Blog Archives

Email In Security Hot Seat

As technology evolves with the rise of the cloud and BYOD, so does the debate on keeping corporate information secure.

Many companies also require remote wiping capability on employee devices in case they are lost or stolen, plus communication encryption software. They also require employees not to use a single password for multiple sites, and some are forbidding passwords of a single word.

But Parris, who formerly held technical and sales management positions at Boeing Computer Services and founded Intercede, argues that securing email also requires identity management — a system that creates a digital identity for employees and other third parties connected to an enterprise, which will then track, “who is sending which email and information to whom, when and protecting it in transit and at rest.”

Even that will not ensure protection of the email, he said. “It must also be run on a secure platform that delivers tightly controlled policy to enforce data labeling, digital message signing, encryption and checking of the actual content.”

Jeff Wilson, principal analyst for security at Infonetics, agrees that an email management platform would help, since “most people are getting email on [multiple] mobile devices that could be lost, stolen, or compromised.”

But he noted a more basic problem for many companies: “They don’t even have an accurate inventory of devices connecting to their network or a framework for building a security policy and buying appropriate security solutions.”

Since email is the primary method of information sharing, enterprises must keep it secure, “to protect intellectual property and to compete in the global business environment,” Parris said.

Source: Email in security hot seat with rise of cloud, BYOD | Consumerization Of It – InfoWorld.

NIST Updates Guidelines for Mobile Device Security

Mobile devices allow workers, including government employees, to work in multiple locations and to improve their efficiency. But the same features that make these devices desirable make them a security challenge. Mobile

logo of National Institute of Standards and Te...

(Photo credit: Wikipedia)

devices can easily be lost or stolen, and users may be tempted to download nonsecure apps that might conceal “malware” that could be used to steal confidential data. Since security is minimal for mobile devices, a thief can retrieve sensitive data directly from the device, or use the phone or tablet to access an organization’s computer network remotely.

The revised guidelines recommend using a software technology that centralizes device management at the organization level to secure both agency-issued and personally owned devices that are used for government business. Centralized programs manage the configuration and security of mobile devices and provide secure access to an organization’s computer network. They are typically used to manage the smart phones that many agencies issue to staff. The new NIST guidelines offer recommendations for selecting, implementing, and using centralized management technologies for securing mobile devices.

“Mobile devices need to support multiple security objectives: confidentiality, integrity and availability, so they need to be secured against a variety of threats,” explains co-author and NIST guest researcher Karen Scarfone.

Source: NIST Updates Guidelines for Mobile Device Security | DFI News.

What are your thoughts on the proposed update? 

Security holes in mobile bank apps

This is not good.

A security firm disclosed holes today in mobile apps from Bank of America, USAA, Chase, Wells Fargo and TD Ameritrade, prompting a scramble by most of the companies to update the apps.

“Since Monday (11/01/2010), we have been communicating and coordinating with the financial institutions to eliminate the flaws,” research firm viaForensics wrote in a post on its site. “The findings we published reflect testing completed on 11/03/2010. Since that time, several of the institutions have released new versions and we will post updated findings shortly.”

The company had reported its findings to The Wall Street Journal earlier in the day. Yesterday, viaForensics went public with problems in PayPal‘s iPhone app, spurring the online payment provider to action.

Specifically, viaForensics concluded that: the USAA’s Android app stored copies of Web pages a user visited on the phone; TD Ameritrade’s iPhone and Android apps were storing the user name in plain text on the phone; Wells Fargo’s Android app stored user name, password, and account data in plain text on the phone; Bank of America’s Android app saves a security question (used if a user was accessing the site from an unrecognized device) in plain text on the phone; and Chase’s iPhone app stores the username on a phone if the user chose that option, according to the report.

While most of the companies scrambled to update their apps this tidbit is concerning.

Spokespeople from several of the financial institutions told the newspaper that the supposed holes, in and of themselves, would not necessarily put users at risk because other safeguards are in place and that an attacker would need to know the user ID and password in many cases to access accounts.

As pointed out by Andrew Hoog of viaForensics:

“Our appWatchdog service clearly highlights the secure aspects of the financial apps we tested. Unfortunately, in the security world (especially when you access your bank account or provide credit card numbers), providing security most of the time is simply not good enough. For mobile app providers, there are no shortcuts to protecting customers’ data. It must be engineered from the start and thoroughly tested after any change in the app or underlying OS (i.e. iPhone iOS or Google Android).” (Source: CNET News)

While technology advancement has made life easier in many respects, security can not be sacrificed.

 

Powered by ScribeFire.

Enhanced by Zemanta

 

Data security …

being neglected by employees.

More employees are ignoring data security policies and engaging in activities that could put a company at risk, according to a survey released by Ponemon Institute on Wednesday.A large number of employees copy secure data to USB drives or turn off security settings in mobile devices like laptops, which could put a company’s data at risk, according to the survey. The rate of noncompliant behavior was worse in this most recent survey compared to a similar survey conducted in 2007, Ponemon Institute said in a press release.

Around 69 percent of the 967 IT professionals surveyed said they copied confidential company data to USB sticks, even though it was against the rules. Some even lost USB sticks that store confidential corporate data, but did not report it immediately, the survey said.

The survey also took into account new technologies that could bring rogue software to computers, like social networking. Close to 31 percent of respondents engaged in social-networking practices on the Web from work PCs. Additionally, around 53 percent said they downloaded personal software on corporate PCs, which could increase the risk of bringing malware to the workplace.

Mobile technologies that let employees do more while on the road are contributing to the issue, said Larry Ponemon, chairman and founder of Ponemon Institute, in a blog entry. As the use of mobile devices grows, the inability to enforce data security policies could increase the possibility of data breaches. “I’m seeing a confluence of conditions that appear to be contributing to this challenge to data integrity,” he said.

Some professionals surveyed blamed companies for poor training or ineffective data security policies. Close to 57 percent said their company’s data protection policies were ineffective, and 58 percent said they were not provided with enough data-security-related training. (Source: More employees neglecting data security, survey says – CIO-Security)

Hard to enforce security policies when the IT staff violates it.

Reblog this post [with Zemanta]
%d bloggers like this: