
JULY/AUGUST 2013 VOL. 15 | NO. 06

INFORMATION SECURITY

Unlock New Pathways to Network Security Architecture
Consolidation and new platforms hold promise for security teams.

THIRD-PARTY RISK HORROR STORIES?!!

IS BIG DATA SECURITY EDUCATION A BIG FAILURE?

SECURE NETWORK ACCESS AND ENTERPRISE MOBILITY

THE LEGACY OF SB 1386

MOBILE SECURITY BY THE NUMBERS

INFORMATION SECURITY | JULY/AUGUST 2013

EDITOR’S NOTE

THE LEGACY OF SB 1386

SECURITY EDUCATION

NEW PATHWAYS TO NETWORK SECURITY

THIRD-PARTY RISK HORROR STORIES?!!

MOBILE SECURITY BY THE NUMBERS

EDITOR’S DESK

Secure Network Access and Enterprise Mobility
We polled readers on enterprise mobile device security and the results are in. BY KATHLEEN RICHARDS

WE CRUNCHED THE numbers in this month’s issue to get your take on mobile device security and noticed some telling trends. Access control has moved to the top of many organizations’ security lists in 2013 as device control continues to give way to bring your own device.

The data from our annual Enterprise Mobile Security Survey, fielded in Q2 2013, is presented in “Mobile Security by the Numbers.” Thanks to the 768 IT and security professionals that participated in the SearchSecurity.com survey.

Enterprise mobile security—and data loss prevention—gets even more fun when you add the host of services and networks that mobile devices access regularly throughout the day. In our cover story this month, virtualization infrastructure guru Dave Shackleford looks at how some organizations are starting to control traffic at different layers of their networks and use emerging technologies that facilitate traffic capture, analysis and control.

In addition to new isolation techniques, organizations today are looking to collapse their infrastructure through virtualization and unified platforms, outside of UTM, writes Shackleford. In his day job as principal consultant of Voodoo Security, Shackleford already sees Fortune 100 companies replacing traditional Layer 3/4 firewalls and IDS/IPS with next-generation firewalls and virtual appliances.

As we look ahead at emerging technologies designed to facilitate network security architecture in the new world of mobility and cloud services, we also decided to take a look back. Ten years ago, Randy Sabett, CISSP (and now counsel at ZwillGen), examined how to achieve compliance with the then-new California SB 1386 privacy law. As Sabett explained in Information Security magazine in June 2003:

California’s new privacy law (SB 1386), which goes into effect July 1, requires any company that conducts business in California and owns or licenses computerized personal data to notify California residents of any actual or suspected security breach that compromises the “security, confidentiality or integrity” of that information.

This issue, we invited him back to tell us what’s changed (if anything) in the last 10 years; how the California privacy laws influenced future legislation that requires proactive security measures to prevent data breaches and why some states still don’t offer these protections.

We’d also like to welcome back MacDonnell Ulsch to Information Security magazine. Now CEO and chief analyst at ZeroPoint Risk Research, Don authored this month’s feature on third-party vendor risk management and what’s required in top notch service-level agreements. He tackled this timely topic as U.S. service providers, among others, worry about the global fallout of Eric Snowden’s allegations against the NSA and its effects on selling data storage and related services.

Finally, our education columnists, Doug Jacobson and Julie A. Rursch, instructors in the electrical and computer engineering department of Iowa State University, tell us why big data education is so hard. “Given the void in big data education, it should come as no surprise that the security of big data is not covered in most curriculums,” they write. Could industry partnerships help?

Enjoy the issue and let us know what you think.

KATHLEEN RICHARDS is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath. Send comments on this column to [email protected].

DATA BREACH NOTIFICATION LAW

The Legacy of SB 1386
A decade after becoming law, the ripple effects of California’s SB 1386 have surfaced in a new breed of proactive, granular state data privacy laws. BY RANDY SABETT

WHETHER OR NOT you view the passage of California’s SB 1386 data privacy law in 2003 as a watershed moment in the information security world, few can argue that its enactment significantly changed the infosec playing field.

Although federal legislation had covered certain industry verticals (e.g., GLBA and HIPAA/HITECH), most activity involving broadly applicable privacy and information security laws has occurred at the state level. SB 1386 initiated much of this activity.

Over time, a definite trend has emerged: reactive state laws dealing with cybercrime have given way to proactive laws requiring affirmative steps to secure information systems.

REACTIVE STATE DATA PRIVACY LAWS
Early state data privacy laws criminalized various activities that today would collectively be referred to as “hacking.” These reactive laws focus primarily on the hacker—an elusive entity that even if apprehended could not, in most cases, make a victim whole again. These laws often came into play only after a breach event had occurred involving the data of a particular state’s residents. Other than the slight deterrent effect that they might have, the antihacking laws have done little to prevent cybercrime from occurring. Because of this, state legislatures began to realize the need to focus on other parties in the chain of liability.

By passing SB 1386 in 2003, California became the first state with a data breach notification law. With it, not only would the actual wrongdoer be criminally liable, but entities that allow a breach to occur also might bear some liability. Other states soon followed, some with “bright line” legal tests for determining breach occurrence while others have a subjective risk-based standard. Some laws have GLBA or HIPAA safe harbors; others do not. All, however, are still reactive, because they don’t kick in until a breach has already occurred. At a minimum, they have created a negative incentive and increased the visibility of information security.

PROACTIVE STATE DATA PRIVACY LAWS
California continued its lead role by passing AB 1950 in 2004. Unlike data breach laws, AB 1950 focuses on whether an entity has in place “reasonable security procedures and practices.” This was one of the first of its kind: a broad-reaching proactive data security statute that places obligations on parties before a breach event has occurred. (Although both HIPAA and GLBA have a similar structure, they are limited to specific industry verticals and are not broadly applicable to all businesses that collect or maintain sensitive personal information.) Many states have now followed suit with similar proactive laws that require reasonable security measures.

GRANULAR INFORMATION SECURITY LAWS
If we view antihacking laws as a first wave, data breach notification laws as a second wave, and reasonable security measures laws as a third wave—a new fourth wave of state information security laws is emerging. The laws in this fourth wave represent an attempt by state legislatures to pass much more granular provisions. To date, Oregon, Massachusetts and Nevada have the most detailed requirements, with Minnesota not far behind.

In Oregon, SB 583 requires companies to implement an information security program that includes administrative, physical and technical safeguards. It then specifies measures for each class of safeguards deemed to be in compliance with the law.

Detailed data security regulations in Massachusetts, 201 CMR 17, took effect in March 2010 and require companies to implement a comprehensive information security program along with certain administrative, technical and physical controls to protect sensitive personal information. Highlights include retaining third-party service providers that can implement appropriate security measures and contractually requiring such measures.

The most compelling trend besides granularity is the incorporation of commercial standards (in particular, elements of the Payment Card Industry Data Security Standard or PCI DSS) into state law. Two states, Nevada and Minnesota, have codified or partially codified the PCI DSS. In Nevada, a business that accepts payment cards must comply with the PCI DSS. This creates a type of “safe harbor.” If the entity is PCI-compliant and the breach is not caused by “the gross negligence or intentional misconduct” of the entity, it will not be liable under the law for damages for a security breach.

The Minnesota law reflects only one part of the PCI DSS and, in many respects, codifies obligations already contained in merchants’ contracts with the card brands. The law forbids entities that handle credit card information from retaining the card security code, PIN or contents of any track of magnetic stripe data after the transaction is authorized. Companies not in compliance with the statute are liable for any fraudulent transactions that result from such noncompliance, as well as the costs of replacing compromised cards.

DATA PRIVACY LAWS: WHAT’S NEXT?
I am certainly not a prognosticator and I don’t play one on TV. Having said that, I do believe the trend of increasingly proactive and granular state data privacy laws will continue to evolve in two ways.

First, states will press forward with innovative laws that focus on information security and further refine the obligations of the various stakeholders, specifically the enterprises that collect, process, and maintain data. This may frustrate those entities that employ a somewhat common framework-based approach to compliance, using a single set of controls that cover the existing “patchwork” of laws. Those companies that select one of the most stringent laws and meet its requirements may find the need to update their security posture in response to the legislative “leapfrogging” that could occur.

Second, I believe that we will eventually see data privacy legislation become law at the federal level, though the broad nature of some of the bills over the past few years makes passage difficult. For now though, it seems that there are too many stakeholders with varied interests to get an “omnibus-style” bill on the books. That may change quickly, however, should some type of drastic event occur that gets everyone aligned. Hopefully, that won’t be the case.

RANDY V. SABETT, J.D., CISSP, is counsel in the Washington, DC office of ZwillGen PLLC and has more than 20 years of infosec experience, including as an NSA cryptography engineer. He counsels clients on information security, IT licensing and intellectual property. He served on the Commission on Cybersecurity for the 44th Presidency and he has been recognized as a leader in privacy & data security in the 2007-2013 editions of Chambers USA. Sabett is an adjunct professor, a frequent lecturer and author, and has appeared on or been quoted in a variety of national media sources.
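As an added example (not code from the article, the statute or any PCI program), a Python audit that checks stored transaction records for the three elements the Minnesota law, as described above, forbids retaining after authorization: the card security code, the PIN and the contents of any magnetic-stripe track. The column names, the track layouts matched by the regular expressions and the sample records are constructed assumptions about how a merchant might lay out its own data.

```python
import re
from dataclasses import dataclass

# Column names are an assumption about how a merchant's own transaction record
# might be laid out; real schemas differ. Keys are compared case-insensitively.
PROHIBITED_KEYS = {
    "cvv", "cvv2", "cvc", "cvc2", "cid", "security_code",   # card security code
    "pin", "pin_block",                                      # PIN
    "track1", "track2", "track_data", "magstripe",           # stripe contents
}

# Track 1 begins '%B', PAN, '^', cardholder name, '^', expiry (YYMM) ...
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
# Track 2 begins ';', PAN, '=', expiry (YYMM) ...
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")


@dataclass(frozen=True)
class Finding:
    txn_id: str
    field_name: str
    reason: str


def _normalize(key: str) -> str:
    return key.strip().lower().replace("-", "_").replace(" ", "_")


def audit_record(record: dict) -> list[Finding]:
    """Return one Finding per prohibited element retained in a stored record.

    A masked PAN is not flagged: the article describes the statute as limited
    to the security code, PIN and track contents, not the card number itself.
    """
    txn_id = str(record.get("txn_id", "<no txn_id>"))
    findings: list[Finding] = []
    for key, value in record.items():
        if value in (None, ""):
            continue  # an empty column is not retention
        if _normalize(key) in PROHIBITED_KEYS:
            findings.append(Finding(txn_id, key, "prohibited field retained after authorization"))
            continue
        if isinstance(value, str):
            # Track contents can also leak into free-text columns such as notes.
            if TRACK1_RE.search(value):
                findings.append(Finding(txn_id, key, "track 1 data embedded in value"))
            elif TRACK2_RE.search(value):
                findings.append(Finding(txn_id, key, "track 2 data embedded in value"))
    return findings


def audit_batch(records: list[dict]) -> dict[str, list[Finding]]:
    """Audit many records; only records with findings appear in the result."""
    result: dict[str, list[Finding]] = {}
    for rec in records:
        found = audit_record(rec)
        if found:
            result[found[0].txn_id] = found
    return result


# Constructed sample records (test-card-style numbers, not real cards).
SAMPLE_RECORDS = [
    {"txn_id": "C-1001", "pan_masked": "************4242", "expiry": "1512",
     "auth_code": "A1B2C3", "amount": "19.99", "cvv2": ""},
    {"txn_id": "C-1002", "pan_masked": "************4242", "expiry": "1512",
     "auth_code": "D4E5F6", "amount": "42.00", "cvv2": "123"},
    {"txn_id": "C-1003", "pan_masked": "************4242", "expiry": "1512",
     "auth_code": "G7H8I9", "amount": "7.50",
     "notes": "swipe ok ;4242424242424242=15121011000012345678?"},
    {"txn_id": "C-1004", "pan_masked": "************4242", "expiry": "1512",
     "auth_code": "J1K2L3", "amount": "3.25", "PIN Block": "5F2A9C01B3E4D6F7"},
]

if __name__ == "__main__":
    for txn, found in audit_batch(SAMPLE_RECORDS).items():
        for f in found:
            print(f"{txn}: field {f.field_name!r}: {f.reason}")
```

Run against a real export, the free-text scan is the part that matters most: the named columns are easy to drop at schema design time, while track data pasted into a notes or debug column is what an enumerated-field review misses.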

SECURITY EDUCATION

Is Big Data Security Education a Big Failure?
Big data presents big challenges for computer science programs from classification to cloud security. Are industry partnerships the answer? BY DOUG JACOBSON AND JULIE A. RURSCH

WHEN IT COMES to integrating information technology trends into the curriculums of many universities and colleges, the educational system has fallen behind the learning curve. This is true for big data education, and unfortunately, the IT security needed to protect unstructured information.

The concepts related to the handling of large amounts of data are briefly touched on in courses that focus on databases or algorithms. But when big data is addressed in an algorithms class, it’s primarily as a justification for teaching different sorting algorithms, essentially, ordering lists in “big data” projects.

If universities do offer classes on big data, it is often as graduate-level coursework. Although few computer engineering or computer science classes focus specifically on big data, we see the concept show up in other courses; bioinformatics, for example, where processing big data is required to complete a task.

SECURITY OPTIONAL
Given the void in big data education, it should come as no surprise that the security of big data is not covered in most curriculums. Even the newly proposed National Security Association and Department of Homeland Security focus areas for the National Centers of Academic Excellence list big data security as an optional knowledge unit in three content areas.

Security of big data is important, but it is difficult to teach for many reasons—the terminology, current security and monitoring systems, physical infrastructure—and that’s just for starters. First and foremost, it is hard to classify what is meant by the term “big data.” It implies incomplete knowledge of what data points may be in the storage set and trying to secure that which is unknown is difficult. Think about data loss prevention; it’s difficult, if not impossible, to tell if sensitive data is leaving the facility when the data isn’t enumerated.

We’re not teaching big data security. But in our defense, how can we secure something that is hard to classify? Furthermore, how can we teach others how to secure it? The new classification of big data presents a basic problem that needs resolution before we provide solutions.

NEW SECURITY METHODS
Does the new classification of big data mean new security methods are warranted or can we use methods that currently are deployed, only on a larger scale? In the case of big data, we argue that the size and complexity requires more than just scaling current data security methods.

If we can get beyond the terminology and lack of knowledge, we need to rethink the implementation of security and monitoring systems in big data situations. In current security and monitoring systems, writing to and reviewing log files is the primary technique used to capture events and indicate when security breaches are attempted or have succeeded. In today’s world, we hear lamentations of how large log files grow and how difficult it is to separate the useful data from the noise, even with the help of a vendor’s product. In the world of big data, the complexity of security and monitoring systems only grows exponentially.

Although many factors complicate big data security, one final issue we want to note is that big data often lives in the cloud. Therefore, the discussions about security methods for big data include cloud security. Neither of these topics is mature and organizations taking security measures will need to consider how these measures will work with cloud data.

From the educational perspective, we believe that teaching big data security starts with the fundamentals of data security that are taught in all security programs. There is no stronger foundation for big data security discussions than a deep and broad understanding of security concepts; however, the additional complexities that big data adds to the problem of security need to be included in the curriculum.

While we believe the best way for students to learn is through laboratory experiments or simulations, developing big data security exercises may prove more difficult than traditional security exercises. If we argue that a definition of big data could be developed and universally accepted, we still see obstacles to overcome. Currently, students work with intrusion detection and data loss prevention, but not in a big data environment. And, we have found, they really aren’t prepared to handle the massive amount of data that pours in from security devices, network monitoring and data loss monitors. Laboratory experiments have to be carefully crafted to not overwhelm students, but also provide the look and feel of big data.

NO MEANINGFUL DATA
Unfortunately, access to realistic and meaningful data is difficult in higher education. We cannot have access to real big data because, in many cases, it is private. We need to develop example data sets of big data in which the data types match different industries. This is a perfect place for academia to partner with vertical industries or industry trade groups to develop these data sources. And, we, as educators, need to be innovative in combining cloud and big data security concepts and encouraging our students to think about these topics.

So, what can we realistically hope to accomplish in the area of big data security education? We would hope that as educators we can help our students learn the fundamentals needed to adapt to ever-changing threats and technologies. While today the current topics are big data and cloud security, tomorrow’s topics are unknown. As educators we are bound to include the most current security topics and issues such as big data and cloud security for our students. However, we must also strive to educate our students so they can adapt to changes once they leave our hallowed halls.

DOUG JACOBSON is a professor in the department of electrical and computer engineering at Iowa State University and director of the Information Assurance Center, which was one of the original seven NSA-certified centers of academic excellence in information assurance education.

JULIE A. RURSCH is a lecturer in the department of electrical and computer engineering at Iowa State University and director of the Iowa State University Information Systems Security Laboratory, which provides security training, testing and outreach to support business and industry.

COVER STORY: NETWORK SECURITY ARCHITECTURE

By Dave Shackleford

NEW PATHWAYS TO NETWORK SECURITY
Want to shed appliances? Consolidation and new platforms hold promise for security teams.

IN AN INTERESTING paradox, enterprise networks have experienced unprecedented sprawl and significant consolidation over the past 10 years. With new technology and application use at an all-time high, security teams require different ways to isolate, monitor and control traffic within their data centers and extended networks.

What network isolation and segmentation techniques are many companies now considering? How can consolidation and collapse of feature sets into unified platforms, and more condensed network security architecture at the perimeter secure sensitive data and corporate assets?

While security isn’t the primary driver of major network architecture overhauls, new threats are leading more organizations to re-architect portions of their networks. For some large organizations, the continued rise of devastating distributed denial-of-service (DDoS) attacks, embedded HTTPS control channels, and sophisticated malware may necessitate a redesign focused on network security architecture.

Business growth or operational changes can also increase the need to refresh network security architecture.

These design changes are often coupled with equipment upgrades and replacement scenarios.

For many enterprises, compliance is the major driver for changes in both security and general IT operations. Any technology or internal design change that can limit or reduce the scope of the environment for compliance can save money and time, in years to come. Isolation of systems, applications and network segments that handle payment card data, for example, can go a long way to limiting the scope of PCI DSS audits.

ISOLATION AND SEGMENTATION TECHNIQUES
Regardless of motivation, new considerations are driving the way networks are designed. In the past, many organizations used a traditional single or dual-firewall architecture that divided networks into segments at Layers 3 and 4, limiting IP address ranges and TCP/UDP ports that could traverse one segment or another. While this network security architecture is still the most common, more organizations are starting to control traffic at different layers and use emerging technologies that facilitate traffic capture, analysis and control.

■ Software-defined networking for monitoring and isolation: SDN is an emerging technology that implements network control through software and scripting in switches and centralized controllers. It’s heavily touted as a way to help security professionals implement access controls and traffic filtering, packet capture and monitoring, and isolation of traffic at Layers 2 and above. In March, Microsoft Principal Network Architect Rich Groves gave a talk describing the company’s use of the OpenFlow specification and commodity switch hardware to send large quantities of packet data to network monitoring devices (Figure 1). This same technique can easily be used to quarantine and isolate packets with specific attributes, potentially helping defeat DDoS and other attacks.

[FIGURE 1] Microsoft is using software-defined networking based on the OpenFlow protocol for traffic isolation and aggregation in its cloud. (SOURCE: WWW.OPENFLOW.ORG)

■ Layer 2 isolation: While the use of virtual LANs (VLANs) to segment broadcast domains in a network is not new, more organizations are strategically using VLANs and private VLANs as a segmentation strategy for sensitive domains. Many newer switches, including Cisco Systems’ Nexus series and Juniper Networks’ EX devices, can also accommodate VLAN access control lists that allow for filtering based on MAC addresses and forwarding and capture of packets.

■ Isolation at virtual network layers: The use of virtual firewall appliances and newer virtual switches such as the Cisco Nexus 1000v, Juniper vGW line, and Open vSwitch is starting to emerge within converged infrastructure clusters as a sound isolation and segmentation practice. While most organizations aren’t replacing existing hardware-based security platforms with virtual systems, the use of virtual traffic control and monitoring systems is growing as a new layer of defense. Some of these systems offer capabilities that their hardware-based counterparts cannot (see tip on virtual networking).

■ Use of load balancers and content switches to isolate traffic: A majority of the traffic in enterprises today is HTTP, HTTPS or other application traffic. Load balancers and content switches are often used to provide availability and control for application traffic, but security teams can benefit from these technologies as well. While many leading manufacturers have offered security options in these products for some time (including port mirroring, scripting capabilities and DDoS defenses), security teams are starting to take advantage of these features as application traffic grows. Using application-layer packet attributes to direct and control traffic can help organizations isolate more sensitive or critical traffic, and identify malware command-and-control channels using HTTP/HTTPS.

■ Internal VPNs and private cloud gateways: Several organizations have employed internal virtual private network (VPN) platforms to segment their networks. SSL VPNs can be easily set up and configured to act as a gateway to one or more segments of the environment, providing more robust authentication requirements, endpoint inspection capabilities, and integration with virtual desktop technologies. For organizations with private cloud deployments, new cloud “edge” gateways such as VMware’s vShield Edge or Juniper’s vGW can be installed to provide controlled access. Technologies such as VMware’s VXLAN allow migration and control of Layer 2 traffic across Layer 3 data center and cluster boundaries, which affords more flexibility to distributed virtual and cloud environments.

UNIFIED PLATFORMS AND COLLAPSED ARCHITECTURE
In addition to new isolation techniques and controls, organizations today are generally looking to collapse their infrastructure a bit more. The security community is actively using converged security appliances (often called universal threat management, or UTM systems) that offer a combination of services like antimalware defense, antispam and mail protection, content filtering, traditional Layer 3 and 4 firewall rules and even VPN and proxy capabilities, in some cases.

While these systems have steadily become prevalent and more mature, the technology is more viable for small to mid-sized businesses. Many enterprises are not sold on the technology, because it represents a single point of failure. It doesn’t support the scalability or performance required in large, fast (10 Gbps+) network environments. While this still holds true, many companies are looking to reduce the number of security layers within their networks and add enhanced functionality that may prove more effective at combating modern threats.

Over the last 10-15 years, many organizations followed popular trends in network security architecture, starting with the adoption of multiple layers of security traffic control points, such as firewalls. Some enterprises have even used technology from different vendors at each layer to prevent a single point of failure. This strategy may offer a multi-layered approach to network security, but it results in much higher implementation and operations costs, as well as overhead to manage these platforms.

Many enterprises use dedicated intrusion detection and prevention systems (IDS/IPS) to secure heavily used network segments and those that house sensitive data and applications. These segments often include the primary ingress points from the Internet, segments where a VPN connection terminates, and any exposed DMZ subnets, along with internal zones that need protection.

So what’s changing? Some Fortune 100 companies are replacing firewalls with next-generation firewall (NGFW) platforms. These systems offer more application and traffic behavior inspection along with new capabilities, such as user tracking from internal directory services and more robust protocol inspection. This strategy starts to approach the UTM concept, but with more capable and high-performing platforms.

Another major shift is the gradual consolidation of IDS/IPS platforms with next-generation devices and technologies. While a good number of organizations are still proponents of separate IDS/IPS, some companies are seeing benefits in using the NGFW platforms to handle both firewall and IPS functionality. As long as the performance of the network is not impacted with a single device handling so many security functions, this approach may make sense for some companies.

Sizing Up Unified Security Platforms
SMALL- AND MEDIUM-SIZED businesses have adopted universal threat management devices more than enterprises. Trends that “stuck” for defense in depth are prevalent in many large organizations’ networks:

■ Multiple tiers of security access control/filtering devices

■ Different vendors (in some cases)

■ Separation of functionality

Today, organizations are looking to collapse functionality into bigger, more capable platforms. Next-generation firewalls are starting to replace traditional Layer 3/4 firewalls and IDS/IPS at some Fortune 100 companies.

PLANNED UPGRADES AND SMALLER ZONES
How should security and network teams proceed? First, align any network security architecture and monitoring changes with planned upgrades or changes whenever possible. If new or updated technology is already slated for purchase and implementation, investigate the access control, filtering and monitoring features built into these systems, regardless of vendor. If vendor selection and design phases have not been completed, suggest looking at technologies and designs that allow for the following:

■ Access controls and monitoring at Layers 2 and above: Instead of a consolidated firewall design, switches and other network devices may play more important roles in controlling and monitoring traffic, especially in widely distributed networks.

■ Integration with SDN protocols such as OpenFlow and sFlow: While many organizations may not be ready to make the switch to SDN just yet, preparing for it by purchasing equipment that allows for programmable functions and traffic control to be implemented is a sound idea.

■ Integration with virtualization and private cloud technologies from VMware, Microsoft, Citrix and others: Virtual appliance models with security technology are becoming available from numerous vendors. These systems can complement existing capabilities and network designs, especially in environments with virtual systems or a private cloud.

■ Application and protocol inspection: New types of NGFWs can either augment or potentially replace existing firewalls and IPS platforms.

Another focal area for network and security managers is built on the concept of “compartmentalization” of network segments. With any redesign efforts, security teams should attempt to segment sensitive data, traffic and systems into more carefully controlled areas. While the concept of DMZs and network segmentation is not new, building more, smaller zones may make sense with a combination of VLANs, Layer 3 access controls and even application-level traffic monitoring and control. With advanced firewalls and new virtual platforms, this network security architecture is much easier to accomplish. NGFW systems and virtual appliances can help network and security teams lower costs, if they are replacing multiple platform types.

With new network technology and the availability of advanced security platforms, the design and architecture of many networks is likely to continue to change rapidly, in some cases, collapsing infrastructure with virtualization and cloud deployments.

DAVE SHACKLEFORD is owner and principal consultant at Voodoo Security, senior vice president of research and CTO at IANS, and a SANS analyst, instructor and course author. He is a VMware vExpert and has extensive experience designing and configuring secure virtualized infrastructures.


THIRD-PARTY RISK HORROR STORIES?!!

The majority of breaches occur as the result of third parties. MacDonnell Ulsch advises companies to safeguard third-party agreements.

By MacDonnell Ulsch

VENDOR RISK MANAGEMENT

CYBERATTACKS LEAP FROM the headlines almost daily, yet senior management at some companies still believe their organizations are not potential targets: “Nobody knows who we are, why would anyone want to attack us?”

One consistent breach finding may get their attention: Almost without exception, a third-party vendor or affiliate is involved. It may be the client, or it may be the origination point of the breach.

The third party is often a quasi-insider, enjoying some degree of the trust afforded employees. Based on a relationship’s longevity and personal interactions, third-party trust levels sometimes meet or exceed the level of insider trust.

Unfortunately, the conveyance of trust does not always end well. This is why third-party management and service-level agreements (SLAs) are so critical in the management of risk. SLAs are negotiable instruments that reflect the company’s appetite or tolerance for risk; its size and complexity, geographic distribution, type of information managed, as well as the ability to effectively monitor the third-party management program.


ALREADY MADE IN CHINA

When it comes to managing risk, no company is perfect; usually, it’s far from it. In the well-known case of Nortel Networks Inc., the optical networking company’s computer systems and senior management’s emails—including the CEO’s—were compromised by Chinese hackers for nearly a decade. An employee said he alerted Nortel’s executives that there was a breach in 2004, according to The Wall Street Journal, but outside of changing passwords, his warnings were largely ignored. This ongoing breach resulted in costly and complex litigation during Nortel’s asset sale after it declared bankruptcy in 2009. Companies that acquired Nortel’s intellectual property—Ciena Corp., Avaya Inc. and Ericsson Inc.—found out that their organizations might not have “exclusive rights” to the sensitive information.

Avoiding the often substantial impact of legal, financial, regulatory and reputation risk isn’t trivial. In the best scenario, managing risk is supposed to prevent bad things from happening. The next best outcome is to reduce the impact when a collision of a threat and its intended target proves unavoidable. In the worst case, managing risk is about recovering from an event that proved to be, for whatever reason, both unpreventable and highly effective; translation: expensive.

Risk impact can be defined by a variety of metrics: loss of revenue, loss of company value, diminished market share and brand equity, increased cost of capital, higher insurance premiums and civil litigation from investors, shareholders, business partners and others (see Negative Outcomes: Third-Party Risk Management—Figure 1). Heads may roll in the executive suite. Criminal prosecutions often result. (Immunity in a breach is as scarce as hieroglyphics.)

The worst risk impact occurs when companies are clearly not ready for a breach, which is too often the case.

[ FIGURE 1 ]

Negative Outcomes: Third-Party Risk Management

(SOURCE: ZEROPOINT RISK RESEARCH LLC)

RISK and IMPACT

Regulatory Risk: Regulatory Impairment, Regulatory Fines, Increased Government Scrutiny, Rigorous Remediation, Litigation Foundation

Legal Risk: Civil Litigation, Criminal Prosecution, Class Actions, Jury Awards, Settlements

Financial Risk: Value Loss, Investor Loss, Customer Loss, Capital Cost Increases

Reputation Risk: Press and Media Exposure, Market Drift, Competitor Positioning

Cascading Risk: Market Loss, Recovery Continuation, Sustainability Questions


The majority of breaches occur as the result of the actions or defensive deficiencies associated with a third-party service provider. One third-party vendor’s deficient antimalware deployment resulted in a massive cyberattack. The impact: extensive, costly regulatory reporting and uncomfortable discussions and negotiations with its corporate customer base. The breach was detected when an employee noticed suspicious firewall log activity. The hackers, however, had covered their infiltration by erasing the majority of their intrusive activities, making the breach even worse and complicating the forensic analysis.

COMPLIANCE AND THIRD-PARTY MANAGEMENT AGREEMENTS

Third-party management agreements are important instruments in managing legal, regulatory, financial and reputation risk. These contracts, also known as Business Associate Agreements (BAA), are neglected tools for defending against information compromise.

Any company protecting health information, for example, needs to pay particular attention to the changes brought about by the HIPAA Omnibus Final Rule, which was passed in January 2013 and went into effect in March. A number of deadlines for compliance are set for September 23, 2013. Changes include requirements for business associates and subcontractors to comply with the complex security rule. Breach notification changes are also noted in the final rule, as well as enforcement and penalty provisions. The Genetic Information Nondiscrimination Act prohibits health plans from using genetic information as an underwriting consideration. Multiple privacy issues are also noted in the final rule, especially on the use and disclosure of protected health information, including the uses associated with marketing and fundraising. (Similarly, recent changes in the European Union Model Clause affect E.U. companies exporting data overseas, as well as the third-party data importers.)

Contract negotiators, attorneys and others with experience managing the SLA process address certain issues reasonably well: performance-related requirements, and even some regulatory requirements. Companies can further protect their information assets by ensuring that the following components are included in the negotiation of all third-party management agreements: information security, information privacy, threat and risk analysis, compliance obligation range, enforcement mechanisms, internal audit access and disclosure requirements, and


foreign corrupt practices management (Figure 2). Focusing on these seven elements will increase the efficiency and effectiveness of third-party management agreements while creating an effective risk management framework.

[ FIGURE 2 ]

Successful negotiation of third-party management agreements is built around seven elements.

(SOURCE: ZEROPOINT RISK RESEARCH LLC)

Information Security Agreement
Information Privacy Agreement
Specific Threats and Risks Defined
Foreign Corrupt Practices Management
Audit and Monitoring Terms
Agreement Enforcement Mechanisms
Compliance Requirements Range

Third-party management agreements may not be enough to protect organizations from elaborate cyberfraud, however. In one occurrence, the third-party vendor hired independent contractor employees who did not exist. Well, one did. Ingeniously, this individual invented identities and acquired cell phone numbers, addresses, social security numbers and so on. On paper, “the employees” certainly seemed like real people—each one passed a background information check. An address in the background check forms seemed out of place, but that didn’t prevent them from getting hired. Personally identifying information (PII) was stolen in this scam and sold to organized crime and narcotics traffickers in a foreign country, resulting in financial fraud. The breach was


detected due to suspicious behaviors exhibited by the independent contractor behind the felony crime.

RESPONSIBILITY AND REPORTING

It is important to remember that the principal company or covered entity that engages a third party is always responsible for ensuring the integrity of information. While various regulations may also hold third parties accountable, never assume that the obligation of compliance is assignable to another company. When negotiating an SLA, the company must require the third-party service provider both to assume responsibility for compliance with all applicable regulations and to specify the timeframe in which to report a breach to the company. This can get tricky, and the contract language is important. Always confer with corporate legal counsel on this issue.

First, be sure to define what a breach is. An incident or event is not necessarily a breach of regulation. Is the event a breach of policy and procedure, security or regulation? Some contracts require the third party to notify the principal company of a security policy breach within 24 hours of the incident. Maintaining tight control over the reporting requirements of the third party under agreement is vital. It is also recommended that the company pre-emptively engage the third party by asking, in writing, about any security incidents at the third party, and receive a response in writing.

ASSETS AT RISK

It is not always discernible what information is at risk in a cyberbreach, especially right away. One third-party vendor responded to a breach based on an assumption that the organization did not possess any regulated data, when in fact, it did. What the company thought was just a matter of tightening security in the initial stages of the breach evolved into a serious reportable event.

Every third-party provider should know what data is in its possession. This is an absolutely critical determinant of how that data must be protected. While few mandates exist regarding the protection of intellectual property and trade secret assets—this is typically limited to contractual obligations cited in customer contracts and insurers’ policies—personal information must be protected according to statute and regulation.

Many breaches of regulated data are never reported, however. Sometimes, a decision is reached not to report on the basis that the breach did not meet certain requirements—the exact definition of PII or protected health information (PHI). A breach that isn’t reportable in the United States may be disclosed in other countries based on different regulations.

Managing risk by regulation has significant drawbacks, yet many companies continue to do just that. Here’s the problem. Many regulations are written upon the back of mandatory minimum requirements. While it’s

(Continued on page 22)


Inside ‘Jobs’

INSIDER THREATS CAN take advantage of high trust levels to hatch elaborate schemes. A group of employees working for a large U.S. technology company decided to use their employer’s technology assets for personal gain. They had access to desktop and laptop computers that were coming off lease, being sold or otherwise recycled. These units were stockpiled in unused offices, unsecured rooms and even in hallways.

The employees signed into the data center using these machines and built their own data management network, underneath the raised floor of the corporate data center. They started “competing” for external business with their employer. This crime went undetected for about a year.

It was eventually detected, but not because of all the technology company’s monitoring hardware and software. A security guard outside of the data center figured it out. The guard noticed that these workers consistently checked into the data center when everyone else was logging out—at the end of the day and on weekends. He became suspicious.

It’s worth noting that many employees who get caught committing fraud against the company are not criminally or even civilly prosecuted. Prosecutions result in a public record—and negative publicity. Which brings up the issue of background investigations: Many people who engage in illegal actions get terminated and soon apply for other jobs in the industry. Meaningful background investigations are woefully absent, and $49 background checks are often inadequate.

There’s a reason that a top secret security clearance can take two years to complete. In 2012, according to The Washington Post, about 500,000 private contractors had federal clearance for “handling top-secret materials” at some level.
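The scheme in the sidebar was caught by a guard who noticed a timing pattern, not by the monitoring stack. That same pattern is visible in badge or sign-in records, and the following Python script, an added example that is not part of the article, flags users whose data center check-ins fall mostly outside business hours or on weekends. The log lines, user names, business-hours window and thresholds are all constructed for illustration.

```python
"""Off-hours access pattern detection over constructed badge records.

Added example (not from the article). Flags users whose data center
check-ins cluster at end of day and on weekends, the pattern the guard
in the sidebar noticed by eye. All data below is constructed sample data.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample badge log: "timestamp,user,event" in local time.
# 2013-04-01 is a Monday, so 04-06 and 04-07 are a weekend.
SAMPLE_LOG = """\
2013-04-01T08:55:00,alice,badge_in
2013-04-01T17:10:00,alice,badge_out
2013-04-01T18:40:00,bob,badge_in
2013-04-01T23:30:00,bob,badge_out
2013-04-02T09:05:00,alice,badge_in
2013-04-02T19:05:00,bob,badge_in
2013-04-03T18:50:00,bob,badge_in
2013-04-06T10:00:00,bob,badge_in
2013-04-06T10:30:00,carol,badge_in
2013-04-07T11:00:00,bob,badge_in
2013-04-08T09:00:00,carol,badge_in
2013-04-08T09:10:00,alice,badge_in
"""

# Assumed business-hours window (inclusive start, exclusive end), local time.
BUSINESS_START = 8   # 08:00
BUSINESS_END = 18    # 18:00


def parse_log(text):
    """Parse CSV-style badge lines into (datetime, user, event) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, event = line.split(",")
        records.append((datetime.fromisoformat(ts), user, event))
    return records


def is_off_hours(ts):
    """True on Saturday/Sunday or outside the business-hours window."""
    weekend = ts.weekday() >= 5          # Monday=0 ... Sunday=6
    outside = not (BUSINESS_START <= ts.hour < BUSINESS_END)
    return weekend or outside


def off_hours_ratio(records, event="badge_in"):
    """Per user: (off_hours_count, total_count, ratio) for the given event."""
    counts = defaultdict(lambda: [0, 0])   # user -> [off_hours, total]
    for ts, user, ev in records:
        if ev != event:
            continue
        counts[user][1] += 1
        if is_off_hours(ts):
            counts[user][0] += 1
    return {u: (off, total, off / total) for u, (off, total) in counts.items()}


def flag_off_hours_users(records, min_events=3, threshold=0.75):
    """Users with enough check-ins whose off-hours share meets the threshold.

    min_events avoids flagging someone on a single late night; threshold
    is the fraction of check-ins that must be off-hours. Both are assumed
    tuning values, not figures from the article.
    """
    stats = off_hours_ratio(records)
    return sorted(u for u, (off, total, ratio) in stats.items()
                  if total >= min_events and ratio >= threshold)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, (off, total, ratio) in sorted(off_hours_ratio(recs).items()):
        print(f"{user}: {off}/{total} off-hours check-ins ({ratio:.0%})")
    print("flagged:", flag_off_hours_users(recs))
```

On the sample data only bob is flagged: every one of his five check-ins is after 18:00 or on the weekend, while carol's single Saturday visit is ignored because she has too few events to judge. In practice the window and thresholds would be set per facility and per role, and a flag is a prompt for a human review of the account, not a verdict.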


(Continued from page 20)

better than nothing (and there are those companies that fail to meet even these basic requirements), it’s not where the industry needs to be. This practice is unacceptable in other industries. No one wants a pilot who’s met only the minimum regulatory threshold.

BASELINE FOR PROPRIETARY INFORMATION

Of course, not all companies or third parties are in the business of managing regulated information. What about managing the risk associated with unregulated data—proprietary information, intellectual property and trade secrets? In a world where brand counts, protecting the brand is ensuring a company’s future. Brand protection is critical because the mission of nation-state espionage and commercial economic and technology competitors is to steal valuable business information. The financial loss is staggering, with some estimates surpassing a trillion dollars a year, and about a third of those losses are in the United States (Figure 3).

One third-party management strategy is to borrow from the requirements used in regulated data management deployments. Most companies, whether large or small, are required to at least protect employee and customer information in a manner consistent with U.S. federal and state requirements. Require third parties to use that baseline to extend protection to intellectual property and trade secrets of value, bearing in mind that this approach, while better than nothing, is a minimum based upon regulatory requirements.

What do all of these breached companies have in common—and especially third parties? It isn’t the type of information that was exposed—PII, PHI, intellectual property and trade secrets. It’s that these organizations didn’t manage risk effectively, from their definitions of risk management to communication gaps between IT and executive management and the board. (The further they are from the point of the breach, the less they understand the breach and its impact.)

SPEND NOW OR LATER

Many companies would rather spend on recovery and remediation than on prevention through risk management and optimization of SLAs. (That may not be what statistics indicate, but that’s what we see.) For one thing, after a breach, budget immediately materializes. The message from executive management is usually this: “Fix this and then do what you need to do to keep this from happening again.” Sometimes, the company embraces a more strategic risk management solution in the aftermath of a breach. Other times, though, the focus is very tactical and concentrated on IT security fixes in the absence of a real risk management approach.

(Continued on page 24)


[ FIGURE 3 ]

Financial losses caused by insider and third-party threats resulting in breaches of intellectual property and trade secrets are estimated at more than $1 trillion worldwide.

(SOURCE: ZEROPOINT RISK RESEARCH LLC)

[Diagram labels: Insider and third-party threat: Employees, Partners, Vendors, Contractors. External threat: Drug Cartels, Organized Crime, Employees, Governments, Terrorists. Environmental change: Regulation, Litigation, Technology, Culture, Economy, Climate. Malice, Mistake, Information Integrity. Outcomes: Financial Risk Exposure, Reputation Risk Exposure, Legal Risk Exposure, Regulatory Risk Exposure. U.S.: More than 500 Million PII Electronic Records Compromised / $1T+ Year IP/TS Stolen.]


(Continued from page 22)

Regardless of whether the breach originated at a third party or at the principal company, a key determinant in the post-breach report is who’s in charge of the breach investigation. When executive management, especially the general counsel and the board, are involved, there’s a greater likelihood that a more effective risk management program will result. But not always: by the time many companies finish paying the bills associated with a breach, they’re sometimes seeking fiscal restraint and recovering from the financial cost of the breach. This often leads to, “Let’s try and do the rest of this mitigation in-house.” That’s usually a mistake, depending on individual breach circumstances and the cooperativeness of any third-party vendor involved.

ENTERPRISE TOWERS OF BABEL

As much as anything, managing risk is about effective communication.

Take the CISO who happens to ride in an elevator with a member of the board of directors: “We’ve got a BYOD issue that led to a BAA infosec incident.”

Board member thinks, “Why can’t this elevator move faster?”

Speak the language of business and risk. This sounds simplistic, but what if the CISO said:

“One of our outside service provider’s employees had some of our client data on an iPad that was stolen, and now it looks like we’re going to have to report this event to regulators in 40 countries. I hate to think what the impact of this is going to be.”

Board member: “Tell me more about this.”

Think about the relationship of security to the management of risk. Risk is a potential condition of concern to many people in the organization. Many executives who will be responsive to the language of risk are not responsive to the language of technology and information security. Chief executives, chief risk officers (which are often chief financial officers), internal legal counsel, internal auditors, privacy officers and compliance officers have an interest in managing risk and are usually responsive. Also, employees with a vested interest in the company’s reputation, including sales and marketing, are often responsive. Conveying the risk message appropriately, though, is necessary to get anyone’s attention.

Speaking technology and security will secure the job. Speaking risk will secure budget and your future.

MACDONNELL ULSCH is the CEO and chief analyst at ZeroPoint Risk Research LLC, in Boston, Mass., and advises commercial and government clients. He wrote THREAT! Managing Risk in a Hostile World. The working title of his upcoming book is CYBER SABRES: Defending the Future Against Enemies Near and Far.


MOBILE SECURITY BY THE NUMBERS

Almost 60% of security professionals in our 2013 Enterprise Mobile Security Survey believe mobile devices present more risk now than in 2012. What’s changed?

By Kathleen Richards

ENTERPRISE MOBILITY SURVEY

SEARCHSECURITY.COM POLLED 768 IT and security professionals in April 2013, and the data clearly indicates that the challenges of securing a multi-device environment continue to mount. While shifting IT assets outside of the firewall can help companies to lower costs, roughly 60% of the Enterprise Mobile Security Survey 2013 respondents believe mobile devices present more risk to their organizations compared to Q2 2012.

About 30% of respondents do not see higher risk, while 13% said they don’t know.

The consumerization of IT isn’t slowing down as more employees use personally-owned devices to access corporate data and applications. But a surprising finding in our 2013 survey was how many companies no longer even issued mobile devices outside of traditional laptop computers, sliding from 83% in our Enterprise Mobile Security Survey 2012 to 65% (Figure 1).

Despite growing concerns over mobile security, only 60% of respondents indicated that their organization required security technologies on mobile devices. In the


group that did, the security initiatives ranked as follows: access control (67%), authentication (57%), encryption (53%), remote wipe (44%), antimalware (44%), PIN enforcement (42%), remote lock (39%), Microsoft ActiveSync (38%), remote access VPN (37%), mobile device management (36%), policy configuration and enforcement (34%), application control (30%), app store restrictions (29%), remote software distribution (23%), blacklist capabilities/data containment (23%), jailbreak detection (21%), GPS tracking (19%) and whitelist capabilities (14%). Perhaps more alarming is the 40% of organizations, according to those surveyed, that don’t require use of security technologies on mobile devices.

[ FIGURE 1 ]

Does your organization supply employees with mobile devices (excluding traditional laptop computers)?

65% Yes
35% No

[ FIGURE 2 ]

For non-company-issued devices, what mobile platforms does your company support? (Check all that apply.)

Apple iOS: 84%
Google Android: 79%
BlackBerry/RIM: 62%
Windows Mobile: 54%

The challenges of taming multi-device environments are quickly becoming the norm, however. About half of survey respondents (49%) indicated that their organizations applied unique security policies and controls for each mobile platform, with Apple iOS and Google Android topping the list of mobile platforms supported on non-company issued devices (Figure 2). Less than half


(43%) of those surveyed did not have different security policies based on mobile operating systems.

At the same time, 43% of organizations required employees to sign a consent document that grants the employer at least limited control over any personally-owned device that accesses corporate systems or data, while 57% did not have any such policy. Half of the respondents said that their employers allow non-company mobile devices to access the corporate network and data (Figure 3).

[ FIGURE 3 ]

Does your employer allow non-company-issued mobile devices to access the corporate network and data?

50% Yes
42% No
8% Don’t know

APP SECURITY BETTER THAN DESKTOP

What types of applications do employees access via personally-owned mobile devices? According to survey respondents, 79% use personal email, instant messaging and chat applications; 68% use Web browser and productivity applications, such as Microsoft Office; 59% access social media; 49% access the corporate intranet and 41% use corporate applications.

Securing the application layer has received a lot of attention in 2013 as more mobile application management systems and related technologies emerge. Problems persist with device data leakage, including apps that request too many permissions (e.g., access to contacts) or hook into other areas on the device. Half of survey respondents indicated that their company is putting more resources—money and staff hours—into mobile application security in 2013, compared to Q2 2012. But almost one-third (29%) of organizations do not have plans to put more resources towards mobile app security, and one-fifth didn’t know. These developments coincided with the heightened focus on mobile app security and operating systems in April, as Facebook blurred the lines when it rolled out its new “apperating system,” Facebook Home (built on the Google Android OS).

So what’s changed? In our 2012 survey, the top five mobile security concerns ranked as follows: device loss, application security, device data leakage, malware attacks and device theft. This year device data leakage


ranked first (45%), followed by unauthorized access (41%), device loss/theft (40%), application security (38%) and compliance and malware attacks (28%) tied for fifth—when respondents were asked to select their organizations’ top three mobile security concerns—as shown in Figure 4.

[ FIGURE 4 ]

What are the top three mobile security fears at your organization? (Select three.)

Device data leakage: 45%
Unauthorized access: 41%
Device loss/theft: 40%
Application security: 38%
Compliance: 28%
Malware attacks against devices: 28%
Liability over data on personal devices: 17%
Unauthorized or unmanaged mobile access to network resources: 15%
Vulnerable third-party applications: 11%
Platform-specific vulnerabilities: 8%
Unauthorized or unmanaged mobile app downloads: 6%
Location tracking: 3%
Other: 4%


Not surprisingly, mobile identity and access management is high on the list of enterprise mobile security concerns, even though vendors of classic identity and access management systems are attempting to extend the functionality. According to this year’s survey, all the employees at 28% of the organizations have access to corporate network/data resources such as email, applications or customer data; more than half of the employees have access at 29% of the organizations; and less than half have access at 35% of the organizations. None have access at 2% of the organizations, and 6% of respondents indicated that they don’t know. (See Figure 5 for types of data access on personally-owned devices.)

[ FIGURE 5 ]

What types of data do employees access and/or store via personally-owned mobile devices? (Check all that apply.)

Standard email attachments: 90%
Work-related contacts: 71%
Personally-owned non-work files (photos/music/movies): 61%
Non-sensitive file shares/documents/presentations: 53%
Confidential/sensitive work-related data: 31%
Sensitive or encrypted email messages/attachments: 30%

Data loss continues to rank as the top threat in enterprise mobile security on all sides, with device data leakage and device loss and theft among the common problems. Of particular concern for many companies is how data is handled when users switch phones or leave the organization. Despite these security threats, backups on non-company issued devices at the majority of organizations


(70%) are never required, according to survey respondents. Of the 30% that do demand backups on employee-owned devices, 12% required it daily, 11% weekly, 5% monthly, 2% hourly, and 1% of organizations limited the personal device backup requirements to quarterly.

At the same time, 44% of organizations allow users to access app stores on company-issued mobile devices and freely download apps; however, our survey data indicates that’s a considerable decline from the 52% of companies that followed this practice in 2012. One-fifth of companies in 2013 permitted their employees to download approved app stores and applications. About one-third of organizations (36%) do not sanction any app downloads on company-issued devices.

With close to 30% of organizations imposing app store restrictions, according to our survey, it’s not surprising that 16% of respondents indicated that their organizations planned to build their own app stores.

MALWARE WATCH

By 2014, employee devices will be compromised by malware at more than double the rate of corporate-driven devices, according to Gartner. So far that hasn’t happened, despite industry warnings that hackers go where the opportunity lies. From a software publisher’s standpoint, it’s a lot easier to write secure code for modern mobile platforms such as Apple iOS and Google Android than it is to sandbox programs and data, for example, on legacy desktops.

“Historically, Apple iOS has been proven to have the right mix of policy, process and technology to make the bad guys avoid it,” said Brad Arkin, chief security officer, Adobe Systems.

“With Android, I think its weaknesses are also its strengths,” he said. “Because it’s so open, bad guys can use side-loading mechanisms and trick people into loading something malicious, but at the same time that openness allows [organizations] like the NSA to put together a secure version of Android including a secure broadband connection back to the mothership,” he continued. “Android also allows you to do security monitoring software, which is not possible on iOS.” Of course, Android security depends on several factors—platform flavor, hardware, updates and what kind of app stores you are using, noted Arkin.

“I don’t think the desktop attack vector of going after people through email and browsers is going to be a

31 INFORMATION SECURITY n JULY/AUGUST 2013

EDITOR’S NOTE

THE LEGACY OF SB 1386

SECURITY EDUCATION

NEW PATHWAYS TO NETWORK

SECURITY

THIRD-PARTY RISK HORROR STORIES?!!

MOBILE SECURITY BY THE NUMBERS

ENTERPRISE MOBILITY SURVEY

because it exposes native APIs, but mobile platform breaches overall remain rare. Even so, 65% of security professionals in our Enterprise Mobile Security 2013 sur-vey viewed the Android platform as carrying some level of

near-term problem for mobile devices just because the at-tack surface is very different, and it’s not as attractive for the bad guys,” he added.

Android is often viewed as an easier malware target

[ FIGURE 6 ]

What mobile malware threats pose the greatest risk to your organization? (Select up to three.)

64%

47%

45%

29%

29%

23%

20%

15%

12%

10%

7%

Data-stealing malware

Malicious applications

Unauthorized network access using mobile device

Root exploits/rogue software

Spam, phishing over SMS/MMS

Eavesdropping malware

Man in the middle attacks

Self-replicating malware

Zero-days in third-party software

Dialer malware (calls made to premium numbers)

Supply-chain malware

32 INFORMATION SECURITY n JULY/AUGUST 2013

EDITOR’S NOTE

THE LEGACY OF SB 1386

SECURITY EDUCATION

NEW PATHWAYS TO NETWORK

SECURITY

THIRD-PARTY RISK HORROR STORIES?!!

MOBILE SECURITY BY THE NUMBERS

ENTERPRISE MOBILITY SURVEY

more companies to follow the college and university models by enforcing mobile security policies that govern network access instead of controlling personally-owned devices.

MOBILE DEVICE POLICY UPDATESIn organizations with mobile device policies, 26% have updated these documents in the past year, 14% within the past three months, 7% within the past 30 days, 6% within the past two years and 4% in the past three years or more.

The biggest drivers of recent mobile security device policy updates, according to the Enterprise Mobile Se-curity 2013 Survey: to satisfy internal corporate require-ments (20%), address new threats (17%), manage new devices (15%) and compliance (11%). However, 13% of re-spondents indicated other, while 59% didn’t know.

Despite indications of a mobile tipping point, execu-tives remain more involved in general IT security deci-sions and policies, according to those surveyed, as shown in Figure 7.

Finally, which top three mobile security technolo-gies did security professionals expect their organizations to spend more on this year? One-third of respondents se-lected access control; one-quarter said data loss preven-tion and authentication, followed by antimalware (22%) and encryption (20%). Mobile device management (18%) finished sixth. Other security initiatives identified for

risk. According to those surveyed, 38% of respondents in-dicated that the Android platform presented “some risk” to enterprises; 23% considerable risk, 4% an unacceptable level of risk, 16% no notable risk and 19% had no opinion. Figure 6 details which mobile threats respondents felt posed the greatest risk to their organizations.

While mobile malware has yet to cause significant problems, mobile device security policies may not be keeping pace with the rapid developments in enterprise mobility. One-fifth of respondents claimed that their or-ganizations didn’t have mobile device security policies. What?!

Of those that did, close to half (44%) do not require employees to read and sign the documentation.

On a positive note, more than half (56%) indicated that their organization required employees to read and sign the company’s mobile device security policy, but that’s a significant drop from the 81% that reported that requirement in our Q2 2012 survey.

As BYOD continues to take hold, Gartner expects

Mobile device security policies may not be keeping pace with the rapid developments in enterprise mobility.

33 INFORMATION SECURITY n JULY/AUGUST 2013

EDITOR’S NOTE

THE LEGACY OF SB 1386

SECURITY EDUCATION

NEW PATHWAYS TO NETWORK

SECURITY

THIRD-PARTY RISK HORROR STORIES?!!

MOBILE SECURITY BY THE NUMBERS

ENTERPRISE MOBILITY SURVEY

increased spending include: remote access VPN (15%), application control (12%), remote wipe (12%), policy configuration and enforcement (11%), ActiveSync (11%), and data containment (11%).

In our 2012 survey, roughly half of respondents honed in on the top five: authentication topped the list (53%),

[ FIGURE 7]

How involved is your organization’s executive team in defining and implementing security decisions and policy in 2013 compared to 2012?

19%

26%

23%

5%

Much more involved

Somewhat less involved

No more or less involved

Somewhat less involved

Much less involved

Don’t know

23%

27%

24%

5% 6%

21%

6%

16%n MOBILE

DEVICE SECURITY

n GENERAL IT SECURITY

followed by data loss prevention (51%), access control (50%), encryption (45%) and remote wipe (41%). What a difference a year makes. n

KATHLEEN RICHARDS is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.

TechTarget Security Media Group

TechTarget
275 Grove Street, Newton, MA 02466
www.techtarget.com

EDITORIAL DIRECTOR Robert Richardson

FEATURES EDITOR Kathleen Richards

SENIOR MANAGING EDITOR Kara Gattine

SENIOR SITE EDITOR Eric Parizo

DIRECTOR OF ONLINE DESIGN Linda Koury

COLUMNISTS Marcus Ranum, Gary McGraw, Doug Jacobson, Julie A. Rursch, Matthew Todd

CONTRIBUTING EDITORS Michael Cobb, Scott Crawford, Peter Giannoulis, Ernest N. Hayden, Jennifer Jabbusch Minella, David Jacobs, Nick Lewis, Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Anand Sastry, Dave Shackleford, Joel Snyder, Lenny Zeltser

USER ADVISORY BOARD

Phil Agcaoili, Cox Communications
Richard Bejtlich, Mandiant
Seth Bromberger, Energy Sector Consortium
Mike Chapple, Notre Dame
Brian Engle, Health and Human Services Commission, Texas
Mike Hamilton, City of Seattle
Chris Ipsen, State of Nevada
Nick Lewis, Saint Louis University
Rich Mogull, Securosis
Tony Spinelli, Equifax
Matthew Todd, Financial Engines
MacDonnell Ulsch, ZeroPoint Risk Research

VICE PRESIDENT/GROUP PUBLISHER Doug [email protected]

© 2013 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.