Do You Splunk 2.0
A little over two years ago I blogged Do you Splunk? about the reporting integration with our FirePass SSL VPN and BIG-IP ASM. The Splunk reports have provided customers valuable insight into application access and user behavior along with deep analysis of application violations, web attacks and other key metrics. Recently, Splunk and F5 have been working behind the scenes and now you can also get 22 different templates for detailed reporting on the BIG-IP Access Policy Manager. BIG-IP APM is a flexible, high-performance access and security solution that runs as a module on BIG-IP LTM. Splunk is the data engine for IT. It collects, indexes and harnesses the fast-moving IT data generated by all of your IT systems and infrastructure - whether physical, virtual or in the cloud and correlates various pieces of data sources to provide new views and new insights. Splunk makes it possible to search and navigate data from any application, server or network device from a web browser, in real time. Logs, configurations, messages, traps, alerts, and scripts: if a machine generates it, Splunk will index it. The Splunk for F5 App provides real-time dashboards for monitoring key performance metrics. Reports from Splunk support long-term trending and can be downloaded in PDF or Excel formats or scheduled for email delivery. The F5 App supports core Splunk functionality such as deep drill-down from graphical elements, robust role-based access controls and Splunk’s award-winning search capabilities. The following are a sample of the reports available in this version of Splunk for F5 using ASM, APM and FirePass data: Request Status Over Time Top Attacker Top Sites Top Violations Active Sync by Device Type Top Device Type Top User Geo-location Reports Session Duration and Throughput Authentication Success/Failure Connections by User Failed Connections by User All Connections Over Time Splunk also has the unique ability to augment data from FirePass and ASM by connecting to and gathering data from Active Directory or LDAP and asset management databases that can highlight asset or application owner information. Businesses are faced with competing challenges when it comes to granting their mobile workforce access to company data. The data must be readily accessible to users on the go but at the same time companies must protect and safeguard their internal systems that contain sensitive information. Robust monitoring controls are a must for maintaining auditing access, enabling dynamic application access and preventing data loss and availability issues. Resources: Splunk for F5 F5 Networks Partner Spotlight - Splunk Knowledgebase: Splunk for Use with F5 Networks Solutions Video: Splunk for Use with F5 Networks Solutions Splunk Templates for BIG-IP Access Policy Manager (pdf) Splunk for FirePass SSL VPN (pdf) Splunk for Application Security Manager (pdf) ASM & Splunk integration F5 Security Community Group on DevCentral Do you Splunk?Surfing the Surveys: Cloud, Security and those Pesky Breaches
While I’m not the biggest fan of taking surveys, I sure love the data/reports that are generated by such creatures. And boy has there been a bunch of recent statistical information released on cloud computing, information security, breaches and general IT. Since this prologue is kinda lame, let’s just get into the sometimes frightening, sometimes encouraging and always interesting results from a variety of sources. 2012 Verizon Data Breach Report: If you haven’t, read Securosis' blog about how to read and digest the report. It’s a great primer on what to expect. An important piece mentioned is that it’s a Breach report, not a cybercrime or attack report. It only includes incidents where data was taken – no data loss, not included. And with that in mind, according to the report, there were 855 incidents with 174 million compromised records, the 2nd highest data loss total since they’ve been tracking (2004). This coming after a record low 4 million lost records last year. The gold record of stolen records. While hacktivism exploded, accounted for 100 million of that 174 mill of stolen records and 58% of all data theft along with untraditional motives; credit cards, intellectual property, classified info and trade secrets were all still hot targets. 81% of the breaches used some sort of hacking with 69% involving malware. 79% were targets of opportunity meaning they had an exploitable vulnerability rather than being ‘on a list.’ 96% of the breaches were not that difficult and 97% could have been avoided using simple to standard protection mechanisms. Unfortunately, organizations typically don’t discover the breach until weeks later. As Securosis points out, don’t be flustered by the massive increase in lost data but focus on the attack and defense trends to help protect against becoming a statistic and as Verizon mentions, ‘this study reminds us that our profession has the necessary tools to get the job done. The challenge for the good guys lies in selecting the right tools for the job at hand and then not letting them get dull and rusty over time. Evidence shows when that happens, the bad guys are quick to take advantage of it.’ BMC Software Survey: Conducted by Forrester Consulting on behalf of BMC, ‘Delivering on High Cloud Expectations’ found that while 81% of the respondents said that a comprehensive cloud strategy is a high priority, they are facing huge challenges in accomplishing that task – mainly complexity. Even with cost reduction as a top IT priority, 43% reported using three or more hypervisor technologies as they try to reduce complexity. CIOs are concerned that cloud technologies offer an avenue for groups to circumvent IT which may hinder IT’s ability to meet overall business expectations. When groups deploy unmanaged public cloud services without IT involvement it can add to the complexity that they are trying to avoid. While 79% of respondents do plan on supporting mission-critical workloads on unmanaged public cloud services over the next two years, only 36% allow this today. No surprise that hybrid-cloud deployments, at 37%, was the most desired deployment. The full study results will be announced on Thursday, April 26, 2012 at 11 a.m. CDT as part of a BMC webinar. CSC Cloud Usage Index: Late last year, Independent research firm TNS surveyed more than 3,500 cloud computing users in eight countries around the world to find answers to cloud usage, expectations, attitudes and other cloud related questions. The survey focused on capturing user information about outcomes and experiences rather than predictions and intentions. In an interesting shift from the typical ‘cost savings’ and ‘business agility’ usually cited as a top motivator, one-third of respondents cite their need to better connect employees who use a multitude of computing devices as the number one reason they adopt cloud. 17% claim agility and only 10% indicate cost savings as a top reason for cloud adoption. 82% of respondents said they saved money on their most recent cloud project but 35% of U.S organizations reported a payback of less that $20,000. In terms of overall IT performance, 93% of respondents say cloud improved their data center efficiency/utilization and 80% see similar improvements within six months of moving to the cloud. Zenoss 100 Best Cloud Stats of 2011: Admittedly, this came out last year but it is still a great statistical overview of Cloud Computing. It starts with data growth stats, like 48 hours of video uploaded to youtube every minute; that 74% of Data Centers have increased their server count over the last three years accounting for 5.75 million new servers every year yet 15% do not have data backup and recovery plans; that, on average, cloud users report saving 21% annually on those applications moved to the cloud; that a delay of 1 second in page load times equals 7% loss of conversions, 11% fewer pages viewed and a 16% decrease in customer satisfaction; that Agility is the top driver for cloud adoption and Scalability the top factor influencing cloud use; that 74% of companies are using some sort of cloud service today yet 79% do not have an IT roadmap for cloud computing and a whole slew of others. All the stats appear to be attributed and run the gamut from storage to cloud to apps. Cloud Industry Forum (CIF) study: As enterprises continue to embrace cloud adoption, it is important for service providers to understand motivators for cloud adoption to ensure those services are being offered. This study, USA Cloud Adoption & Trends 2012 shows that smaller U.S. companies indicate that flexibility as their main driver for cloud adoption while large enterprises cite cost savings as their main reason for cloud deployments. This survey also noted that ‘Cloud’ is no longer a nebulous buzzword with 76% of polled organizations already using some sort of cloud computing for at least one service. Organizations are happy about it also – 98% said they were satisfied with the results of their cloud services with 94% expecting to increase their use in the next 12 months. Data security and data privacy were tagged as the top concerns with 56% and 53% respectively. By no means an exhaustive list of all the recent survey results pertaining to cloud and/or IT security, but they do offer some interesting data points to consider as organizations continue to strive to deliver their available applications as fast and secure as possible. psParking Ticket Privacy
Imagine getting a $20 parking ticket and then filing suit against the issuing municipality for exposing too much personal information on that ticket. That’s exactly what Jason Senne did after receiving a $20 parking ticket in 2010 for illegally parking his car overnight in the Chicago ‘burb of Palatine, Ill. His name, address, driver's license number, date of birth, height and weight all appeared on the ticket, which was placed on his windshield in full public view. Senne's complaint alleged that disclosure of his identity was in violation of the Driver’s Privacy Protection Act of 1994 (DPPA). DPPA requires that all states protect a driver's name, address, phone number, Social Security number, driver identification number, photograph, height, weight, gender, age, and specific medical or disability information. Congress passed the privacy legislation in response to the death of actress Rebecca Schaeffer. She was killed by a stalker who had gotten her unlisted home address through the California DMV. In Senne’s case, initially a federal judge found that an exception for law enforcement protected the village's actions, and a 3-judge panel of the 7th Circuit affirmed that last year. Senne pushed and the full federal appeals court agreed to rehear the case. Last week, the full federal appeals court decided Monday that ‘the parking ticket at issue here did constitute a disclosure regulated by the DPPA.’ In a 7-4 ruling, the appeals court said that it didn’t matter if someone walking by happened to notice the personal info – just the fact that it was exposed in such a public manner was enough. The earlier district court decision, in favor of Palatine Village, was based on the notion that a ‘disclosure’ was when an entity turned over information to someone else without consent and was not considered disclosure. In this case, there was no direct handoff, just the ticket flapping on the windshield/wiper blade in plain sight. In the overturned ruling, the divided court felt that there was real risk, safety and security concerns at stake. A stalker looking for a target could just hang out where overnight parking is banned and collect a bunch of potential victim’s info for future harassment. The recent court’s interpretation of the law might also expose Palatine to a hefty $80 million fine. Since there is a 4 year statute of limitations on private lawsuits and each privacy violation carries a $2500 penalty, all those tickets issued during that time frame with the protected info could be in play. It’s an interesting case about privacy and how others, without malicious intent, may expose personal, sensitive details about an individual. While identity theft due to electronic means, like data breaches, is on the rise, stolen wallets or physical documents (dumpster diving) still account for a good percentage of ID theft crimes. Back in 2009, a Javelin study indicated that stolen wallets and physical documents accounts for 43% of all identity theft (pdf) which means we still need to shred our printed materials. ps References: Privacy Issue in Parking Tickets, Full Circuit Says Appeals court reinstitutes parking ticket lawsuit against Palatine Detailed Parking Tickets Breach Personal Privacy, Appeals Court Says Court Says Parking Tickets Could Be Illegal Senne v. Village of Palatine Driver Information Can Be Sold for Commercial Use Under DPPA (FindLaw's Seventh Circuit Blog) Driver's Privacy Protection Act Seems Fairly Useless (FindLaw's Sixth Circuit Blog) Dumpster Diving vs. The Bit BucketYou’ll Shoot Your Eye Out…
…is probably one of the most memorable lines of any Holiday Classic. Of course I’m referring to A Christmas Story, where a young Ralphie tries to convince his parents, teachers and Santa that the Red Ryder BB Gun is the perfect present. I don’t know of there was a warning label on the 1940’s edition box but it is a good reminder from a security perspective that often we, meaning humans, are our own worst enemy when it comes to protecting ourselves. Every year about 100 or so homes burn down due to fried turkeys. A frozen one with ice crystals straight in or the ever famous too much oil that overflows and toasts everything it touches. Even with the warnings and precautions, humans still take the risk. Warning: You can get burned badly. As if the RSA breach wasn’t warning enough about the perils of falling for a phishing scam, we now learn that the South Carolina Department of Revenue breach was also due to an employee, and it only takes one, clicking a malicious email link. That curiosity lead to over 3.8 million Social Security numbers, 3.3 million bank accounts, thousands of credit cards along with 1.9 million dependant’s information being exposed. While the single click started it all, 2-factor authentication was not required and the stored info was not encrypted, so there is a lot of human error to go around. Plus a lot of blame being tossed back and forth – another well used human trait – deflection. Warning: Someone else may not protect your information. While working the SharePoint Conference 2012 in Vegas a couple weeks ago, I came across a interesting kiosk where it allows you to take a picture and post online for free to any number of social media sites. It says ‘Post a picture online for free.’ but there didn’t seem to be a Warning: ‘You are also about to potentially share your sensitive social media credentials or email, which might also be tied to your bank account, into this freestanding machine that you know nothing about.’ I’m sure if that was printed somewhere, betters would think twice about that risk. If you prefer not to enter social media info, you can always have the image emailed to you (to then share) but that also (obviously) requires you to enter that information. While logon info might not be stored, email is. Yet another reason to get a throw away email address. I’m always amazed at all the ways various companies try to make it so easy for us to offer up our information…and many of us do without considering the risks. In 2010, there were a number of photo kiosks that were spreading malware. Warning: They are computers after all and connected to the internet. Insider threats are also getting a lot of attention these days with some statistics indicating that 33% of malicious or criminal attacks are from insiders. In August, an insider at Saudi Aramco released a virus that infected about 75% of the employee desktops. It is considered one of the most destructive computer sabotages inflicted upon a private company. And within the last 2 days, we’ve learned that the White House issued an Executive Order to all government agencies informing them of new standards and best practices around gathering, analyzing and responding to insider threats. This could be actual malicious, disgruntled employees, those influenced by a get rich quick scheme from an outsider or just ‘compromised’ employees, like getting a USB from a friend and inserting it into your work computer. It could even be simple misuse by accident. In any event, intellectual property or personally identifiable information is typically the target. Warning: Not everyone is a saint. The Holidays are still Happy but wear your safety glasses, don’t click questionable links even from friends, don’t enter your logon credentials into a stray kiosk and a third of your staff is a potential threat. And if you are in NYC for the holidays, a limited run of "Ralphie to the Rescue!" A Christmas Story, The Musical is playing at the Lunt-Fontanne Theatre until Dec 30th. ps References How One Turkey Fryer Turned Into A 40-foot Inferno That Destroyed Two Cars And A Barn S.C. tax breach began when employee fell for spear phish 5 Stages of a Data Breach Thinking about Security from the Inside Out Obama issues insider threat guidance for gov't agencies National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs Insiders Big Threat to Intellectual Property, Says Verizon DBIR Negligent Insiders and Malicious Attacks Continue to Pose Security Threat Infographic: Protect Yourself Against Cybercrime The Exec-Disconnect on IT Security "Ralphie to the Rescue!" A Christmas Story, The Musical Opens On Broadway Nov. 19BYOD–The Hottest Trend or Just the Hottest Term
It goes by many names: ‘Bring Your Own Danger’, ‘Bring Your Own Disaster’ and what most people call ‘Bring Your Own Device’ and everyone it seems is writing, talking and surveying about BYOD. What used to be inconceivable, using your own personal mobile device/smartphone for work, is now one of the hottest trends or at least, one of the hottest topics being discussed throughout the IT industry. The idea of using a personal smartphone at work sprouted, I think, when many executives got their first iPhone back in 2007 and wanted access to corporate resources. As more smartphones made their way into employee’s hands, the requests for corporate access only grew. Initially resistant to the idea due to security concerns, IT seems to be slowly adopting the concept based on the many blogs, articles and surveys that have littered the internet of late. But, it is a true trend that will transform IT or simply a trending term getting a lot of attention? We’ll be right back after these important messages. Just Kidding. Most likely the former. While many of the cautionary articles talk about potentially grim disasters, they do acknowledge that BYOD is not going away and in fact, is gaining ground. Greater productivity and cost savings seem to be the driving factors. Let’s take a quick look at the smattering of articles surrounding this offshoot of IT consumerization. The Mobile Device Threat: Shocking Mobile Security Stats: A nice slide show featuring highlights from a recent Ponemon Institute and Websense survey. Right out of the gate they talk about how mobile devices are a double-edge sword for enterprises. 77 % of the 4640 responses said that the use of mobile devices in the workplace is important to achieving business objectives but almost the same percentage - 76% - believe that these tools introduce a "serious" set of risks. While organizations understand the risks, the survey showed that only 39% have security controls in place to mitigate them. As a result, 59% of respondents said they’ve seen a jump in malware infections over the past 12 months due, specifically, to insecure mobile devices including laptops, smartphones, and tablets while 51% said their organization has experienced a data breach due to insecure devices. While 45% do have a corporate use policy, less than half of those actually enforce it. In terms of recommendations based on their findings they said, be sure to understand the risk that mobile devices create in the workplace; educate employees about the importance of safeguarding their devices; create a mobile device corporate policy and leverage mobile device management solutions, security access controls, and even cloud services to keep confidential data out of the eyes of unauthorized viewers. 10 myths of BYOD in the enterprise: A nice top 10 from TechRepublic primarily pulling data from a recent Avanadesurvey of more than 600 IT and business leaders. The notion of IT resistance to BYOD is somewhat squashed here with nine out of 10 respondents (according to the results) saying their employees are using their own tech at work. They found that more Androids are encroaching the workplace; that employees are actually using it for work rather than playing games and that nearly 80% of enterprises will make investments this year to manage consumer technologies. There’s 7 more myths along with a couple nice graphics to go along with the list. Interesting and quick read. When Business and Personal Combine: This Wall Street Journal article talks specifically about the conundrum companies and employees face when a remote wipe comes into play. What happens, or really, how to deal with situations when there is a fear of a data breach yet wiping the device also deletes all the employee’s personal data, like family pictures. Policies, use agreements and mobile device management (MDM) solutions are potential solutions. The new BYOD: Businesses are now driving adoption: Rather than the perils of BYOD, this InfoWorld article talks about how enterprises are starting to actively encourage BYOD, not just passively accept it. Reporting on Good Technology’s recent BYOD survey, they found that organizations are jumping on the phenomenon sine they see real ROI from encouraging BYOD. The ability to keep employees connected (to information) day and night can ultimately lead to increased productivity and better customer service. They also found that two of the most highly regulated industries - financial services and health care - are most likely to support BYOD. This shows that the security issues IT folks often raise as objections are manageable and there's major value in supporting BYOD. Another ROI discovered through the survey is that since employees are using their own devices, half of Good’s customers don't pay anything for the employees' BYOD devices – essentially, according to Good, getting employees to pay for the productivity boost at work. BYOD Is The Challenge Of The Decade: Europe is also seeing the BYOD trend. This TechWeek Europe article talks about the familiar threats of malware, spyware, worms and other malicious software but also says that BYOD success depends on both people and technology. That it’s important to involve management early, consider the legal and financial ramifications along with risks to the business to then make an informed decision about a BYOD plan. Not sure if it’s the challenge of the decade but it’s a great headline and will continue to fluster IT in the coming years. IT Security's Scariest Acronym: BYOD, Bring Your Own Device: This PCWorld article uses Nemertes Research data to cover the discrepancies between how companies treat laptops (which can be mobile) and mobile devices themselves. They both have VPN capabilities and device encryption available but stray in different directions after that commonality. The obvious difference is laptops are usually IT owned and smartphones are personally owned. They suggest that it’s a good idea to re-evaluate the difference between security controls on different types of end-user devices and ask, "Is this difference based on valid reasons or a result of legacy thinking?" BYOD Challenge: How IT Can Keep User-Owned iPhones And iPads Secure In Enterprise: This article looks at both the technical and personal challenges to securing employee-owned devices along with suggestions like user education, cost sharing, purchase assistance, tiered access, reward for enrollment and reward for good behavior. I like the last one since much of our challenges and much of what I write about is human behavior, the human condition and why we do the risky things we do. BYOD: Manage the Risks and Opportunities: Bankinfosecurity.com is one of my weekly stops on the internet circuit. While this article is more a primer for an upcoming webinar, it does offer a number a good questions to ask while considering a BYOD strategy. They also say that it's no longer a question of whether to allow employees to use their own devices – the questions are now about inventory, security, privacy, compliance, policy and opportunity. Some BYOD thoughts based on all of the above, in no particular order: Have a BYOD policy or forbid the use all together. Two things can happen if not: personal devices are being blocked and organizations are losing productivity OR the personal devices are accessing the network (with or without an organization's consent) and nothing is being done pertaining to security or compliance. Ensure employees understand what can and cannot be accessed with personal devices along with understanding the risks (both users and IT) associated with such access. What's the written policy and how is it enforced. Acceptable use. Ensure procedures are in place (and understood) in cases of an employee leaving the company; what happens when a device is lost or stolen (ramifications of remote wiping a personal device); what types/strength of passwords are required; record retention and destruction; the allowed types of devices; what types of encryption is used. Organizations need to balance the acceptance of consumer-focused smartphones/tablets with control of those devices to protect their networks. Organizations need to have a complete inventory of employee's personal devices - at least the one’s requesting access. Organizations need the ability to enforce mobile policies. Securing the devices. Organizations need to balance the company's security with the employee's privacy like, off-hours browsing activity on a personal device. Personally, I do find that if I’m playing a game at 9pm and an email comes in, I typically read it. F5 has a number of solutions to help organizations conquer their BYOD fears. From the Edge Client, to our BIG-IP Global Access Solutions (BIG-IP APM and BIG-IP Edge Gateway) to the recent MDM partnership announcements, we can help ensure secure and fast application performance for mobile users. ps Related or, …and the Rest: The Dark Side of BYOD – Remote Wiping and Other Issues How do we manage the BYOD boom, at the technical end? BYOD: Bring your own device could spell end for work PC Bring Your Own Device: Risks and rewards What Risk Does 'BYOD' Pose To Your Business? Survey Says Mobile Device Security Threats Attract Cybercriminals The BYOD Security Dilemma BYOD and the hidden risk of IT security BYOD Policy Template Secure iPhone Access to Corporate Web ApplicationsBYOD Policies – More than an IT Issue Part 2: Device Choice
#BYOD or Bring Your Own Device has moved from trend to an permanent fixture in today's corporate IT infrastructure. It is not strictly an IT issue however. Many groups within an organization need to be involved as they grapple with the risk of mixing personal devices with sensitive information. In my opinion, BYOD follows the classic Freedom vs. Control dilemma. The freedom for user to choose and use their desired device of choice verses an organization's responsibility to protect and control access to sensitive resources. While not having all the answers, this mini-series tries to ask many the questions that any organization needs to answer before embarking on a BYOD journey. Enterprises should plan for rather than inherit BYOD. BYOD policies must span the entire organization but serve two purposes - IT and the employees. The policy must serve IT to secure the corporate data and minimize the cost of implementation and enforcement. At the same time, the policy must serve the employees to preserve the native user experience, keep pace with innovation and respect the user's privacy. A sustainable policy should include a clear BOYD plan to employees including standards on the acceptable types and mobile operating systems along with a support policy showing the process of how the device is managed and operated. Some key policy issue areas include: Liability, Device choice, Economics, User Experience & Privacy and a trust Model. Today we look at Device Choice. Device Choice People have become very attached to their mobile devices. They customize and personalize and it's always with them, to the point of even falling asleep with the device. So ultimately, personal preference or the 'consumerization of IT' notion is one of the primary drivers for BYOD. Organizations need to understand, what devices employees prefer and what devices do employees already own. That would could dictate what types of devices might request access. Once organizations get a grasp on potential devices, they then need to understand each device's security posture. About 10 years ago, RIM was the first technology that really brought the Smartphone into the workplace. It was designed to address the enterprise's needs and for years was the Gold Standard for Enterprise Mobility. Management control was integrated with the device; client certificate authentication was supported; Active Directory/LDAP servers were not exposed to the external internet; the provisioning was simple and secure; organizations could manage both Internet access and intranet access, and IT had end point control. When Apple's iPhone first hit the market, it was purely a consumer device for personal use and was not business centric, like the BlackBerry. Initially, the iPhone did not have many of the features necessary to be part of the corporate environment. It was not a business capable device. It did not support applications like Exchange, which is deployed in many organizations and is critical to a user's day-to-day activities. Over time, the iPhone has become a truly business capable device with additional mechanisms to protect end users. Android, very popular with consumers, also offers numerous business apps but is susceptible to malware. Device selection is also critical to the end user experience. Surveys show that workers are actually more productive when they can use their personal smartphone for work. Productivity increases since we prefer to use our own device. In addition, since many people like to have their device with them all the time, many will answer emails or do work during non-work hours. A recent survey indicated that 80% of Americans work an extra 30 hours a month on their own time with BYOD. But we are much happier. A few blogs ago, I wrote about Good Technology’s BYOD survey, found that organizations are jumping on the phenomenon since they see real ROI from encouraging BYOD. The ability to keep employees connected (to information) day and night can ultimately lead to increased productivity and better customer service. They also found that two of the most highly regulated industries - financial services and health care - are most likely to support BYOD. This shows that the security issues IT folks often raise as objections are manageable and there's major value in supporting BYOD. Another ROI discovered through the survey is that since employees are using their own devices, half of Good’s customers don't pay anything for the employees' BYOD devices – essentially, according to Good, getting employees to pay for the productivity boost at work. As part of the BYOD Policy the Device Choice Checklist, while not inclusive, should: · Survey employees about their preferences and current devices · Define a baseline of acceptable security and supportability features · Do homework: Read up on hardware, OS, and regional variances · Develop a certification program for future devices · Work with Human Resources on clear communication to employees about which devices are allowed–or not–and why ps Related BYOD Policies – More than an IT Issue Part 1: Liability BYOD–The Hottest Trend or Just the Hottest Term FBI warns users of mobile malware Will BYOL Cripple BYOD? Freedom vs. Control What’s in Your Smartphone? SmartTV, Smartphones and Fill-in-the-Blank Employees Evolving (or not) with Our Devices The New Wallet: Is it Dumb to Carry a Smartphone? Bait Phone BIG-IP Edge Client 2.0.2 for Android BIG-IP Edge Client v1.0.4 for iOS New Security Threat at Work: Bring-Your-Own-Network Legal and Technical BYOD Pitfalls Highlighted at RSAHackers Hit Vacation Spots
Just when you were having all that fun running around the waterpark and playing those arcade games comes news that the card processing system of Vacationland Vendors Inc., a Wisconsin Dells firm that supplies arcade games and installs vending machines, was breached. From the notice on their website, they say, ‘Vacationland Vendors recently discovered that an unauthorized person wrongfully accessed certain parts of the point of sales systems that Vacationland Vendors uses to process credit and debit transactions at the Wilderness Resorts.’ Up to 40,000 debit or credit cards that were used in the arcades any time between December 2008 to May 2011 at the Wilderness Waterpark Resort near Wisconsin Dells and a companion resort in Tennessee are potentially compromised. The hackers, according to Vacationland Vendors, improperly acquired credit card and debit information and around 20 accounts have shown irregular activity. Reservation and restaurant transactions were not involved in the breach, only the point-of-sale devices. Malware was the apparent culprit. Point-of-sale devices and the networks they are connected to are often the target of malicious hackers. These ‘kiosks’ are typically unattended and might be in locations where observation is limited. A couple years ago, Target’s breach was the result of hackers gaining access via the customer service kiosks and the huge hit at Heartland Payment Systems, resulting in tens of millions of exposed credit and debit cards was from a breach of the company's point-of-sale network. After successful installation of malicious software, thieves are able to sniff and intercept payment card data as the information is transmitted within the internal network or to the bank for authorization. It might not even be encrypted as it travels. If it was, then the crooks wouldn’t have the info. Many people may think these kiosk point-of-sale devices are safe since it is taking credit card data and merchants need to be PCI compliant. While the overall deadline for PCI 1.2 compliance was a couple years ago (and PCI 2.0 at the end of this year), the deadline for unattended point-of-sale devices was July 2010, a little over a year ago. That’s why you’ve seen a whole slew of new gas station pumps at your favorite fueling stations and just like regular compliance, it’s going to take time to update all the point-of-sale devices. Now, I’m not insinuating that the arcade devices were not PCI compliant since nothing has been reported about that, but what I am saying is be careful with those since you may not know if it is or not. If it looks a few years old, then most likely, it is not. With this and other similar point-of-sale breaches, many security experts (and even the Heartland CEO) believe end-to-end encryption is necessary, even if transmitting on the internal network, from the time the card is swiped all the way until the data reaches the the processor or bank. Many credit card swipe terminal vendors are building encryption into the hardware itself and F5 can help keep that information encrypted while it’s travelling the great unknown. Our BIG-IP APM and BIG-IP Edge Gateway (voted Best Secure Remote Access Product by TechTarget Readers) can easily encrypt any traffic, internal or external. Heck, even a couple BIG-IP LTM running our latest v11 code can initiate a secure tunnel between them, creating an instant, secure WAN connection. With the advent of credit card swiping capabilities on mobile phones now in full force, I’m not sure if this is going to get better or worse. The terminal might be fine but if you install a hacked mobile payment app, then you can skim credit card info like the pros. Remember, humans will often trade privacy for convenience. ps Related blogs & articles: Vending machine company announces major data breach Vending Company Reports Significant Data Breach Security breach affects card users tied to Wilderness arcade Vacationland Vendors Notice Encryption Anywhere and Everywhere Will you Comply or just Check the Box? PCI Turns 2.0 CloudFucius Wonders: Can Cloud, Confidentiality and The Constitution Coexist? Identity Theft Resource CenterHas The Sky Cleared on Cloud Security?
Last year I embarked on a blog series, lead by my trusty advisor CloudFucius, that evolved into an exploration of the numerous cloud computing surveys, reports, statistics and other feelings about the technology. At the time, 4-5 surveys a week were being released covering some aspect of cloud computing and security was cited as the biggest hurdle in almost 90% of the surveys. I also found that availability, control and a general lack of understanding were also drivers in challenges to cloud adoption. Almost 6 months have passed since the last CloudFucius entry and I wanted to see if the same fears were still lingering or at least, were the current surveys reporting the same concerns from a year ago about Cloud Computing. First up, is UK based technology publication, Computing. Working with Symantec.cloud, they surveyed 150 IT decision makers and learned that as more companies embrace Cloud Computing, they are finding that the cloud solutions meet or beat, not only their expectations but also their own existing in-house solutions. While on-premise security solutions might be adequate today, as the security threats evolve, the cloud providers may have the advantage over time due to the infrastructure investments in advanced filtering and detection along with 24/7 trained staff. Last year, availability and uptime also emerged as concerns and today there is great interest in the contractual SLAs offered by cloud providers since it often surpasses what they are capable of in-house. Resiliency and disaster recovery across multiple data centers can ensure that if there is an outage in one location, the customers can still access their data. Management and control still create some anxiety but many IT teams are happy to abdicate routine maintenance, like OS patching and hardware upgrades, in exchange for management SLAs. Now that the hype of cloud services has passed and many providers are proving themselves worthy, it is now becoming part of the overall IT strategy. As the perceived threats to data security in the cloud dwindle, trust in the cloud will grow. The Cloud Connect Conference in Santa Clara also released a survey during their gathering. In that one, elasticity and speed of deployment were the top motivators to using cloud services. Elasticity or the flexibility to quickly add or reduce capacity, can greatly influence the availability of data. These folks however were less motivated by improved security or access to the provider’s IT staff. Their top concerns were data privacy and infrastructure control. I do find it interesting that last year the term ‘security,’ which can encompass many things, was the primary apprehension of going to the cloud while today, it has somewhat narrowed to specifically data privacy. That too can mean several things but areas like outsider’s physical access to systems doesn’t seem to worry IT crews as much any more. When it comes to our school/educational system, Panda Security released a study that focused on IT security in K-12 school districts. Like many companies, they must deal with unauthorized user access, malware outbreaks and admit that IT security is time and resource intensive. They do believe however that the cloud can offer security benefits and improve their overall infrastructure. 91% see value in cloud solutions and are planning to implement over the next couple years with 80% saying improved security was a main reason to deploy cloud-based security. Finally on the consumer front, GfK Business & Technology surveyed 1000 adults about cloud services and storing content in the cloud. With all of our connected devices – cell phone, computer, tablet, etc – there will be a greater demand to move data to the cloud. Not real surprising, less than 10% of the consumers surveyed fully understand what the cloud actually does. The know of it, but not what it accomplishes. With what you don’t understand comes fear. 61% said that they were concerned about storing their data in the cloud and almost half said they would never use the cloud unless it was easy to store and retrieve data. As businesses begin to feel content with the cloud, they then need to both educate and communicate cloud benefits to their consumers. So it does appear like comfort with the cloud is beginning to take hold and as cloud offerings mature, especially around security, err ah, I mean data privacy solutions, the fear, uncertainty and doubt from last year is starting to loosen and it sure seems like greater adoption is on the horizon. And one from Confucius: They must often change who would be constant in happiness or wisdom. ps Resources: CloudFucius Closes This Cloud Canon Content security in the cloud - no longer hot air Cloud-based IT Security at a Tipping Point Reader Forum: The importance of cloud computing in mobile security Panda Security Study Reveals 63 Percent of Schools Plagued by IT Security Breaches at Least Twice a Year Cloud computing: What it can do for you and your business Just Don't Call It A 'Cloud' Defining enterprise security best practices for self-provisioned technology What do security auditors really think? Private Cloud Computing No Safer than Public Cloud Survey Shows Businesses Interested, But Still Conflicted, About The Cloud Cloud Computing Has the Power to Enhance Consumer Data Consumption, But Obstacles Hinder Greater Short-Term AdoptionHoliday Shopping SmartPhone Style
Close to 70% of smartphone owners plan to use the devices for holiday shopping, according to Deloitte (pdf). Smartphone ownership has jumped from 39.7% last year to 46.1% this year and tablet owners have doubled from 10.5% to 22.4% according to 9,000 shoppers surveyed by BIGinsught. This will probably also spur an increasing number of people colliding heads and walking into fountains as everyone in the mall will be looking down at their mobile devices instead of watching where they are walking. Knowing that these devices have become permanent fixtures on our bodies, retailers are using the technology in an attempt to enhance the shopping experience. As soon as you cross the mall threshold, your phone will buzz with merchant coupons or even better, your online shopping cart has been paid and converted to real items for you walk out, bags in hand, without standing in the check-out aisle. You’ll be able to browse inventory to know if that incredible deal is in stock or simply purchasing the item on the smartphone while standing in the store and have it arrive, already wrapped, the next day. Retailers are trying to combat the behavior of looking for the best deals on an item, only to go home and purchase online elsewhere. Many retailers are equipping employees with tablets and checkout areas with mobile payment systems. Employees have apps that offer richer information in case a shopper wants to know what a coat is made of, or specific warranty info on an electronic item. These employee handhelds could also check-out a shopper in the middle of the store, avoiding any lines. Some stores have even installed iPads in the dressing room so shoppers can choose what music to listen to while parading their selections in the mirror. Hopefully on those, the cameras are disabled since I can already see a remote ‘Peeping in the Dressing Room’ breach in the headlines. Coupon sites are starting to deploy Geofencing, or the ability to offer deals that are within range. You cross a digital boundary and the phone lights up with scan-able deals from area merchants. While retailers will be trying to entice the shopper, mobile technology also helps the shopper. They can look up items, prices and reviews; see who has the best selection/inventory/deals; who offers free shipping and a host of other data to help complete Santa’s list while staying under budget. More stores will also be offering free WiFi for shoppers. Boingo Wireless indicates that 20%-30% of retailers have deployed wireless in the stores and they expect that to grow to 30%-40% in the coming years. While it’s wonderful not to be ‘connected’ while shopping, most of these WiFi zones are not secure and all the security rules of open WiFi still apply. Watch the type of sensitive info you enter while connected since there is virtually no protection. In other Holiday Shopping news, Consumer Reports released its 2011 Naughty & Nice Holiday List, which looks at the good and not-so-good shopping policies and the companies behind them. And, Toy sales down after early rush. ps
