data privacy
13 TopicsYou’ll Shoot Your Eye Out…
…is probably one of the most memorable lines of any Holiday Classic. Of course I’m referring to A Christmas Story, where a young Ralphie tries to convince his parents, teachers and Santa that the Red Ryder BB Gun is the perfect present. I don’t know of there was a warning label on the 1940’s edition box but it is a good reminder from a security perspective that often we, meaning humans, are our own worst enemy when it comes to protecting ourselves. Every year about 100 or so homes burn down due to fried turkeys. A frozen one with ice crystals straight in or the ever famous too much oil that overflows and toasts everything it touches. Even with the warnings and precautions, humans still take the risk. Warning: You can get burned badly. As if the RSA breach wasn’t warning enough about the perils of falling for a phishing scam, we now learn that the South Carolina Department of Revenue breach was also due to an employee, and it only takes one, clicking a malicious email link. That curiosity lead to over 3.8 million Social Security numbers, 3.3 million bank accounts, thousands of credit cards along with 1.9 million dependant’s information being exposed. While the single click started it all, 2-factor authentication was not required and the stored info was not encrypted, so there is a lot of human error to go around. Plus a lot of blame being tossed back and forth – another well used human trait – deflection. Warning: Someone else may not protect your information. While working the SharePoint Conference 2012 in Vegas a couple weeks ago, I came across a interesting kiosk where it allows you to take a picture and post online for free to any number of social media sites. It says ‘Post a picture online for free.’ but there didn’t seem to be a Warning: ‘You are also about to potentially share your sensitive social media credentials or email, which might also be tied to your bank account, into this freestanding machine that you know nothing about.’ I’m sure if that was printed somewhere, betters would think twice about that risk. If you prefer not to enter social media info, you can always have the image emailed to you (to then share) but that also (obviously) requires you to enter that information. While logon info might not be stored, email is. Yet another reason to get a throw away email address. I’m always amazed at all the ways various companies try to make it so easy for us to offer up our information…and many of us do without considering the risks. In 2010, there were a number of photo kiosks that were spreading malware. Warning: They are computers after all and connected to the internet. Insider threats are also getting a lot of attention these days with some statistics indicating that 33% of malicious or criminal attacks are from insiders. In August, an insider at Saudi Aramco released a virus that infected about 75% of the employee desktops. It is considered one of the most destructive computer sabotages inflicted upon a private company. And within the last 2 days, we’ve learned that the White House issued an Executive Order to all government agencies informing them of new standards and best practices around gathering, analyzing and responding to insider threats. This could be actual malicious, disgruntled employees, those influenced by a get rich quick scheme from an outsider or just ‘compromised’ employees, like getting a USB from a friend and inserting it into your work computer. It could even be simple misuse by accident. In any event, intellectual property or personally identifiable information is typically the target. Warning: Not everyone is a saint. The Holidays are still Happy but wear your safety glasses, don’t click questionable links even from friends, don’t enter your logon credentials into a stray kiosk and a third of your staff is a potential threat. And if you are in NYC for the holidays, a limited run of "Ralphie to the Rescue!" A Christmas Story, The Musical is playing at the Lunt-Fontanne Theatre until Dec 30th. ps References How One Turkey Fryer Turned Into A 40-foot Inferno That Destroyed Two Cars And A Barn S.C. tax breach began when employee fell for spear phish 5 Stages of a Data Breach Thinking about Security from the Inside Out Obama issues insider threat guidance for gov't agencies National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs Insiders Big Threat to Intellectual Property, Says Verizon DBIR Negligent Insiders and Malicious Attacks Continue to Pose Security Threat Infographic: Protect Yourself Against Cybercrime The Exec-Disconnect on IT Security "Ralphie to the Rescue!" A Christmas Story, The Musical Opens On Broadway Nov. 19255Views0likes0CommentsHoliday Shopping SmartPhone Style
Close to 70% of smartphone owners plan to use the devices for holiday shopping, according to Deloitte (pdf). Smartphone ownership has jumped from 39.7% last year to 46.1% this year and tablet owners have doubled from 10.5% to 22.4% according to 9,000 shoppers surveyed by BIGinsught. This will probably also spur an increasing number of people colliding heads and walking into fountains as everyone in the mall will be looking down at their mobile devices instead of watching where they are walking. Knowing that these devices have become permanent fixtures on our bodies, retailers are using the technology in an attempt to enhance the shopping experience. As soon as you cross the mall threshold, your phone will buzz with merchant coupons or even better, your online shopping cart has been paid and converted to real items for you walk out, bags in hand, without standing in the check-out aisle. You’ll be able to browse inventory to know if that incredible deal is in stock or simply purchasing the item on the smartphone while standing in the store and have it arrive, already wrapped, the next day. Retailers are trying to combat the behavior of looking for the best deals on an item, only to go home and purchase online elsewhere. Many retailers are equipping employees with tablets and checkout areas with mobile payment systems. Employees have apps that offer richer information in case a shopper wants to know what a coat is made of, or specific warranty info on an electronic item. These employee handhelds could also check-out a shopper in the middle of the store, avoiding any lines. Some stores have even installed iPads in the dressing room so shoppers can choose what music to listen to while parading their selections in the mirror. Hopefully on those, the cameras are disabled since I can already see a remote ‘Peeping in the Dressing Room’ breach in the headlines. Coupon sites are starting to deploy Geofencing, or the ability to offer deals that are within range. You cross a digital boundary and the phone lights up with scan-able deals from area merchants. While retailers will be trying to entice the shopper, mobile technology also helps the shopper. They can look up items, prices and reviews; see who has the best selection/inventory/deals; who offers free shipping and a host of other data to help complete Santa’s list while staying under budget. More stores will also be offering free WiFi for shoppers. Boingo Wireless indicates that 20%-30% of retailers have deployed wireless in the stores and they expect that to grow to 30%-40% in the coming years. While it’s wonderful not to be ‘connected’ while shopping, most of these WiFi zones are not secure and all the security rules of open WiFi still apply. Watch the type of sensitive info you enter while connected since there is virtually no protection. In other Holiday Shopping news, Consumer Reports released its 2011 Naughty & Nice Holiday List, which looks at the good and not-so-good shopping policies and the companies behind them. And, Toy sales down after early rush. ps207Views0likes0CommentsBYOD Policies – More than an IT Issue Part 2: Device Choice
#BYOD or Bring Your Own Device has moved from trend to an permanent fixture in today's corporate IT infrastructure. It is not strictly an IT issue however. Many groups within an organization need to be involved as they grapple with the risk of mixing personal devices with sensitive information. In my opinion, BYOD follows the classic Freedom vs. Control dilemma. The freedom for user to choose and use their desired device of choice verses an organization's responsibility to protect and control access to sensitive resources. While not having all the answers, this mini-series tries to ask many the questions that any organization needs to answer before embarking on a BYOD journey. Enterprises should plan for rather than inherit BYOD. BYOD policies must span the entire organization but serve two purposes - IT and the employees. The policy must serve IT to secure the corporate data and minimize the cost of implementation and enforcement. At the same time, the policy must serve the employees to preserve the native user experience, keep pace with innovation and respect the user's privacy. A sustainable policy should include a clear BOYD plan to employees including standards on the acceptable types and mobile operating systems along with a support policy showing the process of how the device is managed and operated. Some key policy issue areas include: Liability, Device choice, Economics, User Experience & Privacy and a trust Model. Today we look at Device Choice. Device Choice People have become very attached to their mobile devices. They customize and personalize and it's always with them, to the point of even falling asleep with the device. So ultimately, personal preference or the 'consumerization of IT' notion is one of the primary drivers for BYOD. Organizations need to understand, what devices employees prefer and what devices do employees already own. That would could dictate what types of devices might request access. Once organizations get a grasp on potential devices, they then need to understand each device's security posture. About 10 years ago, RIM was the first technology that really brought the Smartphone into the workplace. It was designed to address the enterprise's needs and for years was the Gold Standard for Enterprise Mobility. Management control was integrated with the device; client certificate authentication was supported; Active Directory/LDAP servers were not exposed to the external internet; the provisioning was simple and secure; organizations could manage both Internet access and intranet access, and IT had end point control. When Apple's iPhone first hit the market, it was purely a consumer device for personal use and was not business centric, like the BlackBerry. Initially, the iPhone did not have many of the features necessary to be part of the corporate environment. It was not a business capable device. It did not support applications like Exchange, which is deployed in many organizations and is critical to a user's day-to-day activities. Over time, the iPhone has become a truly business capable device with additional mechanisms to protect end users. Android, very popular with consumers, also offers numerous business apps but is susceptible to malware. Device selection is also critical to the end user experience. Surveys show that workers are actually more productive when they can use their personal smartphone for work. Productivity increases since we prefer to use our own device. In addition, since many people like to have their device with them all the time, many will answer emails or do work during non-work hours. A recent survey indicated that 80% of Americans work an extra 30 hours a month on their own time with BYOD. But we are much happier. A few blogs ago, I wrote about Good Technology’s BYOD survey, found that organizations are jumping on the phenomenon since they see real ROI from encouraging BYOD. The ability to keep employees connected (to information) day and night can ultimately lead to increased productivity and better customer service. They also found that two of the most highly regulated industries - financial services and health care - are most likely to support BYOD. This shows that the security issues IT folks often raise as objections are manageable and there's major value in supporting BYOD. Another ROI discovered through the survey is that since employees are using their own devices, half of Good’s customers don't pay anything for the employees' BYOD devices – essentially, according to Good, getting employees to pay for the productivity boost at work. As part of the BYOD Policy the Device Choice Checklist, while not inclusive, should: · Survey employees about their preferences and current devices · Define a baseline of acceptable security and supportability features · Do homework: Read up on hardware, OS, and regional variances · Develop a certification program for future devices · Work with Human Resources on clear communication to employees about which devices are allowed–or not–and why ps Related BYOD Policies – More than an IT Issue Part 1: Liability BYOD–The Hottest Trend or Just the Hottest Term FBI warns users of mobile malware Will BYOL Cripple BYOD? Freedom vs. Control What’s in Your Smartphone? SmartTV, Smartphones and Fill-in-the-Blank Employees Evolving (or not) with Our Devices The New Wallet: Is it Dumb to Carry a Smartphone? Bait Phone BIG-IP Edge Client 2.0.2 for Android BIG-IP Edge Client v1.0.4 for iOS New Security Threat at Work: Bring-Your-Own-Network Legal and Technical BYOD Pitfalls Highlighted at RSA233Views0likes0CommentsHybrid–The New Normal
From Cars to Clouds, The Hybrids are Here Most of us are hybrids. I’m Hawaiian and Portuguese with a bit of English and old time Shogun. The mix is me. I bet you probably have some mix from your parents which makes you a hybrid. The U.S. has been called the melting pot due to all the different ethnicities that live here. I’ve got hybrid seeds for planting – my grass is a hybrid that contains 90% of the fescue and 10% bluegrass so bare spots grow back and also got some hybrid corn growing. With the drought this year, some farmers are using more drought resistant hybrid crops. There are hybrid cats, hybrid bicycles and of course, hybrid cars which has a 3% market share according to hybridcars.com. My favorite has always been SNL’s Shimmer Floor Wax – A Floor Wax and a Dessert Topping! Hybrid is the new normal. Hybrid has even made it’s way into our IT terminology with hybrid cloud and hybrid infrastructures. There are Public Clouds, those cloud services that are available to the general public over the internet; Private (Internal or Corporate) Clouds, which provides cloud hosted services to an authorized group of people in a secure environment; Hybrid Clouds, which is a combo of at least one public cloud and one private cloud; and, what I think will become the norm, a Hybrid Infrastructure or Hybrid IT, where there is a full mix of in-house corporate resources, dedicated servers, virtual servers, cloud services and possibly leased raised floor – resources are located anywhere data can live, but not necessarily all-cloud. This past June, North Bridge Venture Partners announced the results of its second annual Future of Cloud Computing Survey which noted that companies are growing their trust in cloud solutions, with 50% of respondents confident that cloud solutions are viable for mission critical business applications. At the same time, scalability remains the top reason for adopting the cloud, with 57% of companies identifying it as the most important driver for cloud adoption. Business agility ranked second, with 54% of respondents focused on agility. They also noted that cloud users are changing their view with regard to public vs. hybrid cloud platforms. Today, 40% of respondents’ are deploying public cloud strategies, with 36 percent emphasizing a hybrid approach and within five years, hybrid clouds will be the emphasis of 52% of respondents’ cloud strategies. Most respondents (53%) believe that cloud computing maintains a lower TCO and creates a less complex IT. Earlier this year, CIO.com ran a story called, Forget Public Cloud or Private Cloud, It's All About Hyper-Hybrid, where they discussed that as more organizations adopt cloud services, both public and private, for mission critical business operations, connecting, integrating and orchestrating the data back to the core of the business is critical but a challenge. It’s no longer about cloud but it’s about clouds. Multiple cloud services that must link back to the core and to each other. Even when organizations that are cloud heavy, IT shops need to keep up the on-premise side as well, since it's not likely to go anywhere soon. They offer 5 attributes that, if relevant to a business problem, the cloud is a potential fit: Predictable pricing, Ubiquitous network access, Resource pooling & location independence, Self-service and Elasticity of supply. If you are heading in the Hybrid direction, then take a look at BCW’s article from April this year called, Hybrid Cloud Adoption Issues Are A Case In Point For The Need For Industry Regulation Of Cloud Computing. They discuss that the single most pressing issue with hybrid cloud is that it is never really yours which obviously leads to security concerns. Even when a ‘private cloud’ is hosted by a third party, 100% control is still impossible since an organizations is still relying on ‘others’ for certain logistics. Plus, interoperability is not guaranteed. So a true hybrid is actually hard to achieve with security and interoperability issues still a concern. The fix? Vladimir Getov suggests a regulatory framework that would allow cloud subscribers to undergo a risk assessment prior to data migration, helping to make service providers accountable and provide transparency and assurance. He also mentions the IEEE's Cloud Computing Initiative with the goal of creating some cloud standards. He states that a global consensus on regulation and standards will increase trust and lower the risk to organizations when precious data is in someone else’s hands. The true benefits of the cloud will then be realized. ps References: Forget Public Cloud or Private Cloud, It's All About Hyper-Hybrid Hybrid Cloud Adoption Issues Are A Case In Point For The Need For Industry Regulation Of Cloud Computing 2012 Future of Cloud Computing Survey Exposes Hottest Trends in Cloud Adoption Cloud Computing Both More Agile and Less Expensive How to Protect Your Intellectual Property in the Cloud The IEEE's Cloud Computing Initiative IEEE Cloud Computing Web Portal Charting a course for the cloud: The role of the IEEE The Venerable Vulnerable Cloud Cloud vs Cloud FedRAMP Ramps Up The Three Reasons Hybrid Clouds Will Dominate F5 Cloud Computing Solutions189Views0likes0CommentsParking Ticket Privacy
Imagine getting a $20 parking ticket and then filing suit against the issuing municipality for exposing too much personal information on that ticket. That’s exactly what Jason Senne did after receiving a $20 parking ticket in 2010 for illegally parking his car overnight in the Chicago ‘burb of Palatine, Ill. His name, address, driver's license number, date of birth, height and weight all appeared on the ticket, which was placed on his windshield in full public view. Senne's complaint alleged that disclosure of his identity was in violation of the Driver’s Privacy Protection Act of 1994 (DPPA). DPPA requires that all states protect a driver's name, address, phone number, Social Security number, driver identification number, photograph, height, weight, gender, age, and specific medical or disability information. Congress passed the privacy legislation in response to the death of actress Rebecca Schaeffer. She was killed by a stalker who had gotten her unlisted home address through the California DMV. In Senne’s case, initially a federal judge found that an exception for law enforcement protected the village's actions, and a 3-judge panel of the 7th Circuit affirmed that last year. Senne pushed and the full federal appeals court agreed to rehear the case. Last week, the full federal appeals court decided Monday that ‘the parking ticket at issue here did constitute a disclosure regulated by the DPPA.’ In a 7-4 ruling, the appeals court said that it didn’t matter if someone walking by happened to notice the personal info – just the fact that it was exposed in such a public manner was enough. The earlier district court decision, in favor of Palatine Village, was based on the notion that a ‘disclosure’ was when an entity turned over information to someone else without consent and was not considered disclosure. In this case, there was no direct handoff, just the ticket flapping on the windshield/wiper blade in plain sight. In the overturned ruling, the divided court felt that there was real risk, safety and security concerns at stake. A stalker looking for a target could just hang out where overnight parking is banned and collect a bunch of potential victim’s info for future harassment. The recent court’s interpretation of the law might also expose Palatine to a hefty $80 million fine. Since there is a 4 year statute of limitations on private lawsuits and each privacy violation carries a $2500 penalty, all those tickets issued during that time frame with the protected info could be in play. It’s an interesting case about privacy and how others, without malicious intent, may expose personal, sensitive details about an individual. While identity theft due to electronic means, like data breaches, is on the rise, stolen wallets or physical documents (dumpster diving) still account for a good percentage of ID theft crimes. Back in 2009, a Javelin study indicated that stolen wallets and physical documents accounts for 43% of all identity theft (pdf) which means we still need to shred our printed materials. ps References: Privacy Issue in Parking Tickets, Full Circuit Says Appeals court reinstitutes parking ticket lawsuit against Palatine Detailed Parking Tickets Breach Personal Privacy, Appeals Court Says Court Says Parking Tickets Could Be Illegal Senne v. Village of Palatine Driver Information Can Be Sold for Commercial Use Under DPPA (FindLaw's Seventh Circuit Blog) Driver's Privacy Protection Act Seems Fairly Useless (FindLaw's Sixth Circuit Blog) Dumpster Diving vs. The Bit Bucket260Views0likes0CommentsThe Changing Security Threat Landscape Infographic
In conjunction with a new video and a security white paper, this F5 infographic validates the need for organizations to rethink security practices. The global security threat landscape is rapidly evolving and has changed dramatically in ways unfathomable just a few years ago. Due to this growing complexity and the rise of many unknown forces in the battle for information and causes, customers must rethink how they protect their network, applications, and data from ever-changing threats. (you can reuse within your own blogs, etc) ps Resources: F5 Networks Launches Informational Video on the Changing Security Threat Landscape The Changing Threat Landscape – F5 Security Video The Changing Threat Landscape – Infographic A New Firewall for the Data Center – Infonetics Research Paper F5 Security Vignette Series F5 Security Solutions199Views0likes0CommentsBYOD–The Hottest Trend or Just the Hottest Term
It goes by many names: ‘Bring Your Own Danger’, ‘Bring Your Own Disaster’ and what most people call ‘Bring Your Own Device’ and everyone it seems is writing, talking and surveying about BYOD. What used to be inconceivable, using your own personal mobile device/smartphone for work, is now one of the hottest trends or at least, one of the hottest topics being discussed throughout the IT industry. The idea of using a personal smartphone at work sprouted, I think, when many executives got their first iPhone back in 2007 and wanted access to corporate resources. As more smartphones made their way into employee’s hands, the requests for corporate access only grew. Initially resistant to the idea due to security concerns, IT seems to be slowly adopting the concept based on the many blogs, articles and surveys that have littered the internet of late. But, it is a true trend that will transform IT or simply a trending term getting a lot of attention? We’ll be right back after these important messages. Just Kidding. Most likely the former. While many of the cautionary articles talk about potentially grim disasters, they do acknowledge that BYOD is not going away and in fact, is gaining ground. Greater productivity and cost savings seem to be the driving factors. Let’s take a quick look at the smattering of articles surrounding this offshoot of IT consumerization. The Mobile Device Threat: Shocking Mobile Security Stats: A nice slide show featuring highlights from a recent Ponemon Institute and Websense survey. Right out of the gate they talk about how mobile devices are a double-edge sword for enterprises. 77 % of the 4640 responses said that the use of mobile devices in the workplace is important to achieving business objectives but almost the same percentage - 76% - believe that these tools introduce a "serious" set of risks. While organizations understand the risks, the survey showed that only 39% have security controls in place to mitigate them. As a result, 59% of respondents said they’ve seen a jump in malware infections over the past 12 months due, specifically, to insecure mobile devices including laptops, smartphones, and tablets while 51% said their organization has experienced a data breach due to insecure devices. While 45% do have a corporate use policy, less than half of those actually enforce it. In terms of recommendations based on their findings they said, be sure to understand the risk that mobile devices create in the workplace; educate employees about the importance of safeguarding their devices; create a mobile device corporate policy and leverage mobile device management solutions, security access controls, and even cloud services to keep confidential data out of the eyes of unauthorized viewers. 10 myths of BYOD in the enterprise: A nice top 10 from TechRepublic primarily pulling data from a recent Avanadesurvey of more than 600 IT and business leaders. The notion of IT resistance to BYOD is somewhat squashed here with nine out of 10 respondents (according to the results) saying their employees are using their own tech at work. They found that more Androids are encroaching the workplace; that employees are actually using it for work rather than playing games and that nearly 80% of enterprises will make investments this year to manage consumer technologies. There’s 7 more myths along with a couple nice graphics to go along with the list. Interesting and quick read. When Business and Personal Combine: This Wall Street Journal article talks specifically about the conundrum companies and employees face when a remote wipe comes into play. What happens, or really, how to deal with situations when there is a fear of a data breach yet wiping the device also deletes all the employee’s personal data, like family pictures. Policies, use agreements and mobile device management (MDM) solutions are potential solutions. The new BYOD: Businesses are now driving adoption: Rather than the perils of BYOD, this InfoWorld article talks about how enterprises are starting to actively encourage BYOD, not just passively accept it. Reporting on Good Technology’s recent BYOD survey, they found that organizations are jumping on the phenomenon sine they see real ROI from encouraging BYOD. The ability to keep employees connected (to information) day and night can ultimately lead to increased productivity and better customer service. They also found that two of the most highly regulated industries - financial services and health care - are most likely to support BYOD. This shows that the security issues IT folks often raise as objections are manageable and there's major value in supporting BYOD. Another ROI discovered through the survey is that since employees are using their own devices, half of Good’s customers don't pay anything for the employees' BYOD devices – essentially, according to Good, getting employees to pay for the productivity boost at work. BYOD Is The Challenge Of The Decade: Europe is also seeing the BYOD trend. This TechWeek Europe article talks about the familiar threats of malware, spyware, worms and other malicious software but also says that BYOD success depends on both people and technology. That it’s important to involve management early, consider the legal and financial ramifications along with risks to the business to then make an informed decision about a BYOD plan. Not sure if it’s the challenge of the decade but it’s a great headline and will continue to fluster IT in the coming years. IT Security's Scariest Acronym: BYOD, Bring Your Own Device: This PCWorld article uses Nemertes Research data to cover the discrepancies between how companies treat laptops (which can be mobile) and mobile devices themselves. They both have VPN capabilities and device encryption available but stray in different directions after that commonality. The obvious difference is laptops are usually IT owned and smartphones are personally owned. They suggest that it’s a good idea to re-evaluate the difference between security controls on different types of end-user devices and ask, "Is this difference based on valid reasons or a result of legacy thinking?" BYOD Challenge: How IT Can Keep User-Owned iPhones And iPads Secure In Enterprise: This article looks at both the technical and personal challenges to securing employee-owned devices along with suggestions like user education, cost sharing, purchase assistance, tiered access, reward for enrollment and reward for good behavior. I like the last one since much of our challenges and much of what I write about is human behavior, the human condition and why we do the risky things we do. BYOD: Manage the Risks and Opportunities: Bankinfosecurity.com is one of my weekly stops on the internet circuit. While this article is more a primer for an upcoming webinar, it does offer a number a good questions to ask while considering a BYOD strategy. They also say that it's no longer a question of whether to allow employees to use their own devices – the questions are now about inventory, security, privacy, compliance, policy and opportunity. Some BYOD thoughts based on all of the above, in no particular order: Have a BYOD policy or forbid the use all together. Two things can happen if not: personal devices are being blocked and organizations are losing productivity OR the personal devices are accessing the network (with or without an organization's consent) and nothing is being done pertaining to security or compliance. Ensure employees understand what can and cannot be accessed with personal devices along with understanding the risks (both users and IT) associated with such access. What's the written policy and how is it enforced. Acceptable use. Ensure procedures are in place (and understood) in cases of an employee leaving the company; what happens when a device is lost or stolen (ramifications of remote wiping a personal device); what types/strength of passwords are required; record retention and destruction; the allowed types of devices; what types of encryption is used. Organizations need to balance the acceptance of consumer-focused smartphones/tablets with control of those devices to protect their networks. Organizations need to have a complete inventory of employee's personal devices - at least the one’s requesting access. Organizations need the ability to enforce mobile policies. Securing the devices. Organizations need to balance the company's security with the employee's privacy like, off-hours browsing activity on a personal device. Personally, I do find that if I’m playing a game at 9pm and an email comes in, I typically read it. F5 has a number of solutions to help organizations conquer their BYOD fears. From the Edge Client, to our BIG-IP Global Access Solutions (BIG-IP APM and BIG-IP Edge Gateway) to the recent MDM partnership announcements, we can help ensure secure and fast application performance for mobile users. ps Related or, …and the Rest: The Dark Side of BYOD – Remote Wiping and Other Issues How do we manage the BYOD boom, at the technical end? BYOD: Bring your own device could spell end for work PC Bring Your Own Device: Risks and rewards What Risk Does 'BYOD' Pose To Your Business? Survey Says Mobile Device Security Threats Attract Cybercriminals The BYOD Security Dilemma BYOD and the hidden risk of IT security BYOD Policy Template Secure iPhone Access to Corporate Web Applications253Views0likes0CommentsSurfing the Surveys: Cloud, Security and those Pesky Breaches
While I’m not the biggest fan of taking surveys, I sure love the data/reports that are generated by such creatures. And boy has there been a bunch of recent statistical information released on cloud computing, information security, breaches and general IT. Since this prologue is kinda lame, let’s just get into the sometimes frightening, sometimes encouraging and always interesting results from a variety of sources. 2012 Verizon Data Breach Report: If you haven’t, read Securosis' blog about how to read and digest the report. It’s a great primer on what to expect. An important piece mentioned is that it’s a Breach report, not a cybercrime or attack report. It only includes incidents where data was taken – no data loss, not included. And with that in mind, according to the report, there were 855 incidents with 174 million compromised records, the 2nd highest data loss total since they’ve been tracking (2004). This coming after a record low 4 million lost records last year. The gold record of stolen records. While hacktivism exploded, accounted for 100 million of that 174 mill of stolen records and 58% of all data theft along with untraditional motives; credit cards, intellectual property, classified info and trade secrets were all still hot targets. 81% of the breaches used some sort of hacking with 69% involving malware. 79% were targets of opportunity meaning they had an exploitable vulnerability rather than being ‘on a list.’ 96% of the breaches were not that difficult and 97% could have been avoided using simple to standard protection mechanisms. Unfortunately, organizations typically don’t discover the breach until weeks later. As Securosis points out, don’t be flustered by the massive increase in lost data but focus on the attack and defense trends to help protect against becoming a statistic and as Verizon mentions, ‘this study reminds us that our profession has the necessary tools to get the job done. The challenge for the good guys lies in selecting the right tools for the job at hand and then not letting them get dull and rusty over time. Evidence shows when that happens, the bad guys are quick to take advantage of it.’ BMC Software Survey: Conducted by Forrester Consulting on behalf of BMC, ‘Delivering on High Cloud Expectations’ found that while 81% of the respondents said that a comprehensive cloud strategy is a high priority, they are facing huge challenges in accomplishing that task – mainly complexity. Even with cost reduction as a top IT priority, 43% reported using three or more hypervisor technologies as they try to reduce complexity. CIOs are concerned that cloud technologies offer an avenue for groups to circumvent IT which may hinder IT’s ability to meet overall business expectations. When groups deploy unmanaged public cloud services without IT involvement it can add to the complexity that they are trying to avoid. While 79% of respondents do plan on supporting mission-critical workloads on unmanaged public cloud services over the next two years, only 36% allow this today. No surprise that hybrid-cloud deployments, at 37%, was the most desired deployment. The full study results will be announced on Thursday, April 26, 2012 at 11 a.m. CDT as part of a BMC webinar. CSC Cloud Usage Index: Late last year, Independent research firm TNS surveyed more than 3,500 cloud computing users in eight countries around the world to find answers to cloud usage, expectations, attitudes and other cloud related questions. The survey focused on capturing user information about outcomes and experiences rather than predictions and intentions. In an interesting shift from the typical ‘cost savings’ and ‘business agility’ usually cited as a top motivator, one-third of respondents cite their need to better connect employees who use a multitude of computing devices as the number one reason they adopt cloud. 17% claim agility and only 10% indicate cost savings as a top reason for cloud adoption. 82% of respondents said they saved money on their most recent cloud project but 35% of U.S organizations reported a payback of less that $20,000. In terms of overall IT performance, 93% of respondents say cloud improved their data center efficiency/utilization and 80% see similar improvements within six months of moving to the cloud. Zenoss 100 Best Cloud Stats of 2011: Admittedly, this came out last year but it is still a great statistical overview of Cloud Computing. It starts with data growth stats, like 48 hours of video uploaded to youtube every minute; that 74% of Data Centers have increased their server count over the last three years accounting for 5.75 million new servers every year yet 15% do not have data backup and recovery plans; that, on average, cloud users report saving 21% annually on those applications moved to the cloud; that a delay of 1 second in page load times equals 7% loss of conversions, 11% fewer pages viewed and a 16% decrease in customer satisfaction; that Agility is the top driver for cloud adoption and Scalability the top factor influencing cloud use; that 74% of companies are using some sort of cloud service today yet 79% do not have an IT roadmap for cloud computing and a whole slew of others. All the stats appear to be attributed and run the gamut from storage to cloud to apps. Cloud Industry Forum (CIF) study: As enterprises continue to embrace cloud adoption, it is important for service providers to understand motivators for cloud adoption to ensure those services are being offered. This study, USA Cloud Adoption & Trends 2012 shows that smaller U.S. companies indicate that flexibility as their main driver for cloud adoption while large enterprises cite cost savings as their main reason for cloud deployments. This survey also noted that ‘Cloud’ is no longer a nebulous buzzword with 76% of polled organizations already using some sort of cloud computing for at least one service. Organizations are happy about it also – 98% said they were satisfied with the results of their cloud services with 94% expecting to increase their use in the next 12 months. Data security and data privacy were tagged as the top concerns with 56% and 53% respectively. By no means an exhaustive list of all the recent survey results pertaining to cloud and/or IT security, but they do offer some interesting data points to consider as organizations continue to strive to deliver their available applications as fast and secure as possible. ps334Views0likes0CommentsOur Identity Crisis
As as kid, my mom would constantly remind me that I was a Hawaiian Prince – a direct descendant of King Kamehameha’s grandparents and the Kekaulike (23rd Moi of Maui) line. I was born in Hawaii but grew up on the East Coast so as a kid, I was embarrassed to be of Hawaiian Royalty since it was different from the typical ethnic groups of the New England states but that was/is Who I Am. Of course as I got older I like being 254th in line to the Hawaiian throne…if it was still a sovereign kingdom. Your identity is what makes you, You. It is made up of things like, Your Family, Your history, What you say, What you know, Where you are, What you share, Who you know, Your preferences, Your choices, Your reputation, Your profession, Your biggest fears, Your greatest love and all the nuances that make each of us an individual. This information is available on the web, in profiles, contacts, email, data, documents, music, images, blogs, favorites…. Networks… you name it. Some may confuse ‘image’ or ‘persona’ with identity. Many celebrities have images to keep, or present a persona that they want their audience to latch to but many times, it is not their true identity and who they really are at their core. There are also certain pieces of our identity we’d also like to keep secret. That’s the same information that the crooks want. As we approach the holidays, this is an especially critical time to keep an eye on our information and those devices that contain our information, like our mobile devices. You may have seen the recent commercials about making payments over your smartphone – the one where everyone pulls out their phones after dinner to pay their share and the guy with cash looks like the fool. Huh? I got real, crisp, green money in my hand, right from the ATM and nobody wants it. The mobile payment infrastructure is still in the early stages but you can imagine the schemes already being hatched by those who would love to intercept those transactions. And speaking of crooks, did you see that 111 arrested in massive ID theft bust in New York? Prosecutors are calling it the largest ID theft fraud case in US history. For two years, law enforcement dug in for ‘Operation Swiper,’ which targeted a very sophisticated ID theft ring who recruited and paid restaurant workers, retail cashiers and even bank tellers to steal credit card numbers and quickly convert that data into cash. They had everything – computers, skimmers, card readers, embossers, credit card blanks and shopping crews who went coast-to-coast buying high end merchandise while staying in 5-star hotels. They made off with over $13 Million in less than a year and a half. On a separate but positive note, a new Federal law was passed to protect foster children from identity theft. This new law requires states to run credit checks on older foster children and work to resolve ID theft cases so when the child reaches adulthood, they have a clean slate. Foster children are prime targets for and face greater risks of ID theft since their information passes through so many hands and agencies. Most states also still use the foster child’s SSN to identify them, adding to the risk. Many foster children enter adulthood with massive debt due to someone else leaving them with bad credit. This law is intended to both protect against that and help those who have been victims. And lastly, next week is the 4th annual National Protect Your Identity Week (PYIW). Multiple Better Business Bureaus are joining several government agencies and other national advocacy organizations to offer educational workshops, free document shredding and computer recycling. Javelin Strategy and Research noted that in 2010, 8.1 million adults were victims of identity theft resulting in the loss of $37 billion. Plus, according to AllClear ID, children are 51 times more likely to have their identity stolen. So as the year end festivities start heating up, don’t forget to keep an eye on you along with protecting and embracing your identity. ps Related: 111 arrested in massive ID theft bust Foster children gain protection from ID theft New law protects foster kids from identity theft Identity Theft Bust Exposes Need For 'Smart' Credit Cards Alleged Identity Theft Leads to Chase From TD Bank Protecting yourself from identity theft Identity Theft and Your Family: Deterring Disaster The Web Leaks Like a Sieve Technorati Tags: F5, PCI DSS, virtualization, cloud computing, Pete Silva, security, cloud, credit card, compliance, web, internet, cybercrime, holiday shopping, identity theft,197Views0likes0CommentsHackers Hit Vacation Spots
Just when you were having all that fun running around the waterpark and playing those arcade games comes news that the card processing system of Vacationland Vendors Inc., a Wisconsin Dells firm that supplies arcade games and installs vending machines, was breached. From the notice on their website, they say, ‘Vacationland Vendors recently discovered that an unauthorized person wrongfully accessed certain parts of the point of sales systems that Vacationland Vendors uses to process credit and debit transactions at the Wilderness Resorts.’ Up to 40,000 debit or credit cards that were used in the arcades any time between December 2008 to May 2011 at the Wilderness Waterpark Resort near Wisconsin Dells and a companion resort in Tennessee are potentially compromised. The hackers, according to Vacationland Vendors, improperly acquired credit card and debit information and around 20 accounts have shown irregular activity. Reservation and restaurant transactions were not involved in the breach, only the point-of-sale devices. Malware was the apparent culprit. Point-of-sale devices and the networks they are connected to are often the target of malicious hackers. These ‘kiosks’ are typically unattended and might be in locations where observation is limited. A couple years ago, Target’s breach was the result of hackers gaining access via the customer service kiosks and the huge hit at Heartland Payment Systems, resulting in tens of millions of exposed credit and debit cards was from a breach of the company's point-of-sale network. After successful installation of malicious software, thieves are able to sniff and intercept payment card data as the information is transmitted within the internal network or to the bank for authorization. It might not even be encrypted as it travels. If it was, then the crooks wouldn’t have the info. Many people may think these kiosk point-of-sale devices are safe since it is taking credit card data and merchants need to be PCI compliant. While the overall deadline for PCI 1.2 compliance was a couple years ago (and PCI 2.0 at the end of this year), the deadline for unattended point-of-sale devices was July 2010, a little over a year ago. That’s why you’ve seen a whole slew of new gas station pumps at your favorite fueling stations and just like regular compliance, it’s going to take time to update all the point-of-sale devices. Now, I’m not insinuating that the arcade devices were not PCI compliant since nothing has been reported about that, but what I am saying is be careful with those since you may not know if it is or not. If it looks a few years old, then most likely, it is not. With this and other similar point-of-sale breaches, many security experts (and even the Heartland CEO) believe end-to-end encryption is necessary, even if transmitting on the internal network, from the time the card is swiped all the way until the data reaches the the processor or bank. Many credit card swipe terminal vendors are building encryption into the hardware itself and F5 can help keep that information encrypted while it’s travelling the great unknown. Our BIG-IP APM and BIG-IP Edge Gateway (voted Best Secure Remote Access Product by TechTarget Readers) can easily encrypt any traffic, internal or external. Heck, even a couple BIG-IP LTM running our latest v11 code can initiate a secure tunnel between them, creating an instant, secure WAN connection. With the advent of credit card swiping capabilities on mobile phones now in full force, I’m not sure if this is going to get better or worse. The terminal might be fine but if you install a hacked mobile payment app, then you can skim credit card info like the pros. Remember, humans will often trade privacy for convenience. ps Related blogs & articles: Vending machine company announces major data breach Vending Company Reports Significant Data Breach Security breach affects card users tied to Wilderness arcade Vacationland Vendors Notice Encryption Anywhere and Everywhere Will you Comply or just Check the Box? PCI Turns 2.0 CloudFucius Wonders: Can Cloud, Confidentiality and The Constitution Coexist? Identity Theft Resource Center219Views0likes0Comments