Monday, 19 September 2011

Security without the hype


Anonymous. LulzSec. Stuxnet. A Digital Pearl Harbour. Cyber attacks are bigger than the global drugs trade.
Recent high profile data breaches might well suggest that some corporate networks have all the security of a sieve, but is a lot of the rhetoric and war-room talk that accompanies so much of the discussion of cyber security really necessary?
There’s only so much hype people can take before they switch off or start making assumptions about the true value of the message. And it’s only fair to say that a lot of the fear and negativity that’s associated with digital and network security could be having the opposite effect on end users. In the face of the seeming inevitability of an attack, it seems that many end users are adopting a resigned approach that borders on carelessness or worse: passing the buck and assuming someone else will look after it.
Clearswift’s recent WorkLifeWeb research found that 31% of employees surveyed said they believed information security to be entirely the responsibility of their company. 21% of those employees admitted to not thinking about security at all when using the web or email at work, with 19% saying they’d work around any company blocking policy. Hardly surprising, then, that 50% of managers believe employees are oblivious to security concerns.
It’s that last figure that’s so interesting to me, because it raises some pretty obvious questions: If your employees are oblivious to security concerns, whose fault is that? Similarly, why is it that, with more managers expressing concern about data loss via employees than via external hacking, other Clearswift research has found that 38% of employees had received no training at all on security issues in their current job?
As Andrew Wyatt put it in a recent blog post here, technology on its own is a skimpy fig leaf. Modern information security is about a lot more than just inbound threat detection. It’s about the value and benefits beyond it. Being able to implement flexible policies that work with, rather than against, employees; simplifying solutions and reducing administrative burdens so IT staff can dedicate more time and effort to proactive vigilance; educating your workforce and creating a visible, flexible policy that they are not only aware of but understand the need for...
These are just some of the more positive steps that companies can take towards securing their information assets. Hype might help to sell products. It might even help to push security higher up the business agenda in some firms, but unless we start to see a trickle down to all levels of the business, it’s a waste of breath. Worse still, with 87% of businesses we surveyed saying security fear was the biggest single inhibitor of the adoption of the kinds of technologies that 57% of them described as critical to their future success, it’s worth remembering that some cures are worse than the disease.
By Nick Peart


Thursday, 8 September 2011

The Social Media Stalemate


Earlier this week, I commented on some of the trends revealed by our WorkLifeWeb research. One area I didn’t touch on, however, was the insatiable demand for consumer mobile devices such as iPads and smartphones and how they are affecting the workplace.
This ‘consumerisation of IT’ – where users bring their own devices to work – poses a number of new challenges to businesses, creating new headaches for IT security staff as they battle to secure boundaries and prevent data loss via unauthorised devices. In fact, 87% of the companies we surveyed said they are so concerned about security and data loss that it’s preventing technology adoption.
Another interesting aspect of this year’s WorkLifeWeb research is its reflection of what appears to be a growing divide between workers and management when it comes to social media use in the workplace. While 48% of managers say social media use is either allowed or encouraged, only 25% of employees agree that this is the case. This development of a social media stalemate between managers and employees is further highlighted by the fact that while 60% of companies state that they allow personal device use at work, only 40% of employees think this is the case.
There is clearly a growing tension between the two groups: one feels the need to manage, restrict and control, while the other believes it should be trusted to use technologies that can empower and enhance communications. This friction currently looks unlikely to abate. Perhaps companies should note that stricter social media policies would detrimentally affect over 40% of the workforce.
On the whole, the 2011 research indicates that companies are clamping down on new communication channels rather than embracing them. This in turn is stifling potential avenues of growth. One saving grace is that while this is happening, the research shows that businesses do recognise the important role that social media has to play. We can only assume that the clampdown is a knee jerk reaction rather than a long term trend.

Comparative Review: Active Directory Auditing Tools


NetVision was recently featured in a Windows IT Pro product comparative review on Active Directory audit solutions. The full article is available in the September issue and on the Windows IT Pro web site under the title Comparative Review: Active Directory Auditing Tools. But, we just wanted to call out a few of our favorite quotes:

Trying to find the culprit using Event Viewer is like looking for a needle in a haystack. You need a tool that can lay out the data in a clear and concise manner—you need a good Active Directory (AD) auditing tool.

NetVision should be your first choice if you’re looking for a turnkey solution. No matter whether you want to use the physical appliance, virtual appliance, or managed service, it’s the best for hands-free AD auditing.

Overall, I was impressed with [NetVision's] product. It’s extremely robust…

Each one has its own strengths and weaknesses, but the one that impressed me the most was [NetVision] NVAssess, which is why it earns the Editor’s Choice award.

Well said Windows IT Pro!

Of course, to get the details, please read the full article. And let us know if you have any questions.

The business case for compliance


Last week Adrian Leppard, City of London Police Commissioner, wrote an article that discussed how an increasing number of criminals were targeting businesses that failed to encrypt customer data to a high enough standard. He commented that the financial loss and reputational damage inflicted on a company from a data breach will always outstrip the investment cost of putting in place the correct security systems and policies. This is a very valid point.
There are many sector specific security standards in the marketplace, with the Payment Card Industry Data Security Standard (PCI DSS) being one of the best known. It is not a law but a standard that the card brands, including American Express, Visa and MasterCard Worldwide, make a contractual condition of handling their cards, and it was put in place to establish a common framework for data security compliance.
By becoming PCI compliant, your business adheres to the PCI DSS requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. In operational terms, it means you are playing your role in ensuring your customers' payment card data is kept safe throughout every transaction, and that they – and you – can have confidence that they're protected against the pain and cost of data breaches.
Unfortunately, too many companies have a rather lax approach to compliance, seeing it as another bureaucratic tick box rather than a business imperative. This seems a rather strange attitude to take when you consider that non-compliance means you are not only jeopardising the security of your customer data but are also gambling with your reputation and brand. All companies that handle customer data should conduct regular data discovery exercises to ensure that unprotected cardholder data is found and correctly secured.
Another consideration is that criminals are always using new methods to obtain data, which is why data standards constantly evolve: PCI DSS is currently in version 2.0. Security vendors should therefore pay close attention to evolving standards to ensure the solutions they offer are relevant and mitigate client risk.
Police Commissioner Leppard made the point that what is needed is not just a change of process, but a change in attitude; only reacting when things go wrong is not the mark of a strong business. In essence, having the foresight to implement a flexible security strategy is one of the first steps you should take if customer retention is important to your business model.
By Richard Turner

New Windows worm highlights prevalence of weak admin passwords


Last weekend, Microsoft’s Malware Protection Center (MMPC) detected a new worm that exploits weak passwords to infect Windows workstations and servers.
Dubbed ‘Morto’, the worm is reminiscent of Slammer or Code Red from years back, but with a twist: rather than exploiting a software vulnerability, it spreads over Remote Desktop (RDP) connections, scanning for hosts that accept RDP and trying a short list of common passwords against administrator accounts. Once in, Morto connects to a remote server to update its components and download further instructions, which gives the attackers a foothold on the network through the infected machine. The worm can then terminate processes belonging to local security applications and carry out Denial of Service (DoS) attacks against specified targets.
Clearswift Chief Software Engineer Paul Singh says this is the first time we’ve seen an attack of this nature. “This is probably a proof of concept attack that has worked a bit better than the perpetrators expected,” he says. While the attack utilises RDP, the weak point is not remote desktop access over the internet; the initial “in” for Morto is most likely to come via an infected email or visiting an infected site, says Singh. “As such, using VPN as a defence mechanism isn’t relevant. Perimeter security that scans email and web traffic to prevent infections in the first place is important.”
Singh says that Morto highlights just how easy it is to crack the most commonly used passwords. Worse still, the worm exposes “How lazy some administrators are, as Morto is targeting the passwords for admin accounts.”
“Recent attacks on popular sites like Gawker, RockYou and PSN gave hackers access to passwords that can be used to increase the statistical probability of guessing admin passwords correctly,” says Singh. And while some might question the relevance of Gawker users’ choice of passwords to IT admins, the list of user account names and password combos Morto has tried includes some real eye-openers: admin, root, owner, 1234, 123, password and 123123...
According to Singh, the simple solution to attacks of this nature is to adopt a more robust, well-defined and enforced password policy in the workplace. This can include clear guidelines around password complexity and the setting of basic password requirements such as length, mixing upper-and-lower-case letters and numbers.
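As an added illustration of the kind of policy described above (example code written for this post, not Clearswift’s or Microsoft’s), the following Python function checks a candidate password against a policy that combines the length and character-class requirements with the account/password values the post reports Morto trying. The minimum length of 12, the account-name check and the repeated-pattern check are assumptions of this example, not something the post specifies.

```python
"""Check a candidate password against a Morto-style password policy.

Added example for this post; not code from Clearswift or Microsoft.
MIN_LENGTH, the account-name check and the repetition check are assumed
policy choices, not taken from the post.
"""
import re

MIN_LENGTH = 12  # assumed policy value; the post only says "length"

# Password values the post reports Morto trying. Anything on this list is
# rejected outright, however it is capitalised.
MORTO_LIST = {"admin", "root", "owner", "1234", "123", "password", "123123"}


def _is_repetition(password):
    """True if the password is a shorter string repeated, e.g. '123123' = '123' * 2."""
    n = len(password)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and password[:size] * (n // size) == password:
            return True
    return False


def check_password(password, username=None):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if password.lower() in MORTO_LIST:
        problems.append("on the Morto password list")
    # Assumed check: an administrator account named 'admin' with a password
    # containing 'admin' is still an easy guess, whatever its length.
    if username and username.lower() in password.lower():
        problems.append("contains the account name")
    if _is_repetition(password):
        problems.append("is a repeated pattern")
    return problems


if __name__ == "__main__":
    # Constructed candidates, not real credentials.
    for user, pw in [("admin", "123123"), ("admin", "Password1"),
                     ("Admin", "AdminSecure2011x"), ("helpdesk", "Tr0ub4dor-Claims-7")]:
        verdict = check_password(pw, user) or ["ok"]
        print(f"{user!r}/{pw!r}: {', '.join(verdict)}")
```

The function returns the list of violations rather than a boolean so that a provisioning script can tell the administrator exactly why a password was refused; the values in the `__main__` block are constructed for the demonstration.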
Singh adds that the worm was detected through the unusual levels of network traffic it creates on certain ports: RDP scans, downloads, receiving commands and DNS queries for command-and-control servers. “This highlights the need for IT departments to constantly and proactively examine log files for unusual activity,” he says.
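The traffic pattern Singh describes, one host opening RDP connections to many peers in a short time, is something that can be picked out of ordinary firewall logs. The following Python script is an added example written for this post (not Clearswift or Microsoft code): it parses constructed key=value firewall log lines, keeps only TCP connections to port 3389, and flags any source that reaches an unusual number of distinct RDP targets within a sliding window. The log format, the 60-second window and the threshold of eight targets are assumptions; real thresholds should be set from a baseline of the network in question.

```python
"""Flag hosts that fan out RDP (TCP/3389) connection attempts to many peers.

Added example for this post; not code from Clearswift or Microsoft. The
key=value log format, window and threshold are assumptions, and the log
lines below are constructed for the demonstration, not captured traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RDP_PORT = 3389
FANOUT_THRESHOLD = 8          # assumed: >= 8 distinct RDP targets ...
WINDOW = timedelta(seconds=60)  # ... within 60 seconds looks like a scan

# Constructed sample log. 10.0.5.17 sweeps ten hosts in 18 seconds (a scan);
# 10.0.2.50 is a help desk PC with a few sessions spread over an hour;
# 10.0.5.99 reconnects to one server repeatedly (not a scan); one line is
# HTTPS traffic and one is malformed.
SAMPLE_LOG = "\n".join(
    [f"2011-08-28T02:14:{3 + 2 * i:02d}Z src=10.0.5.17 dst=10.0.9.{i + 1} dport=3389 proto=tcp action=allow"
     for i in range(10)]
    + ["2011-08-28T02:10:00Z src=10.0.2.50 dst=10.0.9.3 dport=3389 proto=tcp action=allow",
       "2011-08-28T02:30:00Z src=10.0.2.50 dst=10.0.9.7 dport=3389 proto=tcp action=allow",
       "2011-08-28T02:45:00Z src=10.0.2.50 dst=10.0.9.9 dport=3389 proto=tcp action=allow"]
    + [f"2011-08-28T02:20:{i:02d}Z src=10.0.5.99 dst=10.0.9.4 dport=3389 proto=tcp action=allow"
       for i in range(0, 50, 5)]
    + ["2011-08-28T02:21:00Z src=10.0.2.50 dst=93.184.216.34 dport=443 proto=tcp action=allow",
       "this line is not a log record"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)"
)


def parse_line(line):
    """Parse one log line into (timestamp, src, dst, dport, proto) or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("src"), m.group("dst"), int(m.group("dport")), m.group("proto")


def rdp_events(lines):
    """Group RDP connection attempts by source: {src: [(timestamp, dst), ...]}."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed records rather than abort the run
        ts, src, dst, dport, proto = parsed
        if proto == "tcp" and dport == RDP_PORT:
            events[src].append((ts, dst))
    return events


def find_rdp_scanners(lines, threshold=FANOUT_THRESHOLD, window=WINDOW):
    """Return {src: peak distinct RDP targets} for sources at or above threshold.

    Distinct targets are counted, so a host hammering one server does not
    trip the rule; only fan-out across many peers does.
    """
    alerts = {}
    for src, evs in rdp_events(lines).items():
        evs.sort()
        peak, lo = 0, 0
        for hi in range(len(evs)):
            while evs[hi][0] - evs[lo][0] > window:
                lo += 1
            peak = max(peak, len({dst for _, dst in evs[lo:hi + 1]}))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peak in find_rdp_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"possible RDP scan from {src}: {peak} distinct targets within {WINDOW}")
```

Counting distinct destinations per window rather than raw connection counts is what separates a worm sweeping a subnet from a legitimate administrator reconnecting to one server; the same structure works for the other indicators mentioned above, such as bursts of DNS queries, by changing the port filter and the grouping key.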
You can read more about Morto here.
Pamela Weaver

Social networking can improve productivity, but only with the right policies in place


For every action, there's an equal and opposite reaction. Newton's third law of motion might not have been written in response to the great man's observations on the use of social media in the workplace, but that doesn't mean it can't be applied there.

Yesterday, slackers and conscientious workers in need of a break alike rejoiced in news from Singapore, where researchers at the National University of Singapore found that employees who are allowed to access social media sites are 39% more productive than those who are not. But before everyone does their bit to break the company bandwidth barrier with an extended spot of virtual farming, it's worth noting that for every report of this nature, there seems to be an equal and opposite one indicating that time wasted online is just that: time wasted. And that's before anyone's factored in the cost or, increasingly, the security implications of too free-and-easy an attitude to social media.

As with so many things in life, the truth rests somewhere near the middle. As Clearswift's WorkLifeWeb 2010 research found, cracking the whip on employee surfing time might give a greater sense of control over a delicate situation to some managers, but it has an unwanted side-effect of eroding employee job satisfaction and sense of trust. Add to this the reality that blocking a tool that most managers now accept as vital to the future success of their business is both short-sighted and likely to stifle innovation, and it's obvious that a more sensible, less black-and-white approach is the way to go.

A unified, flexible approach to policy, drawing on a single, shared set of rules means that businesses can apply the same standards and limits to all their communications channels, whether it's email or Web 2.0 tools and services. Security should be about policy, not policing, creating the confidence to tackle the negative side effects of communications while taking advantage of the benefits these tools bring. With rules that can be tailored right down to employee level, enabling time quotas and usage rules for particular websites and services, businesses can keep the communications channels open without losing sleep over security. By making security policy relevant to all users and educating employees to understand exactly why the rules are in place, businesses can support productivity and security without undermining staff morale.

By Richard Turner

Going on ‘worliday’?


It’s that time of year again, when many of us (well, those of us in the UK, at least) are enjoying the last few weeks of the summer break, perhaps going on a final getaway before the schools go back, or maybe just a long weekend to take advantage of the last summer bank holiday.
But it’s not as simple as that for many people these days.
Jetting off and forgetting all about work is far less common than it used to be and mobile devices make it all too easy to ‘do a quick email check’, whether from the comfort of a poolside sun lounger or a remote ski slope.
The phenomenon of working on holiday has even been given its own name, the ‘worliday’. The term was coined by Financial Times journalist Lucy Kellaway, who described a ‘worliday’ as “a bit like holiday and a bit like work”.
So how is all this talk of worlidays relevant to a security blog? Surely this is a time when security is the last thing on our minds? Well that’s precisely the point...
Regular readers will be aware that a lot of our focus over the past twelve months has been on changing technologies, attitudes and behaviours in today’s global workplace and their implications for IT security.
Our last phase of ‘WorkLifeWeb’ research in 2010 found that 47% of employees believe web collaboration and social media are changing the way that people work, with 48% of office workers and 71% of managers saying tasks overlap at least twice a week.
This blurring of lines between personal and work tasks presents a new challenge to IT security professionals, made worse by the vastly different behaviours and attitudes human beings tend to adopt in their professional and personal lives. Even the most diligent worker sipping sangria by the pool is not in the same frame of mind as when sitting in an office surrounded by colleagues, and may not pay the same care or attention to who or what they are emailing.
Worlidays may sound like a good thing for businesses (after all, there’s no denying that 24/7 contact with employees when something goes wrong can be crucial), but from a security perspective they do present challenges. Ultimately, businesses must realise the need to educate employees, encouraging them to take their role in securing sensitive data and information seriously. By highlighting the potential risks and also the individual responsibilities, people can make an educated decision as to whether or not it’s safe to send that password in an attachment over an unsecured network as they relax in the sun.
By Nick Peart

Data Privacy: The law on its own won’t solve the problem


The UK’s Equality and Human Rights Commission (EHRC) has released a report criticising the British government for the way it collects, stores and uses personal data. According to Protecting Information Privacy, current privacy laws simply aren’t up to the task of preventing frequent breaches of personal information.
I agree – albeit for different reasons than those given by the commission. The commission says that many government agencies don’t realise when they’ve broken data protection laws and are unaware of their obligations. But the UK’s Data Protection Act is very clear on what those obligations are – the failure isn’t really the law itself, it’s the failure to understand that privacy laws in and of themselves won’t stop data breaches. The only thing that can stop that is greater awareness and the simplification of the law.
To be fair, the Commission calls for more simplicity in the law and regulatory framework. But that on its own won’t solve the problem; as with so many things in life, it’s all about the human factor. Organisations that collate personal data need to engage in a culture shift, stop viewing themselves as owners of data and start thinking like custodians – with all the responsibilities that come with that role.
Even without the current regulations, many organisations will find that a lot of the controls and policies that can protect them from a data breach are already in place – they just need to manage them correctly. While debate around the current data privacy legal landscape has been very focused on the financial penalties transgressors face, many organisations are adopting a policing approach to data security, blocking sites or only referring to policy after something has happened. Organisations need to work harder on making policy a living, breathing part of their business. This means making security more visible in the business, educating and updating end users on what’s expected of them and employing technologies like encryption to make sure that, if the proverbial does hit the fan, at least the damage done can be limited in a meaningful way.
By Nick Peart