Thursday, 22 March 2012

Smart Mobile Devices — “Stress Test” for the WIPS of the Future


Traditionally, when we talked about wireless security in the enterprise, we talked about embedded Centrino Wi-Fi, Linksys rogue APs, open source DoS tools, and compliance requirements (PCI, DoD, HIPAA). While these topics continue to be important today, the upcoming proliferation of smart mobile devices is the new frontier for enterprise wireless security to address. The inundation of smart mobile devices will result in new monitoring requirements not hitherto discussed. These requirements will amount to a “stress test” for the WIPS, and only the best of breed will hold up. While the new monitoring requirements will be many and varied, ranging from unauthorized BYOD to heightened rogue AP risk, in this post I wish to discuss some interesting and unique scenarios (numerous soft mobile hotspots, Nintendo chat blocking, wireless geo-fencing) that I have already encountered this year while working with customers.
Soft mobile hotspots in hundreds and thousands:
If the GoogleWiFi in the neighborhood of your office bothered you before as a network/security administrator, because your employees could connect to it to bypass the Internet access policies, then there will soon be hundreds and thousands of GoogleWiFi’s on your premises. These are all the iPhones and Androids carried by your employees, which have mobile hotspot features in them. They can act as Wi-Fi access points and backhaul the traffic directly into the 3G/4G network, bypassing your enterprise firewall controls. To deal with them, your security system will need to have the following capabilities:
  • The WIPS now needs to support mobile hotspot detection on multiple platforms. Earlier it used to be mostly the Windows 7 laptops, which included the first consumer grade virtual AP capability. Now Apple iOS and Androids also provide this capability. And in the future, Windows 7.5 and Blackberry will have it too.
  • The WIPS infrastructure will need to have the capacity to address many simultaneous policy violations. This is simply the effect of numbers: an order of magnitude increase in the triggers that catalyze policy violations means a similar increase in the actual policy violations on a day to day basis.
Zero day scenarios requiring fast, automated response:
As Wi-Fi gets embedded in quite a variety of gadgets, new and unique monitoring requirements will continuously emerge. I recently worked with an account which had such a unique requirement: this was a rehabilitation and correctional facility, which wanted the WIPS to be able to block Nintendo chat. Nintendo devices support a chat application over Wi-Fi, with proprietary modifications and optimizations to the 802.11 protocol to provide instant chatting. This was almost like a “zero day” policy enforcement requirement when I first examined it, because I realized Nintendo chat is not the standard 802.11 ad hoc network. Also, the chat uses just some bursts of packets, so a quick blocking response was necessary (quite different from traditional connection blocking measures like “ping loss”). We put the AirTight SpectraGuard Enterprise WIPS up for this stress test. See the accompanying video to see for yourself how it fared in the test. While this may not be a mainstream or relevant monitoring requirement in many networks, it points to the real possibility of hitherto unknown (“zero day”) monitoring requirements emerging in the future. To be future proof against the zero day scenarios, the security system will need to have strong foundations on the following fronts:
  • Strong behavioral analysis logic, since signatures and thresholds can’t catch up with the evolving monitoring scenarios.
  • Fast response time to threats, to tackle the new and optimized attack and policy violation triggers.
Wireless geo-fencing:
Empowered with Wi-Fi in tablets and smart phones, people connect to networks from anywhere and everywhere. This presents a challenge for location based wireless policy enforcement. Earlier, it was as easy as turning off wireless on the machines which permanently resided in the no-wireless areas. Now smart mobile devices come in and go out. Recently, I worked with a couple of customers intending to implement what they called “Wi-Fi geo fencing” (I like the term!). At the very basic, it means enforcing diverse Wi-Fi policies on the same wireless client depending on where the client is located. For example, in one room the client is allowed to connect to the guest AP, but the room next door can have a strict no-Wi-Fi policy. So as the client moves from the first room to the second room, its Wi-Fi communication needs to be blocked; but when it returns to the first room, it should be able to communicate over Wi-Fi. There are more scenarios like this, depending on the exact application. Faced with this application, I appreciated some unique strengths the security system needs to exhibit to support such scenarios:
  • Strong foundation for auto-location tagging for devices and ability to quickly detect change of location is necessary to determine the governing policy at any instant.
  • Rich options for location based policy enforcement — in terms of device auto-classification and automatic prevention — are required to fine tune the Wi-Fi behavior to be enforced at each location.
  • Finally, thorough predictive RF planning, complemented with some on-site surveys, can help tighten the location zone boundaries.
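
The two-room scenario above can be expressed as a small policy evaluator. This is an added example, not AirTight's or the author's code: the zone names, the `Guest` SSID, the MAC address and the `confirm` parameter are all assumptions made for illustration. It blocks on the first violating observation and delays unblocking, so a client hovering on a zone boundary does not flap.

```python
from dataclasses import dataclass

# Constructed policy table: SSIDs a client may use in each zone.
ZONE_POLICY = {
    "room-a": {"Guest"},  # guest AP permitted
    "room-b": set(),      # strict no-Wi-Fi room
}

@dataclass(frozen=True)
class Observation:
    ts: int      # sensor timestamp (seconds)
    client: str  # client MAC address
    zone: str    # zone tag assigned by the location engine
    ssid: str    # SSID the client is associated with or trying to join

def enforce(observations, confirm=2):
    """Return a list of (ts, client, action, zone) enforcement changes.

    Blocking is immediate on the first violating observation. Unblocking
    waits for `confirm` consecutive compliant observations, so a client
    sitting on a zone boundary does not flap between states.
    """
    blocked = {}  # client -> currently blocked?
    streak = {}   # client -> consecutive compliant observations
    actions = []
    for obs in sorted(observations, key=lambda o: o.ts):
        # Unknown zones get an empty allow-set: fail closed (assumption).
        allowed = obs.ssid in ZONE_POLICY.get(obs.zone, set())
        if not allowed:
            streak[obs.client] = 0
            if not blocked.get(obs.client, False):
                blocked[obs.client] = True
                actions.append((obs.ts, obs.client, "block", obs.zone))
        else:
            streak[obs.client] = streak.get(obs.client, 0) + 1
            if blocked.get(obs.client) and streak[obs.client] >= confirm:
                blocked[obs.client] = False
                actions.append((obs.ts, obs.client, "unblock", obs.zone))
    return actions

# Constructed walk: room A -> room B -> boundary flicker -> back in room A.
MAC = "02:00:00:00:00:01"
WALK = [Observation(t, MAC, z, "Guest") for t, z in
        [(1, "room-a"), (2, "room-b"), (3, "room-a"),
         (4, "room-b"), (5, "room-a"), (6, "room-a")]]

if __name__ == "__main__":
    for action in enforce(WALK):
        print(action)
```

The asymmetry is deliberate: a wrong location tag at the boundary costs a short delay in restoring access rather than a window of unauthorized Wi-Fi use in the restricted room.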
The above scenarios are simply some examples pointing to the fact that wireless monitoring scenarios will continue to evolve and change in the future, particularly driven by the commoditization of Wi-Fi and the proliferation of smart mobile devices. If the WIPS you choose today has solid foundations for detection, prevention and location, you can be future proof against the new requirements that will crop up in your own network settings. With these foundations in place you can be secure today, and also tomorrow!

by Hemant Chaskar

Tuesday, 13 March 2012

Accellion Unveils kitedrive - Dropbox for the Enterprise

Accellion today announced Secure Mobile File Sharing solutions for enterprises, businesses and individuals that include kitedrive™ file synchronization capabilities to enable business users to be securely connected to their files anytime, anywhere. Accellion is filling an important business need by addressing security concerns related to BYOD, and the use of free consumer file sharing applications within enterprise organizations. Included within the Accellion Secure Mobile File Sharing solutions is kitedrive sync, a new file sharing capability from Accellion, that enables business users to synchronize files across devices, including iPad, iPhone, Android and BlackBerry, for secure anytime, anywhere access to information, while at the same time providing IT and Security teams management over mobile access to content.
“There are real security concerns with the use of free mobile file-sharing and synchronization platforms by business users who need anytime access to enterprise data,” said Chris Hazelton, Research Director, Mobile and Wireless at 451 Research. “In place of consumer-based offerings, IT needs to provide alternatives that offer control and management capabilities to protect confidential information. Providing these enterprise-grade services to government and business users, especially those in regulated industries, will ensure much-needed awareness and control of corporate data that moves across the multiple devices that employees use today.”
As a welcome enterprise-class alternative to free consumer-grade file sharing and syncing solutions such as Dropbox, Accellion provides enterprise, business and individual users with ease of use and simplicity in addition to increased security features, including most importantly IT and Security controls and management of users and privileges to address mobile security.
“The influx of personal smartphones and tablets into enterprise organizations is threatening information security as IT and Security teams scramble to address BYOD and Mobile Security,” said Yorgen Edholm, CEO of Accellion. “Balancing employee demand for increased mobile access while ensuring enterprise-class security and control is now possible with Accellion Secure Mobile File Sharing Solutions.”
“Everything we do is based on a collaborative, team-based approach, so we needed a solution that supported this philosophy,” said Noman Ahmed of Halsall Associates. “Now, we don’t have to think twice about how to share documents. Accellion is the go-to source for all external interactions. We are looking forward to implementing Accellion's new sync features especially with mobile devices.”
The Accellion Mobile File Sharing solutions all include Accellion Mobile Apps and the new Accellion kitedrive sync capability that provides secure cloud storage, file sharing and sync for business users. In addition, the Accellion Mobile File Sharing Solution for Business provides secure collaboration features including secure workspaces, commenting, notifications, versioning, and secure uploads and downloads. Accellion Mobile File Sharing for Business can be seamlessly upgraded to the Enterprise solution allowing deployment of more advanced enterprise file sharing features including private, hybrid cloud deployment, LDAP/AD integration, SAML/SSO, DLP integration and Archiving.
• Accellion Mobile File Sharing for Individuals: Single user with 2GB cloud storage free
• Accellion Mobile File Sharing for Business: 5-500 users with 1,000GB cloud storage
• Accellion Mobile File Sharing for Enterprise: 500+ users with unlimited cloud storage (public, private, hybrid cloud) enterprise options include: Archiving, DLP Integration, SFTP, LDAP/AD integration

Monday, 5 March 2012

A New Angle on Content Control


American companies with 1000+ employees each hold more data than the U.S. Library of Congress; approximately 293 billion emails are exchanged globally every day while Facebook users share 30 billion pieces of content every month.
No one said information management and protection was easy. It’s human nature to want to break things down into more manageable pieces, but reducing data control and protection to an inbound threat issue is a classic case of shooting alligators when what you’re really there to do is drain the swamp.
Managing information in today’s business environment has become increasingly complex: Data leakage is a critical issue for CIOs. Companies are hitting the headlines for all the wrong reasons, and human error is one of the biggest culprits. With many organisations focusing on in-bound threats, there’s a genuine risk that vulnerability inside company walls will be overlooked. As Deloitte’s 2011 Global Security Survey has pointed out, “external attacks get most of the headlines, but internal security risks are just as onerous.”
It’s time for a new angle on content control.
Communications tools like email and social media have become an almost reflexive thing for end users – combined with easy access to sensitive information, it’s a heady mix that can spell trouble for those charged with preserving the integrity and security of data. Stopping and blocking might seem like the easiest route to take, but this doesn’t reflect the realities of the way we communicate and do business today. To really protect organisational IP and other high-value information assets, monitoring the data leaving the network is just as important as watching what’s coming in.
There’s no patch for irresponsible or careless behaviour, but you can control the consequences. Technology that recognises the difference between an innocent Tweet and potentially damaging data sharing can be automated to prevent users from engaging in risky behaviours without cramping their style as ambassadors for the company brand online. Similarly, context-aware content controls can help guard against accidental data leakage via email – either through automating the decision to encrypt any data that meets specific organisational requirements or inserting an extra “Are you sure you want to send that?” step into the email process when certain kinds of information are being shared.
As companies increasingly understand that inside risk is as serious a concern as outside threats, context-aware content management plays a key role in ensuring that threat doesn’t impede your capacity to communicate and get on with business. Tackling the obvious risks – i.e. shooting alligators – without addressing the broader issues of information explosion and human error (the swamp) is setting yourself up for failure. Sooner or later, you’re going to run out of bullets. And the swamp will still be there.
by Alyn Hockey

Don’t let BYOD turn into “BYOR” in your network


BYOD (Bring Your Own Device) seems to be the dominant theme for 2012 in the Wi-Fi infrastructure and security space. As people increasingly bring personal smartphone devices onto the enterprise premises, network/security administrators are grappling with the security implications. Given how engaging the new smartphone and tablet apps are, conflict arises between the users’ desires and the network/security administrators’ intentions. You need to ensure that this conflict does not turn BYOD into BYOR (Bring Your Own Rogue AP)!
Peep into history
This is similar to what happened 5 years ago when laptops started to embed Wi-Fi radios, but organizations had deployed only spotty Wi-Fi coverage, often of the experimental type. Employees would often not get adequate Wi-Fi signal in their offices and they would be prompted to bring in Wi-Fi access points of their own and connect them into the enterprise LAN jacks, often with unencrypted wireless links and with default wireless configurations. That is how the rogue AP threat of the unassuming user type came into being. Administrators became concerned that some open AP showing up on the Wardriving maps of their area could in fact be connected to the corporate networks that they manage. This history can repeat itself with BYOD!
Employees can install rogue APs for unrestricted smartphone use
The BYOD user, frustrated with the smartphone usage controls on the managed Wi-Fi access points, may bring in a personal access point and plug it into the enterprise LAN jack to be able to use the smart mobile device in the office without restrictions. Not only will this violate the corporate smartphone use policy, but as a side effect it will expose the corporate network to outsiders through the rogue access point. The urge to connect a rogue access point can be even stronger in no-Wi-Fi environments.
Visitors can install rogue APs for high-speed, free Internet for their smart mobile devices
Another trigger to install rogue APs could come from visitors, contractors, maintenance personnel, etc. on the enterprise premises, who may want to connect their smartphone devices to the Internet and may install their own APs on the enterprise network without administrator knowledge or permission. Of course, the smartphones can work on the 3G/4G network, but the user experience is way too good with Wi-Fi and it is free. Apple even sells a product called AirPort Express, which is an 802.11n Wi-Fi access point no larger than the size of a power plug, designed for plug and play portability and for use with iPhones, iPods and iPads. Anything Apple sells does get used a lot; I don’t think there can be any debate about that.
Retail networks
The highly distributed nature of retail networks makes security monitoring difficult. The local staff at the store locations will invariably carry smartphone devices on them (iPhones, gaming consoles, etc.) and thus will have an incentive to use them despite the corporate policy. Such staff can install rogue APs in stores on retail networks, thereby violating corporate policy and also adversely affecting PCI (Payment Card Industry) compliance, which has explicit requirements for rogue AP prevention.
BYOD security as a whole has many aspects to it, ranging from installing security agents on the IT assigned smartphone devices to deploying access controls in the Wi-Fi infrastructure to prevent personal mobile devices from connecting to the managed Wi-Fi network assets. However, the more difficult you make it to use a smartphone device on the enterprise facility through the managed Wi-Fi network, the bigger the catalyst it is for rogue APs to be installed on the network. Hence, effective rogue AP detection and containment also becomes an important component of comprehensive BYOD security.
by Hemant Chaskar