Tuesday, 7 February 2012

The human factor

News of a data breach at the UK’s Scotland Yard has pushed the issue of data management and control back into the public eye. The Yard admitted accidentally sharing the personal email addresses of more than a thousand crime victims with other victims on its database. It was an easy mistake to make: in the course of sending a survey to 1,136 people, the email addresses were entered in the wrong box, making them visible to all recipients.
In a worst case scenario, the maximum penalty for a data breach in the UK is £500,000.
No one sets out to lose data, but a glance at some of the most recent incidents reveals a common thread: human error. At a time when organisations across sectors are under increasing pressure to adhere to the often competing demands of transparency, cost-effectiveness, privacy and collaboration, data leak incidents are in danger of undermining reputations, brands, revenues and effective business strategies. It’s a high price to pay for an accident, and if government privacy agencies are increasingly less forgiving of mistakes, customers – both existing and potential – are even less tolerant. According to research undertaken by the Ponemon Institute in October 2011, data leaks caused a minimum 12 per cent loss of brand value; in some instances, brand value fell by almost 25 per cent as a direct result of a data leak incident. As I’ve said, it’s a high price to pay for an accident that could easily have been prevented.
Data leak prevention, Web and Email Gateways and strong, flexible policy-based encryption work in tandem with effective education and management policies to reduce the potential for costly human error. Encryption and decryption, for example, can be performed automatically and centrally within flexible policy parameters and without the need for user interaction.
This doesn’t mean limiting end users’ ability to share and communicate. Recognising the content is important, but so too is the ability to apply context to the data before making the decision to encrypt, whether or not the end user selects that option.
It’s all about striking a balance between risk and real-world working requirements – and making sure that human error doesn’t get in the way.
by Alyn Hockey
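The two decisions the post describes, catching the bulk-disclosure mistake before the message leaves and encrypting on content plus context without asking the sender, can be written as a small gateway check. The code below is an added example, not code from the original post or from any vendor’s product; the organisation domain, the bulk threshold, the content patterns and the recipient addresses are all assumptions constructed for the demo.

```python
"""Outbound-mail policy check: content and context before release.

Added example, not code from the original post or from any vendor's product.
It models two decisions from the post: catching the bulk-disclosure mistake
(many addresses visible in To/Cc where Bcc was intended) and deciding to
encrypt when personal data is leaving the organisation, without asking the
sender. Domain, threshold and patterns are assumptions for illustration.
"""
import re
from email.message import EmailMessage

INTERNAL_DOMAIN = "example.org"   # assumed organisation domain
BULK_THRESHOLD = 20               # assumed: more visible recipients than this is a bulk send

# Assumed content detectors: an e-mail address or a UK National Insurance number in the body.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
NI_RE = re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")

# Constructed sample recipients for the demo (25 addresses, above the threshold).
SAMPLE_VICTIMS = [f"victim{i:02d}@mail.example" for i in range(25)]


def _addresses(msg: EmailMessage, *headers: str) -> list[str]:
    """Lower-cased addr-specs from the named headers (EmailMessage parses them for us)."""
    found = []
    for name in headers:
        for hdr in msg.get_all(name, []):
            found.extend(a.addr_spec.lower() for a in hdr.addresses)
    return found


def evaluate_policy(msg: EmailMessage) -> str:
    """Gateway decision for one outbound message.

    hold_bulk_disclosure : too many addresses in To/Cc; every recipient would see the others
    encrypt              : personal data in the body and at least one external recipient
    send                 : nothing to do
    """
    visible = set(_addresses(msg, "To", "Cc"))
    if len(visible) > BULK_THRESHOLD:
        return "hold_bulk_disclosure"

    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part is not None else ""
    personal_data = bool(EMAIL_RE.search(body) or NI_RE.search(body))

    everyone = _addresses(msg, "To", "Cc", "Bcc")
    external = [a for a in everyone if not a.endswith("@" + INTERNAL_DOMAIN)]
    if personal_data and external:
        return "encrypt"
    return "send"


def build_survey(recipients: list[str], hidden: bool = True) -> EmailMessage:
    """Bulk survey: recipients go in Bcc when hidden=True, in Cc when the sender slips.

    smtplib.send_message strips the Bcc header from the transmitted copy, so the
    hidden form never reveals the list to other recipients.
    """
    msg = EmailMessage()
    msg["From"] = f"survey@{INTERNAL_DOMAIN}"
    msg["To"] = f"survey@{INTERNAL_DOMAIN}"
    msg["Bcc" if hidden else "Cc"] = ", ".join(recipients)
    msg["Subject"] = "Victim support survey"
    msg.set_content("Please complete the survey at the link below.")
    return msg


def build_case_note(to_addr: str) -> EmailMessage:
    """A message carrying a (constructed) National Insurance number in its body."""
    msg = EmailMessage()
    msg["From"] = f"caseworker@{INTERNAL_DOMAIN}"
    msg["To"] = to_addr
    msg["Subject"] = "Case file"
    msg.set_content("Claimant reference AB123456C, please keep on file.")
    return msg


if __name__ == "__main__":
    print(evaluate_policy(build_survey(SAMPLE_VICTIMS, hidden=True)))      # send
    print(evaluate_policy(build_survey(SAMPLE_VICTIMS, hidden=False)))     # hold_bulk_disclosure
    print(evaluate_policy(build_case_note("partner@other.example")))       # encrypt
    print(evaluate_policy(build_case_note(f"records@{INTERNAL_DOMAIN}")))  # send
```

The bulk check looks only at the headers every recipient will see, so a correctly built Bcc send passes while the same list in Cc is held; the encryption decision needs both a content hit and an external recipient, which is the content-plus-context rule the post argues for.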


Even at Shmoocon, Security Can’t Be Taken for Granted


Shmoocon labs is a group of vendors and attendees who get together before Shmoocon begins for a learning experience. The task – build a stable and SECURE network infrastructure to meet the needs of the convention. The idea is to teach people how to use the hardware from various vendors and make it all work together as a network that remains secure, stable and functional throughout the conference, no matter what.
This year, AirTight’s® SpectraGuard® wireless intrusion prevention system (WIPS) was handed the responsibility to protect this network from wireless threats. As soon as I deployed the AirTight wireless Sensors in the convention center and fired up the SpectraGuard management console to give a demo at the AirTight booth, I noticed an unusual number of Rogue APs had popped up. More concerning was one Rogue AP that was unencrypted and on the main management network of the conference. Although AirTight’s WIPS had automatically detected and blocked the device immediately, a little detective work was in order. I used SpectraGuard’s location tracking to pinpoint the exact placement of the device.
A quick physical search revealed an Apple Airplay device plugged into the management network. These devices are small and look just like normal Apple power plugs; however, they can also connect to wired networks, create wireless networks, and stream music! The AP was quickly removed from the management network (and placed on the hacker’s playground network). However, the AP was on the management network for over 5 hours of the convention; who knows what would have happened if SpectraGuard was not around to take care of business – switches, firewalls, Wi-Fi, almost anything on the network could have been reconfigured.
I guess it can happen to the best of us, but, once again, it makes the case for layered security – having someone watching your back. As a security professional, your job is never done.
by Rick Farina
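The triage the post walks through (an AP seen over the air, not on the authorised list, bridged to a sensitive wired segment and unencrypted, then narrowed down to a location) can be expressed as a short classifier. This is an added example, not code from the post or from AirTight’s SpectraGuard; the scan records, sensor names, authorised BSSIDs and segment names are constructed, and the “nearest sensor” hint is a deliberately coarse stand-in for the product’s location tracking.

```python
"""Rogue access point triage from a WIPS-style scan.

Added example, not code from the post or from AirTight's SpectraGuard. It
shows the decision the post relies on: an AP seen over the air that is also
plugged into one of our wired segments, not on the authorised list and
unencrypted, is the finding that needs a physical search first. The 'nearest
sensor' hint stands in for the product's location tracking and simply picks
the sensor with the strongest reading. All scan records are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class ObservedAP:
    bssid: str
    ssid: str
    encryption: str                 # "none", "wep", "wpa", "wpa2"
    wired_segment: str | None       # our wired segment the AP is bridged to, or None (assumed switch-side correlation)
    readings: dict = field(default_factory=dict)   # sensor name -> RSSI in dBm


# Assumed conference inventory.
AUTHORISED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
SENSITIVE_SEGMENTS = {"management"}

SEVERITY = {"rogue-critical": 0, "rogue": 1, "external": 2, "authorised": 3}


def classify(ap: ObservedAP) -> str:
    """Authorised, external (neighbour), rogue, or rogue-critical (open AP on a sensitive segment)."""
    if ap.bssid.lower() in AUTHORISED_BSSIDS:
        return "authorised"
    if ap.wired_segment is None:
        return "external"          # neighbouring AP, not on our wire: watch, don't chase
    if ap.wired_segment in SENSITIVE_SEGMENTS and ap.encryption == "none":
        return "rogue-critical"    # open door into the management network
    return "rogue"


def nearest_sensor(ap: ObservedAP) -> str | None:
    """Coarse location hint: the sensor that hears the AP loudest."""
    if not ap.readings:
        return None
    return max(ap.readings, key=ap.readings.get)


def triage(scan: list[ObservedAP]) -> list[tuple[str, str, str | None]]:
    """(classification, bssid, nearest sensor) for every AP, worst first."""
    rows = [(classify(ap), ap.bssid, nearest_sensor(ap)) for ap in scan]
    return sorted(rows, key=lambda r: (SEVERITY[r[0]], r[1]))


# Constructed scan: the conference WLAN, a hotel AP next door, an AirPlay-style
# plug bridged to the management segment with no encryption, and a WPA2 AP on
# the attendee segment.
SAMPLE_SCAN = [
    ObservedAP("00:11:22:33:44:01", "ShmooCon", "wpa2", "attendee", {"hall-A": -40, "hall-B": -62}),
    ObservedAP("aa:bb:cc:00:00:10", "HotelGuest", "none", None, {"hall-B": -78}),
    ObservedAP("aa:bb:cc:00:00:20", "Apple-Express", "none", "management", {"hall-A": -71, "registration": -38}),
    ObservedAP("aa:bb:cc:00:00:30", "mylaptop", "wpa2", "attendee", {"hall-A": -55}),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_SCAN):
        print(*row)
```

The ordering matters more than the labels: the open AP on the management segment comes out first with the sensor nearest to it, which is the one finding worth walking the floor for, while the neighbouring hotel AP is recorded but not chased.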

Thursday, 2 February 2012

There's opportunity in difficulty



Faced with increased penalties and significant reputation damage for serious data or information compliance breaches, it’s hardly surprising to find data protection topping TechTarget's list of enterprise IT priorities in 2012.

Challenging times lie ahead for organisations that don’t adapt to the new risks and opportunities that come with new ways of communicating, but organisations that focus only on network security risk taking their eye off the ball. IT consumerisation, smart device proliferation, web-based services and workplace mobility all call for a data-centric approach to information management and protection.
Information is only as good as your ability to use it effectively; organisations looking to achieve high-quality data protection need to know, manage and understand the value of all the data entering and leaving their networks, as well as how it’s being used and by whom. The organisations that meet this challenge will be the ones that are most able to make effective use of their data while mitigating the risks inherent in information exchange.
To this end, more traditional, network-based data protection approaches should be implemented in tandem with contextual information management systems. This allows organisations to simultaneously control and empower their data without impeding its flow. Stopping and blocking might seem like the easiest route to take, but it simply isn’t up to the task and doesn’t reflect the technological realities of the way we do business today – or in the future.
by Alyn Hockey

Wednesday, 1 February 2012

A tale of two WLAN controllers: do we need to be chasing our tail for WLAN security?


Right when the Wi-Fi access and security management are moving towards the controller-less architecture, another interesting architecture seems to have evolved at the other extreme. This architecture seems to be advocating not one, but two WLAN controllers in tandem – and that too from two different vendors. And, some optional (additional?) security management servers on top of the tandem. You think I am kidding? Then check this announcement from Aruba Networks, which is a leading controller-based WLAN vendor: http://www.arubanetworks.com/solutions/by-application/byod-services-on-your-existing-wi-fi/. The stated business case seems to be to put a band-aid on the Cisco WLAN’s (another leading controller-based WLAN vendor) insufficient security features.
In this case, the tandem is only for BYOD security, but as a matter of fact there are many more security gaps that will still remain to be addressed even after the twin tandem controllers are deployed. Would we need a third WLAN controller in the tandem to fill the remaining security gap, and who might provide that? Or is it just easier to deploy a controller-less comprehensive WIPS solution (and that too with the onsite or cloud option) and secure the Cisco WLAN once and for all? Just a practical thought.

Security Earthquake That Nobody Felt: McAfee Endorses Application Whitelisting


Folks in California are so used to earthquakes that sometimes they barely notice when one happens. Folks in the security business are so busy and swamped with the noise of the market that we often miss tectonic shifts in our own world. Let me help you with that last one:
BREAKING NEWS: “Endpoint Security Earthquake Hits: McAfee Actively Endorses Application Whitelisting. Magnitude & Ramifications Are Significant.”
This week, McAfee, one of the two dominant forces in reactive, blacklist-based endpoint security, actively and unequivocally endorsed Application Whitelisting. Ironically, in coverage of Symantec’s recent problems with pcAnywhere, the industry is actively recommending application whitelisting too.
First, let’s cover the major quake: McAfee’s active endorsement of application whitelisting for corporate desktops and laptops. In a series of videos on the popular video sharing site YouTube, McAfee joins CoreTrace in educating the market about the shortcomings of traditional blacklist-based solutions, the advantages of application whitelisting, and McAfee Application Control’s purported advantages (most of which are unique compared to other whitelisting solutions, but not compared to CoreTrace, e.g., trusted change and memory protection). You can view the initial video here. While you are at YouTube, make sure to check out CoreTrace’s video channel too.
While CoreTrace has successfully competed with our friends from McAfee on application whitelisting projects on fixed function systems (e.g., critical infrastructure, POS terminals, servers), the antivirus giant has never publicly announced that whitelisting can and should be used on corporate desktops and laptops—until now. In the introductory video, McAfee senior product manager Swaroop Sayeram directly states: “Simplistic whitelisting might fit just fixed function systems… Dynamic whitelisting is a great fit for servers… and it is now a good fit for corporate desktops as well. These days, most of the deals we are seeing are to secure servers and corporate desktops.”
Second, let’s cover the story of the related tremors: the industry’s recommendations to utilize application whitelisting to solve problems like those created by Symantec’s pcAnywhere code theft. While Symantec’s own advisory to pcAnywhere users only includes its boilerplate old-school recommendations, experts throughout the industry are recommending whitelisting as one of the main solutions. As an example, as part of his recommendations in a FoxNews.com interview, Anup Ghosh, founder and CEO of Virginian security firm Invincea, told FoxNews.com: “Businesses should deploy application ‘whitelisting.’ This will prevent unauthorized malware from running on computers.”
So, McAfee has dramatically shifted the endpoint anti-malware landscape. Now the question is, with the ground shifting beneath its feet, what will Symantec do? Stay tuned for future coverage of this developing story…
by JT Keating

Monday, 23 January 2012

MegaUpload: What You Need to Know


There is a lesson to be learned here. Online storage sites like MediaFire, Dropbox, YouSendIt and Box immediately jumped to defend legitimate file storage sites, like themselves, in the New York Times article “Antipiracy Case Sends Shivers Through Some Legitimate Storage Sites” by Nicole Perlroth and Quentin Hardy. Yet, as Perlroth and Hardy report, these public, cloud online storage sites “are inherently ideal for anyone looking to illegitimately upload and share copyrighted video and audio files.”
For the most part, the sites mentioned in the New York Times article work by letting their users share files through a link to a publicly exposed file stored in a public, multi-tenant cloud. These sites are often architected in such a way that one copy of a file, for instance a photo, is stored once and shared by multiple users to save storage space for the site.
So what is the lesson to be learned? Data shows that employees at enterprise organizations are using consumer online storage sites at work and are putting their organizations at risk of copyright infringement and exposure of intellectual property. According to a recent study by Palo Alto Networks, MegaUpload usage was found on the networks of 57 percent of the 1,636 enterprise organizations in the study; 76 percent had Dropbox and 57 percent had Box on their network.
An enterprise organization’s business users – employees, partners, and customers – trying to get their jobs done and be productive often turn to consumer online storage sites to share sensitive corporate data. If an organization wants to protect itself against copyright infringement and exposure of intellectual property, it needs to offer its users another way to share files.
Accellion works differently from these sites: it is a secure, managed alternative architected for enterprise organizations, while still offering users an easy, simple way to share files. Using Accellion, enterprise users are granted their own secure online storage in which they access, collaborate on and share files anytime, anywhere. The majority of Accellion customers use a private cloud deployment behind their firewall to ensure maximum protection and control of intellectual property. Accellion encrypts information in transit and at rest and is the safe, secure option for business users.
Whether Accellion customers use a public, private or hybrid cloud deployment, they can manage, report and track files so they know who downloads what file, from what device and when they download it. Accellion also integrates with Data Loss Prevention (DLP) technology. This inherently discourages employees from sharing illegitimate files, watching copyrighted entertainment via the corporate network, or sharing other files that are not in line with corporate policies. Accellion helps protect an organization from inadvertent IP leaks, and helps our customers maintain compliance with HIPAA, PCI, SOX and other global government data regulations.
The recent MegaUpload news is yet another wake-up call for global enterprises to take control over file sharing within their organization, and this means deploying a secure enterprise solution that enables easy file sharing for business users without exposing intellectual property or enabling copyright infringement. In addition, organizations need to continue to monitor updates to government regulations and the impact they have on their organization’s data. This will continue to be something we watch and discuss on this forum. Subscribe to our blog for the most up-to-date information.
By Yorgen Edholm - President and Chief Executive Officer at Accellion
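The study figures above describe what other organizations found on their networks; the first step to taking control of file sharing is finding out the same about your own. The script below is an added example, not code from the post, from Accellion or from the Palo Alto Networks study: it walks web proxy log lines, matches hosts against a list of consumer storage services by domain suffix (so a look-alike domain is not counted), and reports which internal clients used each service and how much they sent. The log format, the lines and the service list are constructed for the demo.

```python
"""Spotting consumer file-sharing traffic in proxy logs.

Added example, not code from the post or from Palo Alto Networks' study; it is
the kind of check an organisation can run on its own web proxy logs to learn
what the study found about others. The log format and the lines are
constructed; the service list is an assumption built from the sites named above.
"""
from __future__ import annotations

from collections import defaultdict

# host suffix -> service name (assumed mapping).
SERVICES = {
    "megaupload.com": "MegaUpload",
    "megavideo.com": "MegaUpload",
    "dropbox.com": "Dropbox",
    "box.com": "Box",
    "box.net": "Box",
    "mediafire.com": "MediaFire",
    "yousendit.com": "YouSendIt",
}

# Constructed log lines: timestamp, client IP, method, host, bytes sent by the client.
SAMPLE_LOG = """\
2012-01-23T09:02:11Z 10.1.4.22 GET www.example.com 412
2012-01-23T09:05:40Z 10.1.4.22 POST www.megaupload.com 52428800
2012-01-23T09:07:03Z 10.1.7.9 POST dl-web.dropbox.com 1048576
2012-01-23T09:09:15Z 10.1.7.9 GET www.megaupload.com 900
2012-01-23T09:12:48Z 10.1.2.130 POST upload.box.com 4194304
2012-01-23T09:13:02Z 10.1.2.130 GET notbox.com 300
this line is garbage and must be skipped
2012-01-23T09:20:00Z 10.1.4.22 POST www.megaupload.com 10485760
"""


def service_for(host: str) -> str | None:
    """Match the host or any parent domain on a label boundary, never a bare substring."""
    parts = host.lower().rstrip(".").split(".")
    for i in range(len(parts) - 1):          # stop before the bare TLD
        candidate = ".".join(parts[i:])
        if candidate in SERVICES:
            return SERVICES[candidate]
    return None


def parse_line(line: str) -> dict | None:
    """One record per well-formed line; malformed lines are skipped rather than crashing the run."""
    fields = line.split()
    if len(fields) != 5:
        return None
    ts, client, method, host, sent = fields
    try:
        return {"ts": ts, "client": client, "method": method, "host": host, "bytes_out": int(sent)}
    except ValueError:
        return None


def summarise(log_text: str) -> dict[str, dict]:
    """service -> {'clients': sorted client IPs, 'uploads': POST count, 'bytes_out': total bytes sent}."""
    stats = defaultdict(lambda: {"clients": set(), "uploads": 0, "bytes_out": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        svc = service_for(rec["host"])
        if svc is None:
            continue
        entry = stats[svc]
        entry["clients"].add(rec["client"])
        entry["bytes_out"] += rec["bytes_out"]
        if rec["method"] == "POST":
            entry["uploads"] += 1
    return {svc: {"clients": sorted(v["clients"]), "uploads": v["uploads"], "bytes_out": v["bytes_out"]}
            for svc, v in stats.items()}


if __name__ == "__main__":
    for svc, info in sorted(summarise(SAMPLE_LOG).items()):
        print(svc, info)
```

Bytes sent by the client is the column worth watching: a few large POSTs to a storage service from one workstation is the intellectual-property exposure the post is concerned with, whereas GET traffic alone may be nothing more than browsing.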

Friday, 20 January 2012

Defeating Defacement: File Integrity Protection via Application Whitelisting


It is a PR disaster. A group of ‘hacktivists’ have somehow managed to attack your company website and changed your content (which is actively being displayed to the entire world). Your phone won’t stop ringing, and your mailbox just melted down. So many questions running through your mind: ‘What just happened?’, ‘Who did this?’, ‘How did they do this?’, and most importantly ‘How can I prevent this from happening again???’. It certainly doesn’t help that this has the highest level of visibility within your organization. It’s going to be a very long day.
Sadly, this scenario is now playing itself out more than ever. This is especially true with a loosely managed group of hacktivists that call themselves ‘Anonymous’. The list of companies affected by Anonymous is large enough to raise national media attention—which is not exactly where your company wants to have its name mentioned.
The Problem:
Despite significant improvements to web server security, major companies continue to be victimized by this type of vandalism. The motivation behind such attacks ranges from citizen protest (“hacktivists”) to good old-fashioned revenge. Regardless of the motivation, you now have a very embarrassing problem on your hands.
Despite the best practice of ‘locking down’ your website data files to prevent changes to them, it does no good if someone is able to gain root-level access to the server; the attacker can simply open up the privileges on the data files with a single command. You need to be able to lock down these files at a lower level than standard operating system controls provide.
A Solution:
What can be done to prevent these defacements? The fundamental problem boils down to the fact that unauthorized changes are being made to the website files. The affected files could be simple HTML, CGI or PHP files, but even a simple change to a .htaccess file can ruin your day. Regardless of how someone gains access to these files (there are many, many techniques that can be used to gain access, such as SQL injection, JavaScript vulnerabilities, etc.), wouldn’t it be nice to know that they would not be able to modify or delete these files in any way? If you can tell your management team that the website is secure from defacement, then everyone would rest a lot easier at night.
As readers of our blog know, CoreTrace Bouncer is an application whitelisting product. The main benefit of this technology is that only programs that are explicitly defined on the whitelist are allowed to execute. Any programs not on the whitelist are considered to be ‘unauthorized’ so Bouncer prevents these unauthorized programs from executing. Bouncer takes the firewall paradigm of ‘default deny’ for network ports and applies it to program execution within the operating system.
Not only does Bouncer enforce the whitelist but Bouncer must also protect the integrity of the whitelisted applications as well. How effective would a whitelisting product be if someone could simply delete an authorized application such as notepad.exe, and replace it with a tainted program that has been renamed to notepad.exe? Bouncer blocks (from the kernel) all modifications to program files that are on the whitelist by default. Bouncer Administrators are able to define vectors of authorized change which enables transparent changes to these files so that upgrades and patches can easily be applied without difficulty.
CoreTrace has extended this kernel-level ‘file integrity protection’ capability to any file you wish to protect. While the HTML files will never execute, you can rest much more easily knowing that any file you add to the list has this low-level extra measure of protection. This can be applied to any file you wish, such as c:\boot.ini or the hosts file.

by Greg Valentine
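The post’s starting point is the question ‘What just happened?’, and the cheapest way to answer it is a hash baseline of the web root taken before the incident. The script below is an added example and is not CoreTrace’s code: Bouncer, as described above, blocks writes in the kernel, whereas this user-space check only detects a change after the fact, which is the complementary layer you can build yourself. It hashes every regular file under a root (dotfiles such as .htaccess included), diffs two baselines into modified, added and deleted paths, and runs a self-contained demo in a temporary directory; every file name and content in the demo is constructed.

```python
"""Detecting unauthorised changes to a web root by hashing a baseline.

Added example, not CoreTrace's code. Bouncer, as described above, blocks writes
in the kernel; this user-space script does the weaker but complementary job of
telling you what changed after the fact, which is the first answer to 'what
just happened?'. The web root and its files are created in a temporary
directory for the demo; the file names and contents are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large assets do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file; dotfiles such as .htaccess included."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_file() and not p.is_symlink():
                out[p.relative_to(root).as_posix()] = sha256_of(p)
    return out


def compare(before: dict[str, str], after: dict[str, str]) -> dict[str, list[str]]:
    """Sorted lists of modified, added and deleted paths between two baselines."""
    return {
        "modified": sorted(p for p in before if p in after and before[p] != after[p]),
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
    }


def demo() -> dict[str, list[str]]:
    """Build a tiny site, record the baseline, alter it, and report the difference."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    (root / "cgi-bin").mkdir()
    (root / "index.html").write_text("<h1>Welcome</h1>\n")
    (root / ".htaccess").write_text("Options -Indexes\n")
    (root / "cgi-bin" / "form.cgi").write_text("#!/bin/sh\necho ok\n")
    known_good = baseline(root)   # in practice, keep this copy off the server: a root-level attacker can edit it too

    # Simulated defacement: page replaced, .htaccess rewritten, a new file dropped, a script deleted.
    (root / "index.html").write_text("<h1>Site under maintenance</h1>\n")
    (root / ".htaccess").write_text("RewriteEngine On\n")
    (root / "uploads.php").write_text("<?php echo 'new file'; ?>\n")
    (root / "cgi-bin" / "form.cgi").unlink()

    return compare(known_good, baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Because the comparison is against a stored baseline rather than file permissions, it still reports the change after an attacker with root has reopened the permissions on the data files, which is exactly the gap the post describes; what it cannot do is stop the write, which is the part the post leaves to the kernel-level whitelist.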