Tuesday, 4 October 2011

Accellion and MobileIron Announce Partnership


Most IT organizations have minimal visibility into what’s on an employee’s phone and how it’s being used, and even less control or insight into information being accessed and shared.
MobileIron and Accellion announced a partnership today to provide our customers with secure mobile device and content management. Together, MobileIron and Accellion help an IT organization to regain control over mobile devices and how employees collaborate and share information from them.
As part of the partnership, Accellion will be one of only seven applications chosen to participate in MobileIron’s AppConnect program. The goal of AppConnect is to secure MobileIron-developed apps as well as third-party apps on the App Store, Android Market and other mobile app services.
The benefit of the Accellion and MobileIron partnership was summed up by Jason Otani, Director, IT Infrastructure, Curtiss-Wright Corporation, a mutual customer:
Using Accellion Secure Collaboration’s native mobile apps, our teams really appreciate being able to securely collaborate on contracts and engineering plans with internal and external business partners. MobileIron’s ability to wipe the device clean remotely any time a device is lost or stolen adds another level of security protection against a possible data breach.
For the most up-to-date news and information about this partnership, follow us on Twitter, Facebook, and LinkedIn.

Security’s a boardroom issue


It’s not that long since responsibility for information security lay firmly at the door of the IT department. Not viewing it as a business critical issue, boardrooms were happy to take a watching brief; after all, they had a company to run.
Recent times and a changing threat landscape have driven a change in attitude, however. From privacy and compliance legislation to high profile data breaches, intellectual property protection and network security, it’s a lot easier to make the business case for IT security. As such, security has climbed up the business agenda for many organisations, moving from a ‘nice to have’ to an essential component of the day-to-day business.
There’s nothing like the threat of financial penalties, criminal proceedings or serious reputational damage to focus the business mind on the need for a high quality, unified security strategy. The current economic climate has, however, put some IT departments under significant pressure to run security programs on ever-tightening budgets. A survey released by PricewaterhouseCoopers this week found that only half of global respondents said they planned to increase their spend on security over the next year; in the UK, that figure’s 35 per cent. This despite the fact that 85 per cent of PwC’s respondents claimed to have experienced a security breach of some kind over the previous six months.
To maximise the return on any investment, it is vital that the programme has senior management buy-in. Information security is no exception and, in order to retain priority status, needs to evolve alongside the changing technologies that have become pivotal in the workplace. But it’s a two-way street: just as security technologies and policies need to evolve, so too do the humans involved. Security should never be a silo-based activity; the key to gaining buy-in across all levels of the organisation is advocacy from the highest level.
Nick Peart


Monday, 19 September 2011

Security without the hype


Anonymous. LulzSec. Stuxnet. A Digital Pearl Harbour. Cyber attacks are bigger than the global drugs trade.
Recent high profile data breaches might well suggest that some corporate networks have all the security of a sieve, but is a lot of the rhetoric and war-room talk that accompanies so much of the discussion of cyber security really necessary?
There’s only so much hype people can take before they switch off or start making assumptions about the true value of the message. And it’s only fair to say that a lot of the fear and negativity that’s associated with digital and network security could be having the opposite effect on end users. In the face of the seeming inevitability of an attack, it seems that many end users are adopting a resigned approach that borders on carelessness or worse: passing the buck and assuming someone else will look after it.
Clearswift’s recent WorkLifeWeb research found that 31% of employees surveyed said they believed information security to be entirely the responsibility of their company. 21% of those employees admitted to not thinking about security at all when using the web or email at work, with 19% saying they’d work around any company blocking policy. Hardly surprising, then, that 50% of managers believe employees are oblivious to security concerns.
It’s that last figure that’s so interesting to me, because it raises some pretty obvious questions: If your employees are oblivious to security concerns, whose fault is that? Similarly, why is it that, with more managers expressing concern about data loss via employees than via external hacking, other Clearswift research has found that 38% of employees had received no training at all on security issues in their current job?
As Andrew Wyatt put it in a recent blog post here, technology on its own is a skimpy fig leaf. Modern information security is about a lot more than just inbound threat detection. It’s about the value and benefits beyond it. Being able to implement flexible policies that work with, rather than against, employees; simplifying solutions and reducing administrative burdens so IT staff can dedicate more time and effort to proactive vigilance; educating your workforce and creating a visible, flexible policy that they are not only aware of but understand the need for...
These are just some of the more positive steps that companies can take towards securing their information assets. Hype might help to sell products. It might even help to push security higher up the business agenda in some firms, but unless we start to see a trickle down to all levels of the business, it’s a waste of breath. Worse still, with 87% of businesses we surveyed saying security fear was the biggest single inhibitor of the adoption of the kinds of technologies that 57% of them described as critical to their future success, it’s worth remembering that some cures are worse than the disease.
By Nick Peart


Thursday, 8 September 2011

The Social Media Stalemate


Earlier this week, I commented on some of the trends revealed by our WorkLifeWeb research. One area I didn’t touch on, however, was the insatiable demand for consumer mobile devices such as iPads and smartphones and how these are impacting on the workplace.
This ‘consumerisation of IT’ – where users bring their own devices to work – poses a number of new challenges to businesses, creating new headaches for IT security staff as they battle to secure boundaries and prevent data loss via unauthorised devices. In fact, 87% of the companies we surveyed said they are so concerned about security and data loss that it’s preventing technology adoption.
Another interesting aspect of this year’s WorkLifeWeb research is its reflection of what appears to be a growing divide between workers and management when it comes to social media use in the workplace. While 48% of managers say social media use is either allowed or encouraged, only 25% of employees agree that this is the case. This development of a social media stalemate between managers and employees is further highlighted by the fact that while 60% of companies state that they allow personal device use at work, only 40% of employees think this is the case.
There is clearly a growing tension between the two groups: one feels the need to manage, restrict and control, while the other believes it should be trusted to use technologies that can empower and enhance communications. This friction currently looks unlikely to abate. Perhaps companies should note that stricter social media policies would detrimentally affect over 40% of the workforce.
On the whole, the 2011 research indicates that companies are clamping down on new communication channels rather than embracing them. This in turn is stifling potential avenues of growth. One saving grace is that while this is happening, the research shows that businesses do recognise the important role that social media has to play. We can only assume that the clampdown is a knee jerk reaction rather than a long term trend.

Comparative Review: Active Directory Auditing Tools


NetVision was recently featured in a Windows IT Pro comparative product review of Active Directory audit solutions. The full article is available in the September issue and on the Windows IT Pro web site under the title Comparative Review: Active Directory Auditing Tools. But we just wanted to call out a few of our favorite quotes:

Trying to find the culprit using Event Viewer is like looking for a needle in a haystack. You need a tool that can lay out the data in a clear and concise manner—you need a good Active Directory (AD) auditing tool.

NetVision should be your first choice if you’re looking for a turnkey solution. No matter whether you want to use the physical appliance, virtual appliance, or managed service, it’s the best for hands-free AD auditing.

Overall, I was impressed with [NetVision's] product. It’s extremely robust…

Each one has its own strengths and weaknesses, but the one that impressed me the most was [NetVision] NVAssess, which is why it earns the Editor’s Choice award.

Well said, Windows IT Pro!

Of course, to get the details, please read the full article. And let us know if you have any questions.

The business case for compliance


Last week Adrian Leppard, City of London Police Commissioner, wrote an article that discussed how an increasing number of criminals were targeting businesses that failed to encrypt customer data to a high enough standard. He commented that the financial loss and reputational damage inflicted on a company from a data breach will always outstrip the investment cost of putting in place the correct security systems and policies. This is a very valid point.
There are many sector specific security standards in the marketplace, with the Payment Card Industry Data Security Standard (PCI DSS) being one of the best known. This mandatory regulation was put in place by prominent industry players such as American Express, Visa and MasterCard Worldwide, to establish a common framework for data security compliance.
By becoming PCI compliant, your business adheres to the PCI DSS requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. In operational terms, it means you are playing your role in ensuring your customers' payment card data is kept safe throughout every transaction, and that they – and you – can have confidence that they're protected against the pain and cost of data breaches.
Unfortunately, too many companies have a rather lax approach to compliance, seeing it as another bureaucratic tick box rather than a business imperative. This seems a rather strange attitude to take when you consider that non-compliance means you are not only jeopardising the security of your customer data but are also gambling with your reputation and brand. All companies that handle customer data should conduct regular data discovery exercises to ensure that unprotected cardholder data is found and correctly secured.
Another consideration is that criminals are always using new methods to obtain data, which is why data standards constantly evolve: PCI DSS is currently in version 2.0. Security vendors should therefore pay close attention to evolving standards to ensure the solutions they offer are relevant and mitigate client risk.
Police Commissioner Leppard made the point that what is needed is not just a change of process, but a change in attitude; only reacting when things go wrong is not the mark of a strong business. In essence, having the foresight to implement a flexible security strategy is one of the first steps you should take if customer retention is important to your business model.
By Richard Turner

New Windows worm highlights prevalence of weak admin passwords


Last weekend, Microsoft’s Malware Protection Center (MMPC) detected a new worm that exploits weak passwords to infect Windows workstations and servers.
Dubbed ‘Morto’, the worm is similar to Slammer or CodeRed from years back, but with a twist: the attack exploits Remote Desktop connections, giving the attackers a command-and-control foothold on the network through the infected machine. Once in, Morto connects to a remote server, updating its components and downloading further instructions. The worm can then terminate the processes of local security applications as well as perform Denial of Service (DoS) attacks against specified targets.
Clearswift Chief Software Engineer Paul Singh says this is the first time we’ve seen an attack of this nature. “This is probably a proof of concept attack that has worked a bit better than the perpetrators expected,” he says. While the attack utilises RDP, the weak point is not remote desktop access over the internet; the initial “in” for Morto is most likely to come via an infected email or visiting an infected site, says Singh. “As such, using VPN as a defence mechanism isn’t relevant. Perimeter security that scans email and web traffic to prevent infections in the first place is important.”
Singh says that Morto highlights just how easy it is to crack the most commonly used passwords. Worse still, the worm exposes “how lazy some administrators are, as Morto is targeting the passwords for admin accounts.”
“Recent attacks on popular sites like Gawker, RockYou and PSN gave hackers access to passwords that can be used to increase the statistical probability of guessing admin passwords correctly,” says Singh. And while some might question the relevance of Gawker users’ choice of passwords to IT admins, the list of user account names and password combos Morto has tried includes some real eye-openers: admin, root, owner, 1234, 123, password and 123123...
According to Singh, the simple solution to attacks of this nature is to adopt a more robust, well-defined and enforced password policy in the workplace. This can include clear guidelines around password complexity and the setting of basic password requirements such as length and the mixing of upper- and lower-case letters and numbers.
Singh adds that the worm was detected through the unusual levels of network traffic it creates on certain ports: RDP scans, downloads, receiving commands and DNS queries for command-and-control servers. “This highlights the need for IT departments to constantly and proactively examine log files for unusual activity,” he says.
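The detection pattern Singh describes, one source reaching many hosts on the RDP port in a short time, can be turned into a simple log check. The script below is an added example, not Clearswift’s or Microsoft’s code; it assumes a generic firewall-style connection log format and uses constructed sample lines.

```python
"""Flag Morto-style RDP scanning in connection logs: one source contacting
many distinct hosts on TCP/3389 within a short window (defensive detection).
Sample lines below are constructed for this example, not real traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lines in an assumed format: "<ISO timestamp> <src> <dst> <dport> <action>"
SAMPLE_LOG = """\
2011-08-28T10:00:01 10.0.0.5 10.0.1.10 3389 ACCEPT
2011-08-28T10:00:02 10.0.0.5 10.0.1.11 3389 ACCEPT
2011-08-28T10:00:03 10.0.0.5 10.0.1.12 3389 DROP
2011-08-28T10:00:04 10.0.0.5 10.0.1.13 3389 ACCEPT
2011-08-28T10:00:05 10.0.0.5 10.0.1.14 3389 DROP
2011-08-28T10:00:06 10.0.0.5 10.0.1.15 3389 ACCEPT
2011-08-28T10:00:07 10.0.0.5 10.0.1.16 3389 ACCEPT
2011-08-28T10:00:08 10.0.0.5 8.8.8.8 53 ACCEPT
2011-08-28T10:00:09 10.0.0.9 10.0.1.10 3389 ACCEPT
2011-08-28T10:05:00 10.0.0.9 10.0.1.11 3389 ACCEPT
""".splitlines()

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+)$")

def parse(lines):
    """Yield (timestamp, src, dst, dport, action); skip malformed lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, action = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(dport), action

def rdp_scanners(lines, window=timedelta(minutes=1), threshold=5):
    """Return {src: max distinct RDP targets within `window`} for sources that
    exceed `threshold`. Accepted and dropped attempts both count: a scan
    shows up in the firewall log either way."""
    hits = defaultdict(list)                      # src -> [(ts, dst), ...]
    for ts, src, dst, dport, _ in parse(lines):
        if dport == 3389:
            hits[src].append((ts, dst))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) > threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged
```

In the constructed sample, 10.0.0.5 touches seven RDP hosts in six seconds and is flagged, while 10.0.0.9’s two connections five minutes apart look like ordinary admin use and are not.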
You can read more about Morto here.
Pamela Weaver