BYOD Risks & Rewards

Whether you’re an end user or an IT administrator, Bring Your Own Device (BYOD) is becoming the rule rather than the exception in today’s workplace. Although BYOD may be a convenience to your employees, you need to think about its impact on corporate security models.

What BYOD means for business

Today’s IT leaders face many security challenges and rapid changes, all while having to do more with less. They must provide end users with the latest, most advanced technologies to remain competitive. And they have to protect company, customer and employee data while thwarting attacks from cybercriminals.

New technology brings more ways to access data, new types of devices and alternatives to the traditional PC platform. Apple CEO Tim Cook appropriately called this the “post-PC era.”

These dynamics have created a shift toward BYOD, a trend in the workplace that’s rapidly becoming the rule rather than the exception.

BYOD encompasses more than personal computers. It means employees using smartphones, tablets, BlackBerrys, ultralight books and more for their work. The concept of BYOD broadens to include software and services, as employees use cloud services and other tools on the web.

The shortcomings of technology which made BYOD unrealistic a few years ago have given way to broad popularity and use of these tools.

These include:

  1. Web: Today’s web is the singular way to access any application—business, financial, customer support, sales or technology.
  2. Wireless: No matter where you are or what device you’re using, you have access to the back office infrastructure through extensive Wi-Fi networks.
  3. Mobile devices: Device form factors have become more sophisticated, cheaper and more portable, with more robust memory and battery life.

Implemented properly, a BYOD program can reduce cost while increasing productivity and revenue. As BYOD goes mainstream in IT departments, security should be front and center for users and IT administrators alike.

What BYOD means for security

It’s risky to assume that prohibiting personal devices solves the problem, because employees end up using their own devices anyway, unmonitored and undeterred by your security policies.

Whatever you think of BYOD and however you choose to implement it, IT managers should treat it the same way as any introduction of new technology: with a controlled and predictable deployment.

Ask yourself:

  1. Who owns the device? That’s a question that has changed over time. In the past, the company owned the devices. With BYOD the devices are owned by the user.
  2. Who manages the device? Previously this was an easy question to answer. Today it could be either the company or the end user.
  3. Who secures the device? Accountability is not something that goes away for a user just because they personally own the device. After all, the data carried on it is company-owned.

Answering these questions is fundamental to both understanding the risks and taking advantage of the rewards of BYOD.

All organizations have the flexibility, based on their corporate culture and regulatory requirements, to embrace BYOD as much as they deem reasonable. For example, there are companies who have decided the risk is too great and choose not to implement a BYOD program.

In May 2012, IBM banned its 400,000 employees from using two popular consumer applications over concerns about data security. The company banned cloud storage service Dropbox, as well as Apple’s personal assistant for the iPhone, Siri. Siri listens to spoken requests and sends the queries to Apple’s servers where they are deciphered into text. Siri can also create text messages and emails on voice command, but some of these messages could contain sensitive, proprietary information.

Ultimately, the success of your BYOD program is measured by your employees’ willingness to use their personal devices within the rules you set for them. Your organization’s security procedures and policies should determine whether and how you adopt BYOD.

You need to have the ability to enforce security policies on a device level and protect your intellectual property if that device is ever lost or stolen.

What is BYOS

The same technologies driving the turn to BYOD also allow users to access non-company software. This effect is known as Bring Your Own Software (BYOS).

End users may be using free public cloud storage providers as a way to collaborate on and transfer large documents. Those documents, however, could contain data that falls into the scope of regulatory guidelines, which could place your data at risk.

You should evaluate how cloud storage providers transport and store your company’s files.

Consider these questions:

  1. How are they encrypting the data?
  2. Are they using a single key for all of their customers?
  3. Who has access to the key to decrypt the data?
  4. Will they surrender the data to authorities if it is subpoenaed?
  5. In which countries are the servers located that are housing the data?
  6. Does your organization have an agreement with customers that their data won’t be stored in certain countries?

How to secure BYODs

The first and best defense in securing BYODs begins with the same requirements you apply to devices that are already on your network. These security measures include:

  1. Enforcing strong passcodes on all devices
  2. Antivirus protection and data loss prevention (DLP)
  3. Full-disk encryption for disk, removable media and cloud storage
  4. Mobile device management (MDM) to wipe sensitive data when devices are lost or stolen
  5. Application control

You should always extend encryption to both data in transit and data at rest. Protecting your devices with strong passwords means you make it incredibly difficult for someone to break in and steal data. But if somehow your device-level password is compromised, encrypting the data stored on the device provides a second level of security a hacker must get through in order to steal your data.

You should encourage users to think of the extra layers of security as helpful tools that give them the ability to use their own devices within the workplace. By password protecting devices, a user acknowledges accountability and responsibility for protecting their data.

In addition to applying passcodes and antivirus prevention to your devices, you should apply a custom level of application control to BYODs. If applications are available to employees on the internal network, they should be able to access them offsite through a VPN or email software.

A successful BYOD program allows your users to be productive outside of their scheduled work hours while also giving them the flexibility to do the things they like to do when they’re not working—like update their status or enjoy playing an interactive game.

Whatever decision you make for your BYOD policy, be sure that it’s enforceable and enables IT to deploy software remotely.

How to set policy and compliance standards

You need to formalize policies specifically around BYOD. For example, will your policy include any and all devices currently available? Or will you limit use of personal devices to specific hardware and software platforms? What about devices that aren’t yet available but could reach consumer markets in the next few years?

The handheld mobile device market is evolving rapidly with new versions and new manufacturers. Keeping that in mind, your BYOD policy should be adaptable. You should maintain written strategic policies based on what you know today and what you think will generally be available tomorrow. And you must apply technology that enforces your written policies to provide management, audit proof modeling, control and security.

Implementing a solution designed to verify that devices can be remotely managed can help you in the ongoing battle to keep security policies relevant and reliable, especially if you’re in an industry with strict compliance and auditing standards.

Additionally, being aware of the service plans your employees have can help you offer the best services while reducing cost. Using a data plan’s hotspot or tethered options can result in an overall better experience for end users. Consider data-only plans for personal Wi-Fi devices in place of maintaining home-office long-distance and ISP service plans.

7 steps to a BYOD security plan

Your company’s security and BYOD can co-exist. And it starts with planning. Here’s how:

1. Identify the risk elements that BYOD introduces
   - Measure how the risk can impact your business
   - Map the risk elements to regulations, where applicable

2. Form a committee to embrace BYOD and understand the risks, including:
   - Business stakeholders
   - IT stakeholders
   - Information security stakeholders

3. Decide how to enforce policies for devices connecting to your network
   - Mobile devices (smartphones)
   - Tablets (e.g., iPad, Surface, Android)
   - Portable computers (laptops, netbooks, ultrabooks)

4. Build a project plan to include these capabilities:
   - Remote device management
   - Application control
   - Policy compliance and audit reports
   - Data and device encryption
   - Augmenting cloud storage security
   - Wiping devices when retired
   - Revoking access to devices when the end-user relationship changes from employee to guest
   - Revoking access to devices when employees are terminated by the company

5. Evaluate solutions
   - Consider the impact on your existing network
   - Consider how to enhance existing technologies prior to the next step

6. Implement solutions
   - Begin with a pilot group from each of the stakeholders’ departments
   - Expand the pilot to departments based on your organizational criteria
   - Open the BYOD program to all employees

7. Periodically reassess solutions
   - Include vendors and trusted advisors
   - Look at roadmaps entering your next assessment period
   - Consider cost-saving group plans if practical

Dexter malware infects point-of-sale systems worldwide

Researchers from Israel-based IT security firm Seculert have uncovered a custom-made piece of malware that infected hundreds of point-of-sale (PoS) systems from businesses in 40 countries in the past few months and stole the data of tens of thousands of payment cards.

The malware was dubbed Dexter after a text string found in some of its components and infected Windows-based PoS systems belonging to big-name retailers, hotels, restaurants and even private parking providers.

It was determined the destination was a server hosted in the Republic of Seychelles, where the malware uploaded the stolen payment card data.

Since this is an ongoing attack it’s hard to determine exactly how many PoS systems have been compromised so far, but it’s probably between 200 and 300, Raff said. The total number of compromised payment cards is equally hard to estimate, but tens of thousands seems to have been compromised just in the past few weeks.

The origin of the attackers is unclear, but strings found in the malware suggest that the developers are fluent English speakers.

The method used to infect these systems has not been determined yet, but given that many of them run Windows Server and are most likely not used for Web browsing, it is believed that the attackers probably compromised other computers on the same networks first and then infected the PoS systems.

When researchers found the Dexter sample, there were some antivirus programs that already detected it as malicious. These companies have since shared it with other vendors from the security industry.

If the targeted companies had encrypted the data directly on the hardware PoS terminals before sending it out to their payment processing providers, a method commonly known as end-to-end encryption, attacks like the ones based on the Dexter malware could have been prevented.
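The Dexter case turns on cleartext card data leaving the PoS, and the data loss prevention (DLP) item listed under “How to secure BYODs” is the control meant to catch exactly that. The following is an added example, not code from the original articles or from Seculert: a small Python DLP check that scans constructed sample log lines for candidate primary account numbers, keeps only digit runs that pass the Luhn check, and reports them masked. The sample lines, terminal ids and token format are constructed; the card numbers are standard published test numbers, not real accounts.

```python
import re

# Constructed sample lines, in the style of a PoS application log or an
# outbound record. Line 2 carries a tokenized reference instead of a PAN and
# line 4 carries a 16-digit order id that is not a valid card number.
SAMPLE_LINES = [
    "2012-12-11 10:14:03 sale terminal=07 pan=4111111111111111 exp=1405 amount=42.10",
    "2012-12-11 10:14:04 sale terminal=07 token=tok_7f3a9c2e amount=42.10",
    "2012-12-11 10:14:05 track2=;5500000000000004=1512101? terminal=07",
    "2012-12-11 10:14:06 order id=1234567890123456 status=shipped",
]

# A PAN is 13 to 19 digits; the look-arounds stop us matching inside longer runs.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual PCI-style masking."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(line: str) -> list:
    """All Luhn-valid 13-19 digit runs in one line, in order of appearance."""
    return [m.group(0) for m in PAN_RE.finditer(line) if luhn_valid(m.group(0))]


def scan(lines) -> list:
    """Return (line_number, masked_pan) for every cleartext PAN found."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, mask_pan(pan)))
    return findings


if __name__ == "__main__":
    for n, masked in scan(SAMPLE_LINES):
        print(f"line {n}: cleartext card number {masked}")
```

Run against a real log stream the same logic flags records that should have been encrypted or tokenized before they were written; the Luhn filter keeps order ids and timestamps from producing noise.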

How to Disable Java in Three Common Browsers

The ongoing security problems with Java mean that many people will want to disable the Java plug-in for their web browsers. Here is how to do it for the most common browsers.

Google Chrome

  1. In the Chrome address bar enter: chrome://plugins
  2. Find the entry for the Java plug-in and click “Disable”

Firefox

  1. Open the Firefox menu
  2. Click “Add-ons”
  3. On the left side of the Add-ons manager that opens, select “Plugins”
  4. Click “Disable” by the entry for Java (Firefox may have already done the disabling automatically)

Internet Explorer

Disabling Java in the various versions of Internet Explorer (IE) is more complicated than it seems at first. You can use the IE Add-ons manager to disable “Java(tm) Plug-in 2 SSV Helper” and “Sun Microsystems - Deployment Toolkit”, but that isn’t sufficient. There are apparently multiple ways that Java can be invoked from IE. It is sufficiently complicated that Microsoft has a special article on how to disable the Java plug-in for Internet Explorer. It isn’t pretty. The article involves Registry editing and its gory details are at this link – http://support.microsoft.com/kb/2751647. You can also check out this Homeland Security bulletin about IE – http://www.kb.cert.org/vuls/id/636312#disable_java_in_IE

What Ransomware is and How to Deal with It

A number of people I know have had their PCs infected with the form of malware that is being called “ransomware”. Here is what ransomware is and what you should do if you get infected by it.

Ransomware is a more vicious form of the widespread category of malware known as “scareware”. In this variant of scareware, crooks take over your PC and threaten to destroy your files if you don’t pay up. The malware then starts erasing your stuff if you don’t provide a hefty bribe to some account that they provide. Another variant claims that you have child pornography on your PC and threatens to report you unless you pay. These extortion scams are why the name “ransomware” is used.

Scareware and ransomware are particular problems because they use trickery and social engineering to get around anti-virus programs. They use false messages to fool people into clicking links on pop-ups. These pop-ups are triggered by rogue JavaScript present on web pages that are visited. Well-known legitimate sites have had these scripts planted on them in advertising. The pop-ups look like a warning from your own anti-virus program and trick you into clicking on a link that gives the malware permission to install. Once installed they are a real problem to get rid of because they disable your anti-virus defenses. An example of a phony warning is shown below.

[Image: example of a phony anti-virus warning pop-up]

Click on this and you really are infected.

Note that browser extensions like NoScript and AdBlock Plus can help prevent these pop-ups.

If you do get infected, one way to deal with the problem is to use an external disk with security software to remove it. This gets around the problem of the malware disabling the local security software and blocking efforts to clean it.

Another way is to use the free Sysinternals tool called AutoRuns. Mark Russinovich, co-founder of Sysinternals and now a senior scientist at Microsoft, has a post about ransomware and describes how to use AutoRuns to find and eradicate an infection. (http://blogs.technet.com/b/markrussinovich/archive/2013/01/07/3543763.aspx)

Some of my colleagues’ preference for dealing with this sort of infection is to reformat the disk and then restore the backup image that you should be making at least weekly. Sadly, the great majority of average PC users that I encounter don’t back up regularly and they have to go through one of the tedious procedures mentioned above. In the meantime, ransomware may continue to wipe out files before you can get a fix on it. One more reason why regular backups are so important.

A Key Step to Being Safer Online That is Frequently Overlooked

So you have a nice long, complicated password and think you’re safe online. Maybe not. Unfortunately, online security requires more than that. A good password is certainly necessary but that is not all that is needed. You also need a secure answer to the challenge question that you are asked to use if you forget your password.

For example, anyone who finds out your email address can go online to your email provider, claim that the password has been forgotten, and ask to reset it. Typically, the service will then ask a security question like, “What is your mother’s maiden name?” The problem is that this is information that is easily found on the Internet. Armed with that information, a hacker can then reset your password and start using your account.

Once a hacker gets access to your email account, he/she can find all sorts of information in your saved messages and your list of contacts. If you use your email address as a log-on name at other accounts, the hacker can repeat the process of claiming the password has been forgotten and asking for a reset.

It is essential to use an answer to security questions that can’t be easily guessed or found online. One solution is to use a security question that has an uncommon answer. However, many services provide only a limited choice of questions. In that case, use a false answer to a common question. Instead of providing your mother’s actual maiden name, make one up. Whatever security questions you choose, don’t use a plausible answer but instead try nonsense combinations like “Mxplxqwb”. Or use highly unlikely answers such as “Elizabeth Taylor” for your favorite color.

Naturally, you then have to make sure you can remember the answer to the security question that you have used.
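As an added example (not part of the original post), here is what the advice above looks like on both sides of a password-reset form, in Python: the user side generates a nonsense answer of the “Mxplxqwb” kind, and the service side refuses answers that merely repeat facts from the account’s own profile, then stores and verifies the answer with a salted slow hash exactly as it would a password. The profile dictionary and the “known facts” check are constructed assumptions for illustration; the hashing uses only the Python standard library.

```python
import hashlib
import hmac
import os
import secrets
import unicodedata

# scrypt cost parameters (constructed for the example; tune to your hardware)
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def random_answer(nbytes: int = 12) -> str:
    """A nonsense answer in the spirit of "Mxplxqwb": random, so it cannot be
    looked up anywhere. The user records it in a password manager."""
    return secrets.token_urlsafe(nbytes)


def normalize(answer: str) -> str:
    """Fold case, whitespace and Unicode form so a typist's variation still verifies."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def answer_is_weak(answer: str, known_facts: dict) -> bool:
    """Reject an answer equal to any value readable from the account's own
    profile (a constructed stand-in for 'easily found on the Internet')."""
    norm = normalize(answer)
    return any(norm == normalize(str(v)) for v in known_facts.values())


def store_answer(answer: str, salt: bytes = None) -> tuple:
    """Hash the answer like a password: random per-record salt plus a slow KDF.
    Returns (salt, digest); the cleartext answer is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(normalize(answer).encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return salt, digest


def verify_answer(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so a wrong guess leaks nothing about the stored hash."""
    test = hashlib.scrypt(normalize(candidate).encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(test, digest)


if __name__ == "__main__":
    # Constructed profile: the kind of facts a reset form must not accept.
    profile = {"surname": "Smith", "city": "Boston", "favorite_color": "blue"}
    for candidate in ("Smith", "Elizabeth Taylor", random_answer()):
        verdict = "rejected" if answer_is_weak(candidate, profile) else "accepted"
        print(f"{candidate!r}: {verdict}")
    salt, digest = store_answer("Mxplxqwb")
    print("verify ' mxplxqwb ':", verify_answer(" mxplxqwb ", salt, digest))
```

The normalization step is what makes a made-up answer usable in practice: the user does not lose the account over capitalization or a stray space, while the hash still protects the answer if the service’s database is exposed.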

Java Update Released

Oracle, a company not known for its speedy release of patches, has released a fix for the security flaw mentioned this past week. While the patch has not had full testing by security experts, we are advising all users to patch their Java software immediately.

Most web apps use either Java or Flash for providing content and both platforms have had security flaws and require constant patching.

US gov’t tells computer users to disable Java

The malware has currently been seen attacking Windows, Linux and Unix systems, and while it has so far not targeted OS X, it may be able to do so, given that OS X is largely similar to Unix and Java is cross-platform.

Luckily, with the latest versions of Java, users who need to keep it active can change a couple of settings to help secure their systems. Go to the Java Control Panel that is installed along with the runtime, and in the Security section uncheck the option to “Enable Java content in the browser,” which will disable the browser plug-in. This will prevent the inadvertent execution of exploits that may be stumbled upon when browsing the Web, and is the recommended setting for most people. If you need to see a Java applet on the Web, you can always temporarily re-enable the plug-in.

The second setting is to increase the security level of the Java runtime, which can also be done in the same Security section of the Java Control Panel. The default security level is Medium, but you can increase this to High or Very High. At the High level, Java will prompt you for approval before running any unsigned Java code, and at the Very High level all Java code will require such approval, regardless of whether or not it is signed.
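The two Control Panel settings above are stored, for each user, in a Java deployment.properties file. As an added example, not from the original post, here is a small Python audit script that parses such a file and flags either setting left at its weak value, so an administrator can check many machines without opening the Control Panel on each. It assumes the key names deployment.webjava.enabled and deployment.security.level (with values LOW, MEDIUM, HIGH and VERY_HIGH) as used by Java 7u10 and later; confirm them against the runtime you actually deploy. The two sample files are constructed.

```python
"""Audit a Java deployment.properties file for the browser plug-in switch and
the security level (added example, not from the original post).

Assumption: 'deployment.webjava.enabled' and 'deployment.security.level'
(LOW, MEDIUM, HIGH, VERY_HIGH) are the per-user deployment.properties keys
behind the Control Panel's "Enable Java content in the browser" checkbox and
security slider in Java 7u10 and later; verify against your runtime."""

# Constructed sample files: weak settings as described in the text, and a hardened copy.
SAMPLE_WEAK = """\
#deployment.properties
#Fri Jan 11 09:00:00 EST 2013
deployment.webjava.enabled=true
deployment.security.level=MEDIUM
"""

SAMPLE_HARDENED = """\
#deployment.properties
deployment.webjava.enabled=false
deployment.security.level=VERY_HIGH
"""

LEVEL_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "VERY_HIGH": 3}


def parse_properties(text: str) -> dict:
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separators."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # the first '=' or ':' on the line separates key from value
        idx = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        if idx < 0:
            continue
        props[line[:idx].strip()] = line[idx + 1:].strip()
    return props


def audit(props: dict, plugin_required: bool = False) -> list:
    """Return a list of findings; an empty list means both settings are hardened.
    Missing keys are treated as the defaults the text describes: plug-in on, level MEDIUM."""
    findings = []
    plugin_on = props.get("deployment.webjava.enabled", "true").lower() == "true"
    level = props.get("deployment.security.level", "MEDIUM").upper()
    if plugin_on and not plugin_required:
        findings.append("browser plug-in enabled: set deployment.webjava.enabled=false")
    if LEVEL_RANK.get(level, -1) < LEVEL_RANK["HIGH"]:
        findings.append(f"security level {level}: raise deployment.security.level to HIGH or VERY_HIGH")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit(parse_properties(text)) or ["ok"])
```

For the business case in the next paragraph, where an in-house application needs the plug-in, call audit with plugin_required=True: the plug-in finding is suppressed but a security level below High is still reported.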

While most businesses have programs that require Java, so it cannot simply be disabled, care should be taken to have users either heighten their security settings or avoid non-work websites for now.