Guidelines for Mobile Security


The National Institute of Standards has released a new draft of recommended guidelines on cell phone & PDA security, helping companies to navigate this overlooked area of data security. Mobile devices pose an increasingly large risk to data security. Lost or stolen laptops are currently one of the main causes of data breaches, so the growing data access capabilities of even smaller mobile devices increase the risk of breaches resulting from lost or stolen devices.

Publication SP 800-124 provides an overview of mobile devices in use today and insights on making IT security decisions regarding their use. Threats increase for handheld devices due to their size & portability and the available wireless services. These two factors increase the risk of loss / theft, unauthorized use, malware, spam, electronic eavesdropping, electronic tracking, cloning and server-resident data.

The guidelines give many examples of these types of threats as well as safeguards that can be put in place. The safeguards suggested include:

  • Central management of devices - have organization-issued devices with a system to centrally configure and manage devices & their updates
  • User-oriented measures - teaching employees about procedures to follow using organization devices (understanding the security features & how to use them)
  • Authentication - require user authentication with PINs and passwords
  • Backup data
  • Reduce data exposure - avoid sensitive information being on, or accessed by, any handheld device. Encrypt any sensitive data.
  • Turn off wireless interfaces - minimize risk by only turning them on when needed
  • Add security software such as firewalls, antivirus, VPN, etc.

There are very detailed suggestions about how to centrally organize devices and their capabilities. Download the study here [PDF]: “Guidelines on Cell Phone and PDA Security (Draft).” In addition, you may wish to review the “Performance Measurement Guide for Information Security” Study [PDF].

Absolute Software also provides security solutions for handheld devices with Computrace Mobile. Check it out here!

Hat tip to Dan Lohrmann

Web Browser Vulnerability Study


A new paper on web browser security has been released by researchers from Google, IBM and CENL (the Computer Engineering and Networks Laboratory). The paper is entitled “Understanding the Web browser threat: Examination of vulnerable online Web browser populations and the ‘insecurity iceberg’” and can be viewed here.

The paper puts some data behind the well-known risks associated with web browsers, and how the browser has become increasingly targeted as an infection vector. Unlike traditional attacks that would need to remotely connect to a vulnerable host (server), browser vulnerabilities are exploited when the user visits a malicious website.

The vulnerabilities in the browser are expansive, affected by each rendering technology (interpreter/built-in like JavaScript or plug-in like Flash). An estimated 637 million people are not using the latest & most secure browsers, and thus are vulnerable to these attacks.

According to the research, the following percentage of users were using the latest browser version:

  • 83.3% Firefox (38 million not on latest)
  • 65.3% Safari (17 million not on latest)
  • 56.1% Opera (5 million not on latest)
  • 47.6% Internet Explorer (577 million not on latest)

I am not surprised by the figures, although I’d be interested to see a breakdown by business vs. consumer users. I think the level of security knowledge is quite low among consumers, particularly those who use the default Internet Explorer browser. Many users may not know to, or know how to, upgrade their browsers. Such upgrades require manual intervention, something that immediately hinders the security of the browser. Given also the threat that “trusted” sites pose to malware, no end to the issue is in sight.

The study is very thorough in its analysis of browser vulnerabilities, and in recommendations to stem the issues. You can read more here.

Via eweek; image: microsoft clipart

Verizon Data Breach Investigations Report


Verizon Business has released a comprehensive study based on 4 years of data entitled the “2008 Data Breach Investigations Report” [PDF]. They have also released a podcast to go along with their study (Part 1 here).

The study draws on 500 forensic investigations and 230 million records, covering hundreds of corporate data breaches. The report is very detailed, revealing a lot of information that could help companies better understand the nature of data breaches.

The study found that:

  • 73% of breaches result from external sources (39% from business partners, a number that is growing steadily)
  • 18% of breaches result from insider threats
  • Most breaches result from a combination of events, not a single hack or intrusion
  • 62% of breaches were attributed to significant internal errors
  • For deliberate breaches, 59% were from hacking and intrusions
  • 90% of known vulnerabilities exploited in hack attempts had patches available for at least six months prior to the breach
  • 90% of breaches involved an “unknown” system, data, network connection or user account
  • 75% of breaches are discovered by a third party, not the victimized organization
  • In 59% of data breaches, security policies and procedures existed but were not implemented
  • 66% of breaches involved data the company did not know was on their system

The study indicates that many data breaches are avoidable, and steps should be taken to prevent them. Dr. Peter Tippett, VP of Research and Intelligence for Verizon Business Security Solutions, says that companies must be “proactive in their approach to security — [it is] the absolute key to safeguarding data.”

Have a policy and implement it. Know what data you have and who has access to it. Monitor event logs. Have an incident response plan. Increase awareness and keep staff well trained - run drills.

Via databreachwatch.org, CNet

Orphaned Accounts an IT Security Risk


A new survey released by Symark and eMediaUSA highlights the security vulnerabilities associated with orphaned accounts. Orphaned accounts are user accounts that remain active after an employee has left a company. The study reveals that 42% of businesses do not know how many orphaned accounts they have, and 30% have no procedure to locate and remove them.

800 security, IT, HR and C-level executives in all industries were surveyed about orphaned accounts and the processes in place to find and remove them. When an employee leaves an organization, IT and security administrators should make it a priority to shut down access immediately. However, many IT staffers are overworked and this step is overlooked. Failure to terminate employee access creates holes in security that hackers or malicious insiders can access.

Other findings from the survey:

  • 27% of respondents say that >20 orphaned accounts exist in the organization
  • 30% say it takes more than 3 days to terminate access, 12% say it takes more than a month
  • More than 38% have no way to know if an orphaned account was used to access information
  • 15% said an orphaned account has been used to access information at least once

The survey indicates, at the very least, that there is a hole in IT security that needs to be patched. In some cases, it is clear that orphaned accounts are still being used, and this is a significant risk to security.

“Controlling access to proprietary systems and information continues to present an IT security challenge… gaps in access and entitlements control — and the significant audit defects resulting from them — are one of the concerns most frequently mentioned in focus interviews,” said Scott Crawford, research director at Enterprise Management Associates.

Larger companies face more complex challenges in managing employee access. Limiting access, and revoking it when an employee leaves the company, is a vital step to ensuring data compliance. Policies and technologies should be put in place that can manage and revoke user access easily.
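One way to locate orphaned accounts and tell whether any were used after the owner left, as an added example that is not part of the original post or the survey. The HR departure list, the account export, the field layout and all dates are constructed for illustration; the check also flags enabled accounts with no owner on record, which goes slightly beyond the definition above.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed sample data: HR departure dates keyed by employee id.
HR_DEPARTURES = {
    "e1001": date(2008, 3, 3),
    "e1002": date(2008, 4, 18),
    "e1003": date(2008, 5, 1),
}

# Constructed account export from a hypothetical directory:
# (username, owner employee id, enabled, last successful login)
ACCOUNTS = [
    ("asmith", "e1001", True, datetime(2008, 4, 2, 23, 14)),
    ("asmith-adm", "e1001", True, None),   # second account, same owner
    ("bjones", "e1002", False, datetime(2008, 4, 17, 16, 40)),
    ("clee", "e1003", True, datetime(2008, 4, 30, 9, 5)),
    ("dkhan", "e1004", True, datetime(2008, 5, 12, 8, 1)),
    ("svc-backup", None, True, datetime(2008, 5, 12, 2, 0)),
]


@dataclass
class Finding:
    username: str
    owner: Optional[str]
    reason: str
    days_since_departure: Optional[int]
    used_after_departure: bool


def find_orphaned_accounts(departures, accounts, as_of):
    """Return enabled accounts whose owner has left, worst cases first."""
    findings = []
    for username, owner, enabled, last_login in accounts:
        if not enabled:
            continue  # access already revoked
        if owner is None:
            # Nobody to offboard against: cannot be reconciled with HR.
            findings.append(Finding(username, None, "no owner on record", None, False))
            continue
        left = departures.get(owner)
        if left is None or left > as_of:
            continue  # owner is still employed on the audit date
        # A login on a later calendar day than the departure counts as use.
        used = last_login is not None and last_login.date() > left
        findings.append(
            Finding(username, owner, "owner has left", (as_of - left).days, used)
        )
    # Accounts used after departure first, then longest-open first.
    findings.sort(
        key=lambda f: (not f.used_after_departure, -(f.days_since_departure or 0))
    )
    return findings


if __name__ == "__main__":
    for f in find_orphaned_accounts(HR_DEPARTURES, ACCOUNTS, date(2008, 5, 15)):
        print(f)
```

Matching on an employee id rather than a username is what catches the second account (`asmith-adm`) that a name-based offboarding checklist would miss.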

If your company were surveyed, how well would you fare with these questions? Are there orphaned accounts you may not even realize you have?

Via tech target, business wire; image anitapatterson @morguefile

5 Data Device Security Tips for International Travel


Last month, a United States court ruled [PDF] that border agents have the right, without cause, to search your data devices as you enter the country. If your device is encrypted, you have to hand over your encryption key.

The US government has the right to download the entire content of your laptop or data device, and to keep it indefinitely. According to security expert Bruce Schneier, these types of searches are happening at the borders of many countries. There has been a major backlash to this from every corner, including from civil liberties groups and from the business community.

Business travelers who carry sensitive information may have to expose this information - aside from breaking confidentiality, it can also result in a data breach incident. Copied and seized data may be subject to breach notification laws, since such data has been exposed and can no longer be accounted for. If you want to take action against this violation of digital privacy, you can learn more here.

5 Data Device Security Tips for International Travel

1. Hide Your Data

Bruce Schneier is advising one solution: hide your important data in a second encrypted partition on your drive. Programs like PGP Disk or Truecrypt will allow you to encrypt a portion of your hard drive with a strong password, and you can hide the icon for added protection. The data would be invisible upon inspection, though smart forensic software could find it. Take note that if asked by security officials if there is an encrypted partition, you are legally required to answer truthfully.

2. Limit Your Data

This is the easiest solution - if you don’t have data, it can’t be found. Delete any un-needed information (old emails, photos, confidential information) with a secure file erasure program. Delete your browser’s cookies, cache and browsing history before heading through security. Also, IT administrators using Computrace can use its Data Delete function to securely erase files. And turn your computer off before heading through. Clean out your other devices in the same way.

3. Use a VPN

Some companies are issuing laptops for travel that are “clean” of any pre-existing data. Once the traveler is at the destination, the data can be downloaded over an encrypted virtual private network. The data can be re-synced before exiting the country, and the laptop wiped clean once again.

4. Ship It

Put sensitive data onto an encrypted drive or card and let FedEx get it to your destination for you.

5. Store It Online

If you don’t have a VPN set up to download information onto a clean laptop, you can set up a similar system on your own. After deleting the information you don’t need, Chris Soghoian of CNet recommends encrypting the data and uploading it to one or two secure places on the web such as Amazon S3. Then clean your laptop with a secure file erase.

Sources: guardian, gizmodo, eff, cnet, info week, us politics, idg
Photos: morguefile by pdell, ppdigital, somadjinn

Security Challenges in Web 2.0


Web 2.0 is changing the way we do business, and the way we do Internet security, with advances in the web that allow for a more "social" sphere of information sharing, collaboration, and ways of doing business. Here is a definition of Web 2.0 from John Battelle and Tim O’Reilly:

"the web had become a platform, with software above the level of a single device, leveraging the power of the "Long Tail", and with data as a driving force…" (Wikipedia)

Web 2.0 encompasses social networking sites like Facebook, blogs such as this one, Skype, Wikipedia, and so much more. No matter how you define Web 2.0, companies are in a transition period of adopting and developing around this new way of doing things.

All of these new tools and technologies of the interactive web have shepherded a new era of security vulnerabilities. Research group Fortify gave a talk at the Web 2.0 Expo in San Francisco recently about the new wave of internet security threats.

"Security was a challenge to begin with, but, if anything, it’s getting harder in the Web 2.0 world." - Jacob West, Manager, Fortify

Fortify foresees that JavaScript will be a growing issue in security as the adoption of Ajax (based on JavaScript) increases and the existing vulnerabilities become more widespread. At the same time as vulnerabilities are spreading, attack techniques are improving at a rapid rate. Some of the makers of JavaScript & Ajax toolkits are proactively closing up security issues, but others (particularly the big ones like Microsoft) are not.

This is just one example of the security issues associated with Web 2.0. Many issues with integrating Web 2.0 technologies internally or into the company website come from poor planning: a "rush to embrace" what is trendy (InformationWeek). Additionally, social networking sites such as Facebook and MySpace can be laced with malware. Cyber criminals are co-opting social networking sites as the delivery vehicles for cyber attacks.

Companies are going to be faced with many Web 2.0 challenges, from planning the integration of new technologies to creating effective security policies outlining the use of such technologies.

"Companies need to adjust their security policies for Web 2.0 world today, they need to tailor their Internet use policies and create rules that include social Web sites, blogs, and all the other types of sites being created out there, the usage policies need to be spelled out specifically and enforced.

Beyond that they need technical safeguards to back those policies, but the outlook for all this is still pretty grim. Most companies are barely providing sufficient protection in the context of Web 1.0." - Paul Henry, Secure Computing (via InfoWorld)

Via CNet

Absolute Software Announces Collaborations with Intel and Qualcomm


Absolute Software has announced some big news during the course of this week. In the first announcement, Absolute Software will be working with Qualcomm’s Gobi to provide increased security to enterprise customers in the mobile environment. In the second announcement, Absolute Software has paired with Intel to provide strong anti-theft technology for Centrino laptops.

Yesterday, Absolute Software announced at the CTIA Wireless Show in Las Vegas that they will be adapting Computrace to work with Qualcomm’s Gobi mobile Internet and GPS platform. This will allow for real-time communication between laptops and the asset management and security services in the Computrace suite. This would mean that IT audits and remote data delete commands can be carried out in real time, no matter where the laptop is. You can visit Absolute Software at Qualcomm’s booth number 1948, Mobile Enterprise Partner Pod, during the CTIA Wireless Show on April 1, 2 & 3.

Announced today, Absolute Software and Intel are to collaborate to provide integrated anti-theft technology for next generation notebook computers. Absolute Software’s Computrace will be integrated into the Intel Anti-Theft Technology suite later this year. Absolute’s core expertise in IT asset management, data protection and computer theft recovery services will enhance a whole suite of new Intel Centrino laptops.


Top 10 security land mines


Matt Hines has posted The top 10 security land mines to InfoWorld. These are mistakes that undermine the security precautions that companies put in place.

  1. “Slip of the finger” mistakes - e.g. using email address autofill, mistakes in encryption
  2. Giving away passwords - phishing and spyware are still prevalent because people are not careful about where they hand out their data.
  3. Third-parties - you have a security policy, but are your partners following your policy? Employees may assume it is ok to send sensitive information to business partners. Unencrypted data can easily end up in the wrong hands.
  4. Web-based applications - webmail, file-sharing services that bypass security filters. Allowing data to be taken home increases these risks.
  5. Not planning for a breach - being prepared will make things easier, not harder. You can lessen the breach impact with good response strategies.
  6. Lack of leadership - if a single leader or small team is not appointed to respond to the breach, the breach response becomes diluted. Large teams can also hinder the process.
  7. Mishandling investigations - in the case of a data breach, the “need to know” approach should be established in order that investigations are not compromised, particularly if it’s an inside job.
  8. Trusting technology - technology is not the end to security preparedness. Look at things from a risk management perspective and do more than compliance requires.
  9. Not planning spending - know what is important to your company, know your risks, and let that define your spending. Security issues have varying levels of threat to you, so your spending should correspond to high risk areas.
  10. Storing information - only save what information you need to do business - delete anything you don’t need. For data retained, protect it.

You can read more details here.


Hannaford Bros. exposes 4.2 million to fraud


Who Breached: Hannaford Brothers
Number Affected: 4.2 million
Information breached: Credit, Debit Card Numbers
How: network intrusion

Hannaford Bros. CEO Ron Hodge has issued a statement this week that 4.2 million of its customers have been exposed to fraud due to a security breach. Fraud has been detected already in 1800 cases.

The Maine-based supermarket chain reported an intrusion into its computer network that put 4.2 million customer credit and debit card accounts at risk. The breach affects all 165 of its stores in the Northeast and 106 Sweetbay stores in Florida, as well as a number of independent grocers who sell Hannaford products. The card numbers were stolen during the card authorization transmission processes dating back as early as December 7th. The breach was only contained on March 10th.

Unlike many data breach reporting incidents, the Hannaford Bros. data breach has already been connected with 1800 cases of reported fraud. The fraudulent credit card activity came to light on February 27th. Despite reported fraud incidents, the notification to affected consumers only began on Monday, after the breach had been contained.

Do you think it was socially responsible for Hannaford to wait until after the breach had been contained to warn consumers of their fraud risk?

Via attrition, wmur, cnet

Global State of Information Security 2007 Report


According to the 5th annual Global State of Information Security report published by PriceWaterhouseCoopers and several IDG magazines, organizations are improving their IT security programs, but there is a continued disconnect between security and the line-of-business teams they support.

7200 organizations across all industries and more than 100 countries were surveyed for the study. Highlights from the study include:

  • 57% say an overall security strategy is in place (up from 37% in 2006)
  • 60% employ either a Chief Information Security Officer or a Chief Security Officer
  • 52% report that the company engages both business and IT in information security issues
  • 57% have a security strategy - of those left, only 13% consider putting a strategy in place a top priority
  • Over 70% of security managers, administrators and technicians believe the security policies and spending can be improved
  • Over 50% do not encrypt information on laptop computers
  • 22% have hired a Chief Privacy Officer

The first three results of the survey indicate a positive growing trend that organizations are embracing a strategic approach to protecting information. Companies are taking business continuity, reputation, and compliance strongly into consideration for security spending, versus the ‘defending the perimeter’ approach seen in years before.

However, the other results show why so many companies are still struggling to turn security investments into measurable business value. Some companies still are not investing in security, or are not taking the creation of security policies as seriously as they need to.

The report indicates that security departments do not communicate well with the business people they interact with. A common lack of understanding of security goals cuts into the ability to get support for stronger data protection and for more funding.

“This idea of misalignment and opportunity for better [communication] between security and business workers is one of the top themes coming out of the data,” Lobel said. “If senior executives don’t understand where funding is coming from, if they don’t know who is in charge, that’s going to hurt your efforts in the long run.”

The report covers much more about information security, including another indication that the perceived threats have shifted from outside influences (hacking) to insider issues. The survey points out that people have not become worse, but the ability to track and monitor activities has brought to light issues that previously went unnoticed.

Download the whitepaper here [PDF]

Via infoworld