Guidelines for Mobile Security

Related entries in Business Security, Security Policy, Technology Advice, Theft Prevention

The National Institute of Standards and Technology (NIST) has released a new draft of recommended guidelines on cell phone and PDA security, helping companies navigate this overlooked area of data security. Mobile devices pose an increasingly large risk to data security. Lost or stolen laptops are already one of the main causes of data breaches, and as even smaller mobile devices gain access to more data, the risk of a breach resulting from a lost or stolen device grows with them.

Publication SP 800-124 provides an overview of the mobile devices in use today and insight into addressing the IT security issues that arise from their use. Handheld devices face heightened threats because of their size and portability and the wireless services available to them. These two factors increase the risk of loss or theft, unauthorized use, malware, spam, electronic eavesdropping, electronic tracking, cloning and threats to server-resident data.

The guidelines give many examples of these types of threats as well as safeguards that can be put in place. The safeguards suggested include:

  • Central management of devices - have organization-issued devices with a system to centrally configure and manage devices & their updates
  • User-oriented measures - teaching employees about procedures to follow using organization devices (understanding the security features & how to use them)
  • Authentication - require user authentication with PINs and passwords
  • Backup data
  • Reduce data exposure - avoid sensitive information being on, or accessed by, any handheld device. Encrypt any sensitive data.
  • Turn off wireless interfaces - minimize risk by only turning them on when needed
  • Add security software such as firewalls, antivirus, VPN, etc.

There are very detailed suggestions about how to centrally organize devices and their capabilities. Download the study here [PDF]: “Guidelines on Cell Phone and PDA Security (Draft).” In addition, you may wish to review the “Performance Measurement Guide for Information Security” Study [PDF].

Absolute Software also provides security solutions for handheld devices with Computrace Mobile. Check it out here!

Hat tip to Dan Lohrmann.

Orphaned Accounts an IT Security Risk

Related entries in Business Security, Security Policy, Surveys & Reports, Theft Prevention

A new survey released by Symark and eMediaUSA highlights the security vulnerabilities associated with orphaned accounts: user accounts that remain active after an employee has left the company. The study reveals that 42% of businesses do not know how many orphaned accounts they have, and 30% have no procedure to locate and remove them.

Some 800 security, IT, HR and C-level executives across all industries were surveyed about orphaned accounts and the processes in place to find and remove them. When an employee leaves an organization, IT and security administrators should make it a priority to shut down that person's access immediately. However, many IT staffers are overworked, and this step is overlooked. Failure to terminate employee access leaves holes in security that hackers or malicious insiders can exploit.

Other findings from the survey:

  • 27% of respondents say that more than 20 orphaned accounts exist in their organization
  • 30% say it takes more than 3 days to terminate access, and 12% say it takes more than a month
  • More than 38% have no way of knowing whether an orphaned account was used to access information
  • 15% said an orphaned account has been used to access information at least once

The survey indicates, at the very least, that there is a hole in IT security that needs to be patched. In some cases it is clear that orphaned accounts are still being used, which is a significant security risk.
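As an added illustration (not code from the survey or the original post), here is the reconciliation an IT team could run to surface accounts like these: it matches a directory export against the HR roster, flags enabled accounts whose owner has left or is unknown, and records whether each account logged in after its owner's exit date, which is the "was it used" question that more than 38% of respondents could not answer. All usernames, dates and the record layout are constructed sample values; the directory and HR feeds are assumed to be exported into the two lists shown.

```python
"""Find orphaned accounts by reconciling a directory export with the HR roster.

Added illustration, not code from the survey or the original post. The
account and roster records are constructed sample data; in practice they
would be exported from the directory service and the HR system.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]  # None: the account has never logged in


@dataclass
class Employee:
    username: str
    termination_date: Optional[date]  # None: still employed


# Constructed sample data (hypothetical people and dates).
TODAY = date(2008, 4, 15)
SAMPLE_ACCOUNTS = [
    Account("alice", True, date(2008, 4, 14)),   # current employee
    Account("bob", True, date(2008, 4, 10)),     # left 1 March, still logging in
    Account("carol", True, date(2008, 1, 20)),   # left 1 February, unused since
    Account("dave", False, date(2008, 3, 19)),   # left and correctly disabled
    Account("erin", True, date(2008, 4, 14)),    # left yesterday, inside the grace window
    Account("svc_backup", True, None),           # no owner on the HR roster
]
SAMPLE_ROSTER = [
    Employee("alice", None),
    Employee("bob", date(2008, 3, 1)),
    Employee("carol", date(2008, 2, 1)),
    Employee("dave", date(2008, 3, 20)),
    Employee("erin", date(2008, 4, 14)),
]


def find_orphaned_accounts(accounts, roster, today, grace_days=0):
    """Return one finding per enabled account whose owner has left or is unknown.

    grace_days gives the deprovisioning queue time to finish before an exit is
    reported. used_after_exit answers the survey's question: did anyone log in
    with the account after its owner's termination date?
    """
    roster_by_user = {e.username: e for e in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already deprovisioned; nothing to report
        emp = roster_by_user.get(acct.username)
        if emp is None:
            # Accounts with no HR owner (service or forgotten accounts) cannot
            # be tied to an exit date, so any login at all is worth a review.
            findings.append({
                "username": acct.username,
                "reason": "no matching employee record",
                "days_since_exit": None,
                "used_after_exit": acct.last_login is not None,
            })
            continue
        if emp.termination_date is None:
            continue  # still employed
        days_since_exit = (today - emp.termination_date).days
        if days_since_exit < grace_days:
            continue
        findings.append({
            "username": acct.username,
            "reason": "owner terminated",
            "days_since_exit": days_since_exit,
            "used_after_exit": acct.last_login is not None
            and acct.last_login > emp.termination_date,
        })
    return sorted(findings, key=lambda f: f["username"])


def summarize(findings):
    """Roll the findings up into the kind of figures the survey asked about."""
    return {
        "orphaned": len(findings),
        "used_after_exit": sum(1 for f in findings if f["used_after_exit"]),
        "open_over_30_days": sum(
            1 for f in findings
            if f["days_since_exit"] is not None and f["days_since_exit"] > 30),
    }


if __name__ == "__main__":
    results = find_orphaned_accounts(SAMPLE_ACCOUNTS, SAMPLE_ROSTER, TODAY, grace_days=3)
    for finding in results:
        print(finding)
    print(summarize(results))
```

Run against the sample data with a three-day grace window, the script reports bob (used after exit), carol (open for over two months but unused) and svc_backup (no owner to tie an exit date to), while alice, the already-disabled dave and the still-in-grace erin are left alone. A real run would feed the `used_after_exit` findings to an incident review rather than just printing them.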

“Controlling access to proprietary systems and information continues to present an IT security challenge… gaps in access and entitlements control — and the significant audit defects resulting from them — are one of the concerns most frequently mentioned in focus interviews,” said Scott Crawford, research director at Enterprise Management Associates.

Larger companies face more complex challenges in managing employee access. Limiting access, and revoking it when an employee leaves the company, is a vital step to ensuring data compliance. Policies and technologies should be put in place that can manage and revoke user access easily.

If your company were surveyed, how well would you fare with these questions? Are there orphaned accounts you may not even realize you have?

Via TechTarget, Business Wire; image: anitapatterson @morguefile.

Trusting Contractors with Laptops

Related entries in Absolute Software, CompuTrace, Laptop Security, Laptop Tracking, Security Policy, Theft Prevention

CSO Online’s Michael Overly has a good article about businesses trusting their sensitive information to consultants, and what best practices to follow. The first guideline: do not let your consultant store any of the information on a laptop.

There are practical considerations that make it difficult to ban the use of laptops in all situations. Consultants may need to move from site to site easily, with constant access to the data. One solution is to provide laptops to the consultant yourself - that way you can be satisfied with the security systems in place. When that is cost prohibitive, here are some suggestions offered for a laptop security policy to enforce with contractors:

  • WiFi access should be limited to approved secured means, and used only when necessary
  • Hard disk must be encrypted
  • All ports on laptops to be disabled
  • Strong authentication required (e.g. biometric)
  • Security software installed and kept up-to-date
  • Secure and irreversible erasure of data to be enforced at end of data-use period
  • Tracking software with remote data delete should be used (like Absolute Software’s Computrace products)
  • Breach notification protocols should be in place in the event that the laptop goes missing

You can read more suggestions here.


Security Challenges in Web 2.0

Related entries in Business Security, Security Policy, Theft Prevention

Web 2.0 is changing the way we do business, and the way we do Internet security, through advances in the web that allow for a more "social" sphere of information sharing, collaboration and ways of doing business. Here is a definition of Web 2.0 from John Battelle and Tim O’Reilly:

"the web had become a platform, with software above the level of a single device, leveraging the power of the "Long Tail", and with data as a driving force…" (Wikipedia)

Web 2.0 encompasses social networking sites like Facebook, blogs such as this one, Skype, Wikipedia, and so much more. No matter how you define Web 2.0, companies are in a transition period of adopting and developing around this new way of doing things.

All of these new tools and technologies of the interactive web have ushered in a new era of security vulnerabilities. Research group Fortify gave a talk at the Web 2.0 Expo in San Francisco recently about the new wave of Internet security threats.

"Security was a challenge to begin with, but, if anything, it’s getting harder in the Web 2.0 world." - Jacob West, Manager, Fortify

Fortify foresees that JavaScript will be a growing security issue as adoption of Ajax (which is built on JavaScript) increases and existing vulnerabilities become more widespread. While vulnerabilities spread, attack techniques are improving at a rapid rate. Some makers of JavaScript and Ajax toolkits are proactively closing security issues, but others (particularly the big ones, like Microsoft) are not.

This is just one example of the security issues associated with Web 2.0. Many of the issues with integrating Web 2.0 technologies internally or into the company website come from poor planning: a "rush to embrace" whatever is trendy, as InformationWeek puts it. Additionally, social networking sites such as Facebook and MySpace can be laced with malware, as cyber criminals co-opt them as delivery vehicles for cyber attacks.

Companies are going to be faced with many Web 2.0 challenges, from planning the integration of new technologies to creating effective security policies outlining the use of such technologies.

"Companies need to adjust their security policies for Web 2.0 world today, they need to tailor their Internet use policies and create rules that include social Web sites, blogs, and all the other types of sites being created out there, the usage policies need to be spelled out specifically and enforced.

Beyond that they need technical safeguards to back those policies, but the outlook for all this is still pretty grim. Most companies are barely providing sufficient protection in the context of Web 1.0." - Paul Henry, Secure Computing (via InfoWorld)

Via CNET.

Employees Purposely Bypass Security Protocols

Related entries in Security Policy, Surveys & Reports, Theft Prevention

Well, this is a troubling piece of news. IT Governance in the UK has released a survey this month, Data Breaches: Trends, Costs and Best Practices, which shows that two-thirds of employees bypass data security in order to do their work.

The Best Practice Report looks at the global trends in corporate data breaches concerning personally identifiable information. It also considers best practices in avoiding business, regulatory and brand damage as the result of a data breach.

The survey found that 68% of employees admit to bypassing information security controls in order to do their jobs. This troubling statistic perhaps points to a failure to understand how to implement security controls, that is, how to balance confidentiality with availability of information. The survey indicates that security controls are being undermined and that employees are putting organizations at risk. This startling information should serve as a wake-up call to the importance of planning in information security.

The survey indicated that 82% of organizations had policies for protecting personal data, but with such a high incidence of employees deliberately circumventing the policies and procedures put in place, it would appear that the security precautions taken were unduly obstructive in design or implementation.

Other interesting findings:

  • 55% of employees handling personal data have been trained in their legal responsibilities in respect of the information
  • 89% of organizations cover access to personal data in security regimes
  • 56% of organizations have policies to detect or report data losses
  • 39% of organizations have policies to correct data loss incidents

You can see from the decline in the figures above that companies are less prepared in the later stages of their security regimes: if a data breach were to occur, many would have no policy to govern the fallout, and some would have none to detect the breach in the first place. Both the earlier information and these statistics show a dire need for security training at all levels of the company, so that everyone understands the importance of, and the legal requirements for, safeguarding personal information, and does so in a way that is manageable for employees.

Via Cambridge Network.

New Post-Theft Forensic Auditing Services from Absolute Software

Related entries in Absolute Software, Case Studies, Laptop Security, Technology Advice, Theft Prevention

Absolute Software has announced a new service to add to its comprehensive Computrace data security suite. Post-theft forensic auditing services will now be offered through the online Customer Center IT asset management portal. Organizations will be able to determine whether sensitive information on lost or stolen computers has been accessed, and whether an encrypted volume or password has been compromised.

John Livingston, CEO of Absolute Software, notes:

“The ability to track computers off the network, physically recover missing computers and remotely delete sensitive information with the assurance that the data has not been accessed by criminals is essential for true compliance with data protection regulations.”

The ability to determine if information has been accessed provides visibility and accountability in the event of a data breach. Organizations will be able to prove that they have removed sensitive information from lost computers (via the remote data delete) and will also be able to prove that the lost information is safe.

This new service helps companies confirm compliance with data privacy regulations, and can also aid in the breach fallout with stakeholders. By demonstrating that data is safe, an element sorely missing from most breach notification announcements, companies can retain the trust and security of their valued stakeholders.


Absolute Software Announces Collaborations with Intel and Qualcomm

Related entries in Absolute Software, Business Security, CompuTrace, Laptop Security, Laptop Tracking, Theft Prevention

Absolute Software has announced some big news during the course of this week. In the first announcement, Absolute Software will be working with Qualcomm’s Gobi to provide increased security to enterprise customers in the mobile environment. In the second announcement, Absolute Software has paired with Intel to provide strong anti-theft technology for Centrino laptops.

Yesterday, Absolute Software announced at the CTIA Wireless Show in Las Vegas that they will be adapting Computrace to work with Qualcomm’s Gobi mobile Internet and GPS platform. This will allow for real-time communication between laptops and the asset management and security services in the Computrace suite. This means that IT audits and remote data delete commands can be carried out in real time, no matter where the laptop is. You can visit Absolute Software at Qualcomm’s booth, number 1948, Mobile Enterprise Partner Pod, during the CTIA Wireless Show on April 1, 2 and 3.

Announced today, Absolute Software and Intel are to collaborate to provide integrated anti-theft technology for next generation notebook computers. Absolute Software’s Computrace will be integrated into the Intel Anti-Theft Technology suite later this year. Absolute’s core expertise in IT asset management, data protection and computer theft recovery services will enhance a whole suite of new Intel Centrino laptops.

You can read more about these releases here:


Top 10 security land mines

Related entries in Business Security, Security Policy, Theft Prevention

Matt Hines has posted The top 10 security land mines to InfoWorld. These are mistakes that undermine the security precautions that companies put in place.

  1. “Slip of the finger” mistakes - e.g. using email address autofill, mistakes in encryption
  2. Giving away passwords - phishing and spyware are still prevalent because people are not careful about where they hand out their data.
  3. Third-parties - you have a security policy, but are your partners following your policy? Employees may assume it is ok to send sensitive information to business partners. Unencrypted data can easily end up in the wrong hands.
  4. Web-based applications - webmail and file-sharing services that bypass security filters. Allowing data to be taken home increases these risks.
  5. Not planning for a breach - being prepared will make things easier, not harder. You can lessen the breach impact with good response strategies.
  6. Lack of leadership - if a single leader or small team is not appointed to respond to the breach, the breach response becomes diluted. Large teams can also hinder the process.
  7. Mishandling investigations - in the case of a data breach, the “need to know” approach should be established in order that investigations are not compromised, particularly if it’s an inside job.
  8. Trusting technology - technology alone is not the whole of security preparedness. Look at things from a risk management perspective and do more than compliance requires.
  9. Not planning spending - know what is important to your company, know your risks, and let that define your spending. Security issues have varying levels of threat to you, so your spending should correspond to high risk areas.
  10. Storing information - only save what information you need to do business - delete anything you don’t need. For data retained, protect it.

You can read more details here.

Along similar lines, refer to these past posts:


100 Guides to protect your information

Related entries in Identity Theft, Theft Prevention

VirtualHosting has put together a very well-researched and extensive list of resources to keep your personal information safe. The resources explain how you can prevent credit fraud, identity theft, and the myriad other ways your personal information can be used against you.

In addition to listing articles, the post also lists a number of blogs that specialize in providing information about identity theft and data security. A number of applications are recommended to keep hackers and phishers at bay, a list of public and private organizations related to ID theft is available, and several books are recommended.

The resources cover areas such as:

  • the importance of shredding documents
  • what you should know about bank errors
  • protecting your information online
  • how to use a credit freeze
  • how to opt out of offers
  • what identity theft is, and how it works
  • protecting your information when online shopping

Visit the site to read more.


5 Basic Mistakes of Security Policies

Related entries in Security Policy, Theft Prevention

Computerworld’s Anton Chuvakin lists “Five basic mistakes of security policy: The essentials can trip you up”. A security policy, whose purpose is to protect, define and minimize risk, is vitally important to organizations of all sizes. The creation and dissemination of such a policy is mandated by many corporate regulations, but mistakes made in the process can have costly repercussions.

The 5 basic mistakes:

  1. Not having a policy (at all, or only an implied one) - After a policy is created, document any deficiencies in current IT systems, analyze the risks, assess the costs and bring the systems into compliance with the new policy.
  2. Not updating the security policy - IT security threats are always evolving, so your policy should too. Update as your company network and business processes evolve.
  3. Not tracking compliance with the security policy - If you don’t enforce your policy at all levels, it’s just a piece of paper. Make sure everyone knows about it, that awareness training is conducted regularly, and that activity monitoring is ongoing.
  4. Having a “tech only” policy - As we’ve also noted before, people are as much of the problem as technology. The policy should cover people, process, and technology. Looking at log data of system and user activity is a good way to monitor compliance.
  5. Having a policy that is large and unwieldy - Employees at all levels of the organization must understand it - a document too strict or too legally written will result in non-compliance.

What other mistakes do you think companies make with their security policies?
