Wednesday, June 26, 2013

6 Steps to Secure Mobile Devices

NIST Guidelines for Managing the Security of Mobile Devices in the Enterprise

When NIST issued its initial guidance on managing mobile device security in 2008, the Apple iPhone was just a year old and the introduction of the iPad was 15 months off. Even the guidance name, Special Publication 800-124: Guidelines on Cell Phone and PDA Security, sounds ancient to today's ears.

The National Institute of Standards and Technology on June 24 published its first revision of the SP 800-124, renaming it Guidelines for Managing the Security of Mobile Devices in the Enterprise.

NIST says the revised guidance provides recommendations for selecting, implementing and using centralized management technologies, explains the security concerns inherent in mobile device use and provides recommendations for securing mobile devices throughout their life cycles.

The guidance covers enterprise-issued devices as well as the bring-your-own device trend.

Step-by-Step Approach

The revised publication offers six major steps enterprises need to take to manage mobile devices in a secure environment. According to the guidance, organizations should:

  1. Have a mobile device security policy that defines which types of the organization's resources may be accessed via mobile devices, which types of mobile devices - for example, organization-issued devices vs. BYOD - are permitted to access the organization's resources, the degree of access that various classes of mobile devices may have and how provisioning should be handled.
  2. Develop system threat models for mobile devices and the resources that are accessed through the devices. These devices often need additional protection because of their higher exposure to threats than other client devices, such as desktops and laptops.
  3. Consider the merits of each available security service, determine which services are needed for the organization's environment and then design and acquire one or more solutions that collectively provide the necessary services. Categories of services to be considered include general policy, data communication and storage, user and device authentication, and applications.
  4. Implement and test a mobile device solution before putting it into production. Aspects of the solution that should be evaluated for each type of mobile device include connectivity, protection, authentication, application functionality, solution management, logging and performance.
  5. Fully secure each organization-issued mobile device before allowing a user to access it. This ensures a basic level of trust in the device before it is exposed to threats.
  6. Regularly maintain mobile device security, including checking for upgrades and patches and acquiring, testing and deploying them; ensuring that each mobile device infrastructure component has its clock synced to a common time source; reconfiguring access control features as needed; and detecting and documenting anomalies within the mobile device infrastructure, including unauthorized configuration changes to mobile devices.

The revised guidance also recommends that organizations periodically perform assessments to confirm that their mobile device policies, processes and procedures are being properly followed. Assessment activities may be passive, such as reviewing logs, or active, such as performing vulnerability scans and penetration testing.

Tuesday, June 25, 2013

Steve Jobs Movie Trailer Released

Jobs Official Trailer

Earlier this month we heard that the Ashton Kutcher Steve Jobs movie, which is called Jobs, would launch in the US on the 16th of August, and now the first trailer for the movie has been released.


The Jobs movie was originally scheduled to launch back in April, but after a few delays it will launch in August, have a look at the trailer below.

Monday, June 24, 2013

NIST Publishes Draft Cloud Computing Security Document for Comment

NIST Cloud Computing Security Reference Architecture provides a security overlay to the NIST Cloud Computing Reference Architecture published in 2011

The National Institute of Standards and Technology (NIST) has published a draft document on security for cloud computing as used in the federal government. The public comment period runs through July 12, 2013.

The 2011 NIST Cloud Computing Reference Architecture provided a template and vocabulary for federal cloud adopters to follow for a consistent implementation of cloud-based applications across the government.

This new addition, the NIST Cloud Computing Security Reference Architecture, contributes a comprehensive security model that supplements the NIST Cloud Computing Reference Architecture.

Using this model and an associated set of security components derived from the capabilities identified by the Cloud Security Alliance in its Trusted Cloud Initiative Reference Architecture, the NIST Cloud Computing Security Reference Architecture introduces a cloud-adapted Risk Management Framework for applications and/or services migrated to the cloud.

The NIST Cloud Computing Security Reference Architecture provides a case study that walks readers through steps an agency follows using the cloud-adapted Risk Management Framework while deploying a typical application to the cloud—migrating existing email, calendar and document-sharing systems as a unified, cloud-based messaging system.

Deadline for comments is July 12, 2013. Please use the template for comments and mail to Michaela Iorga at Michaela.iorga@nist.gov with the subject line "Comments SP 500-299."

Friday, June 21, 2013

5 Easy Ways To Secure Android Devices

Here are some basic steps anyone can take -- including enterprise workers -- to improve security on their personal Android BYOD devices

Android isn't exactly the preferred mobile OS in most enterprises, thanks to security concerns. Even as Google's open source platform dominates the mobile consumer market, it lags far behind Apple's iOS in the enterprise, based on activation numbers from mobile device management vendors such as Good Technology and Citrix.

But Android is a presence in the enterprise. Citrix reports that 35% of the devices it activated in Q4 through its cloud-based mobile management platform were running on Android. Even Good Technology's lowball activation figure of 23% in Q4 means nearly one in four new enterprise mobile devices on its MDM platform are Androids.  

As any IT pro can tell you, it's the unmanaged devices you have to watch out for. The personal smartphones employees use to access work data often fly under the radar screen -- that's what sparked the BYOD revolution. Most enterprises no longer fight BYOD, but try to manage it to one degree or another. And even if an enterprise approves the use of Android devices, not all are using MDM vendors or security platforms such as Samsung's SAFE and KNOX. 

1. Always lock your Android device: A no-brainer, but too often ignored because someone doesn't want to go through the hassle of typing in a four-digit PIN to unlock their phone. If that device is lost or stolen, it's an open book -- a book that contains personal or work information. In addition to using a PIN, you can secure any device running Android 4.0 or newer by using Face Unlock.

This security feature hasn't exactly been air-tight -- it could be fooled with a photograph -- but reportedly Google is rolling out an improved version. Still another way to lock an Android device is a pattern lock, in which you access the device by drawing a specific pattern on the touchscreen. Again, this isn't optimal: Patterns can be detected on the touchscreen by holding it at the right angle, though there's a "secure wipe" feature that limits the number of access attempts.

Bottom line: When it comes to securing your hardware, something is better than nothing.

2. Install antivirus software: People are so used to everything being on their mobile devices these days that some assume they're automatically protected from viruses and malware. Such naivete would be touching if it weren't so dangerous to your enterprise.

Sadly, while Google reportedly now does a better job policing its Play app store, the sheer number of apps (more than 700,000) means some nasty malware is going to sneak in and await download by a trusting mobile device owner, who may work for your enterprise.

Further, there are many sketchy websites out there, loaded up with viruses ready to infect an unsuspecting visitor.

3. Always use encryption: Encrypting data makes it impossible for someone else to read what's on your Android device. An Android owner can do this by merely going to Settings, Location & Security, Data Encryption. There's also an option that allows users to encrypt files saved to the phone's memory card.

4. Never download apps from unsolicited emails and texts: Mobile devices are more "personal" and less formal than computers to many users, so some let their guard down and will out of curiosity follow links from mystery emails and texts ("it must be from one of my many social media friends!"). 

This is an extremely unsafe and unnecessary practice. Not only should apps not be downloaded from third-party sites, they shouldn't be downloaded until the user reads a review of the app. Two minutes of research can save a lot of problems down the road.

5. Always check app permissions: What makes Android versatile -- developers and manufacturers can roll their own versions -- also makes it dangerous. That's because app developers are free to define their own permissions, so Android apps can come with wildly different rules for what the app can do on a device.

That may include sharing and sending data from an Android. This is the last prevention step a user can take to control what an app can do to their phone and data. It's worth spending the extra time.


Wednesday, June 19, 2013

SCAM Alert: Puppy Scams & Business Executive Scams

NEVER send money or give credit card or online account details to anyone you do not know and trust.

Almost everyone will be approached by a scammer at some stage. Some scams are very easy to spot while other scams may appear to be genuine offers or bargains. Scams can even take place without you doing anything at all.

Two scams have been identified as prominent and in need of awareness:

(1) The “Puppy Scam”, which is aimed at dog lovers, has been around for many years and appears to be rising again.

(2) The “Business Executive Scam” looks to victimize businesses in both Canada and the United States of America.

The Puppy Scam, method of solicitation: Purebred dogs are offered at lower than normal prices. Straightforward ads are placed on free online sales sites such as Gumtree, Craigslist and community web pages. The use of standard newspaper ads has also been identified.

A twist on the scam has the seller leaving the country to do a ‘Christian Mission’ abroad. They must sell their dog because of their commitment to this mission, where they will be helping people less fortunate. Although mobile phones have been used, the communication is done mainly through an email address.

Victim remittances: The use of money service businesses (MSBs) is the primary method the fraudster uses to collect victim funds. Once the price is confirmed and the original payment is made, the victim can expect many more communications from the fraudsters, because the victim has to pay the “certified Transportation Company”, the “out of country tax”, the “Anti-terrorist fee” or the “verification of vaccination fee”, just to name a few.

Additional emails will follow until the complainant finally realizes they are a victim and will never get a dog. Most destinations of the MSB transfers are West African nations, including Nigeria, Ghana and Cameroon.

Refer here and here for more information.

The Business Executive Scam: Fraudsters research companies online via company websites. To make this scam work, the fraudsters need to identify a company executive (i.e. CEO, president, manager, owner) as well as an email address for the accounting department. Once identified, the fraudster creates an email address using a free email service such as Yahoo, MSN or Google. The email address will be, for instance, “The executive's name@Yahoo.com”.

A message will be emailed to the accounting department advising that the executive is working at home or off-site and has identified an outstanding payment that needs to be made ASAP.

The “executive” instructs that a payment be made, generally in the amount of 25,000 to 80,000 dollars, to an identified person and bank account.

Bank accounts associated with this fraud have been identified across North America thanks to the efforts of the complainants and the banks. Currently the victimization rate is very low, but it has the potential for high dollar loss. Identified bank accounts require prompt action.
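A detection check for the pattern just described, as an added example that is not part of the original alert: it flags a message whose From display name matches a known executive while the address sits on a free webmail domain, and scores the urgency and payment cues that accompany the request. The corporate domain, executive roster and sample messages are constructed assumptions, not data from the alert.

```python
# Added example: mail-gateway style check for the "Business Executive Scam"
# pattern (executive name on a free webmail address, urgent payment request).
# The roster, domain and sample messages below are constructed for illustration.
from email import message_from_string
from email.utils import parseaddr
import re

CORPORATE_DOMAIN = "example-corp.com"                      # assumed corporate domain
EXECUTIVES = {"jane doe": "CEO", "john smith": "CFO"}       # assumed executive roster
FREE_WEBMAIL = {"yahoo.com", "gmail.com", "hotmail.com", "msn.com", "outlook.com"}
URGENCY_WORDS = re.compile(r"\b(asap|urgent|immediately|wire|payment|transfer)\b", re.I)

def normalize_name(display_name: str) -> str:
    """Lower-case and reorder 'Last, First' so it compares equal to 'First Last'."""
    name = display_name.strip().strip('"').lower()
    if "," in name:
        last, first = [p.strip() for p in name.split(",", 1)]
        name = f"{first} {last}"
    return " ".join(name.split())

def check_message(raw: str) -> dict:
    """Return the indicators found in one RFC 822 message plus a verdict."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    indicators = {
        # executive's name used from an address that is not on the corporate domain
        "exec_name_spoofed": normalize_name(display) in EXECUTIVES and domain != CORPORATE_DOMAIN,
        "free_webmail_sender": domain in FREE_WEBMAIL,
        "reply_to_mismatch": bool(reply_to) and reply_to.lower() != addr.lower(),
        "urgent_payment_request": bool(URGENCY_WORDS.search(msg.get("Subject", "") + " " + body)),
    }
    score = sum(indicators.values())
    # Name spoofing is required; at least one supporting cue raises it to a suspect
    indicators["verdict"] = "BEC-suspect" if indicators["exec_name_spoofed"] and score >= 2 else "ok"
    return indicators

# Constructed sample messages (not real mail).
SCAM_SAMPLE = """\
From: "Jane Doe" <jane.doe@yahoo.com>
To: accounting@example-corp.com
Subject: Outstanding payment - please process ASAP

I am working from home today. Please wire 45,000 USD to the account
below immediately and confirm once done.
"""

LEGIT_SAMPLE = """\
From: "Jane Doe" <jane.doe@example-corp.com>
To: accounting@example-corp.com
Subject: Q2 budget review

Attached are the notes from today's meeting.
"""

if __name__ == "__main__":
    for label, sample in (("scam", SCAM_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, check_message(sample))
```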

Refer here to learn more types of Business Executive Scams.

Sunday, June 16, 2013

Why Mobile Security Matters

How do enterprises secure the increasing flow of data in and out of their doors?

The widespread adoption of intelligent mobile devices has transformed the way we work in innumerable ways. In 2012, IDC calculates that 712.6 million smartphones were shipped globally – 44.1% more than in 2011. In 2013, it predicts worldwide mobile tablet sales will reach 190.9 million, increasing the adoption of cloud and app-based solutions.

By 2016, mobile data traffic will have increased 18-fold, with smartphones, laptops, tablets and other portable devices driving around 90% of that traffic [Cisco]. Yet, alongside the countless new opportunities that these handy communications tools present for flexible workers, the continued rise in mobility also brings with it a myriad of potential security threats.

Most enterprises are already well-accustomed to protecting corporate data, including everything from commercial information to intellectual property and customer/employee information. However, the fact that mobile phones and tablets are small, portable and frequently used in public places or for downloading applications makes them particularly vulnerable to attacks and difficult to manage, especially compared with PCs.

In effect, these devices take corporate information out of the ‘safe’ corporate network and into unsecured environments, such as public Wi-Fi hotspots, and invite users to access a huge range of apps and websites.

The consequences of unwittingly falling foul of security threats can potentially go beyond the need for a simple repair to become far reaching. Whether it’s connecting to a bad Wi-Fi network in an internet café or downloading an app which contains malware, a single unintentional mobile security breach could potentially lead to financial and information loss, a privacy breach, loss of intellectual property or even damage to reputation.

As with other aspects of business, the cost of prevention is far lower than the cost of cure. For this reason, it is critical that today’s businesses assess their security environment and put the necessary protection in place to enable employees to work securely and without risk of infection, whenever and wherever in the world they may be.

Refer here to download the white paper (registration may be required), which covers the following topics:
  • Mobile security challenges and risks faced by large organisations
  • Factors to consider when developing a mobile security strategy
  • How to find a security solution that meets your organisational needs

Monday, June 10, 2013

Securing The Smart Grid

With reports of regular cyber attacks targeting the US smart grid, should UK energy and utilities rethink their approach to security?

"With greater connectivity comes the even bigger need for better energy efficiency, from which the concept of the smart grid was born. The idea of the smart grid is to use IT to gather and act on behavioural information from both consumers and suppliers in an automated fashion to improve the efficiency, reliability, economics, and sustainability of the production and distribution of electricity. However, along with higher energy consumption, greater connectivity also entices a far greater number of security risks."

Continue reading on the Guardian Media Network.

Wednesday, June 5, 2013

Sex Matters: Men & Women differ on data security

Surprise: Women are also more likely to take steps to control what's visible to strangers on social media, although they take fewer security precautions online!

Two Microsoft studies have found that when it comes to technology, men and women may have different priorities when it comes to staying safe and secure.

The first study, which surveyed more than 10,000 mobile and desktop users worldwide, found that 35 percent of men kept their mobile devices protected behind a passcode and used secured wireless networks to go online.

Women, the study found, took those same security precautions at a slightly lower rate of 32 percent.

Following that trend, 32 percent of men kept the software on their mobile devices up-to-date, an important defense against malware attacks. Only 25 percent of women did.

The numbers seem to show that men take mobile security slightly more seriously than their female counterparts, but also that both sexes adopt these common-sense security precautions at an abysmally low rate.

Jacqueline Beauchere, chief online safety officer at Microsoft, said in a statement: "We know from earlier research that men and women practice mobile safety very differently."

Despite their slight edge in security, men appear to fall victim to mobile-based attacks more frequently than women. They receive slightly more phishing emails, intrusive pop-ups and messages from impostors.

When it comes to defending their reputations, women tend to be more cautious than men about what they're willing to share online, the study found.

Women are also more likely to take steps to control what's visible to strangers on social media. The study also found that women are less cavalier than men when it comes to the content of their text messages.

A different Microsoft survey, this one conducted on Facebook, asked more than 800 people about their mobile pet peeves.

Many respondents cited loud talkers, constant phone checking and socially inappropriate use of mobile phones as among their top annoyances.

Monday, June 3, 2013

Do You Need an Anti-Virus for MAC?

It's unlikely you'll ever run into malware for the Mac

But you may still want to consider an antivirus tool anyway: if not to protect yourself, then to protect your Windows-using friends from any malware you may inadvertently send their way.

If you agree, Sophos Anti-Virus for Mac may be the best choice, and it's free.

Many of you may choose to use nothing, but you need to consider that malware is starting to become a bit more prevalent on the Mac, and even the safest browsing habits don't protect you completely. 

Sophos Anti-Virus for Mac

Platform: OS X (10.4+) 
Price: Free
Download: Click here

Features

  • Compact, easy-to-use interface that can be used for custom on-demand scans of files, folders, and drives, or scheduled, periodic full scans of your Mac.
  • Also scans files on your Mac for known Windows malware, trojans, and viruses, and deletes or quarantines them so you don't risk spreading them to someone else via network share, USB drive, or email.
  • Deletes or quarantines known threats, gives you the option to quarantine anything suspicious that may be a new threat or dangerous file.
  • Runs quietly in the background, scanning emails, downloads, and any other files on access, stopping you from opening them before they can do any harm.
  • Light on system resources while running in the background.
  • Installs like any other Mac application, and uninstalls just as easily—no complicated packages or components to manage or configure.
  • Sophos' "Live Antivirus" feature updates your app the moment new threats are detected or found in the wild. The feature also performs real-time lookups to see if files accessed are in the SophosLabs database, even if they're unfamiliar to the app.
  • Supports OS X up to 10.8 and back to 10.4, and is completely free for all versions.