Wednesday, October 28, 2009

Social Media – Friend or Foe

Social Networks are now part of our society, for better or worse.  They have allowed us to both connect with current friends and find pals from the past; they offer businesses another outlet for marketing and sales; they allow us to collaborate, discuss and converse on any topic imaginable.  And due to their popularity, they also give thieves and other criminal types an inroad to deliver malware, steal identities, spam, stalk, and do many other nasty things that expose personal and corporate information.  Since so many people are on a single platform, where trust is somewhat inherent, it’s much easier to get someone to click a link than it is to technically hack their system.  There has been so much written about this topic, and in the spirit of sharing, I thought I’d offer just a few interesting stats, stories and suggestions from the various pundits on the topic:
  • Tweet Breach: 140 Characters of Sheer Destruction: This article tells the tale of a seemingly innocent tweet that turned into a nightmare.  He also defines the term - tweet•breach.
  • NFL restricts Twitter use: This is just one instance of how professional sports is dealing with social media and the instantaneous updates.  We’ve already seen a few players get into some trouble over their tweeting.
  • Statistics Show Social Media Is Bigger Than You Think: This is a fascinating list of statistics pertaining to Social Media, including this gem - Years to Reach 50 million Users: Radio (38 Years), TV (13 Years), Internet (4 Years), iPod (3 Years)…Facebook added 100 million users in less than 9 months…iPhone applications hit 1 billion in 9 months.  Many of the comments are just as engaging.
  • Top 8 Social Media Security Threats: A listing and description of many of the most recent Social Media focused attacks.
  • Social Networks Increase Risks to Online Privacy: His own personal account of falling for a scam.
  • Are social networking sites good for our society?: Very detailed article with plenty of stats and stories, including the ever popular Franklin T-Chart with Pros/Cons of Social Networking.
  • Identity theft is too easy and can even be automated says IT security expert: From RSA Europe, this article describes a co-worker’s challenge to steal her identity and the steps the ‘friendly-perpetrator’ took to do just that.
  • Breach 2.0: Some best practices for protecting company info and employee data.
  • Developing Social Media Policies for Business: Another with stories, stats and considerations when developing a Social Media policy.
And with that, I’ll let you get back to mingling on Twitter, Facebook, MySpace, YouTube, Digg, Technorati, and all the others.  Incidentally, you can follow F5 Networks tweets at (@f5networks) and mine is @psilvas. 

Wednesday, October 21, 2009

Will you Comply or just Check the Box?

Some of both, apparently.  A recent Ponemon Institute PCI-DSS Compliance survey revealed that 71% of companies actually admitted that data security is not a top priority and 55% say they are only protecting credit card data and not other sensitive information like bank account info, social security numbers and driver’s license data.  Additional statistics show that a minuscule 28% of smaller companies (501-1000 employees) are PCI-DSS compliant and around 70% of large companies (>75,000 employees) say they meet the Regulations.  The one that jumps out for me is the small merchant stat.  I understand that cost is a large factor for smaller companies to be PCI compliant, but just imagine how many companies and industries fall into the 501-1000 employee category.  And that doesn’t count all the even smaller ‘Family Owned’ restaurants, auto repair shops or any other service where you say, ‘I like them because they are local or family owned.’  Unfortunately, those friendly establishments might not be a BFF with your sensitive data.  I’m not saying to avoid your favorite Chinese take-out, but be aware that the numbers are against you.

There are a couple of interesting PCI developments coming over the next year.  As I mentioned in Regulation Roundup back in February, the PCI deadline for unattended, Point-of-Sale PIN entry devices is July 10, 2010.  These are those standalone ‘Pay for your parking’ machines, gas station terminals, ticket kiosks, vending machines and any other terminal where a PIN might be entered.  First, July 1, 2009, was the deadline for Triple-DES to be mandated for all debit transaction processing.  And next July, all fuel pumps (and like terminals) will need to have an encrypted PIN entry pad, be able to encrypt the PIN itself and process using TDES.  I imagine there will be another mad dash next spring for merchants to get in compliance.
The other PCI piece: come summer 2010, PCI will be making some regulatory changes to update the PCI standards, including 3rd party audits (Level II), tokens, end-to-end encryption and potentially Virtualization Security.  Some of these changes should help in protecting our data.

And if you think skirting regulations might be a money saver, take a look at this article where the FTC has recently fined ChoicePoint for not adhering to the agreement made in 2006 for the huge 2005 data breach.  They just got whacked with another $275,000 for removing a database security monitoring tool.

As I finish up the 18th entry of 26 Short Topics, I’ve noticed Regulatory Compliance, especially PCI, comes up frequently.  Maybe it’s the constant surveys, startling numbers, never-ending breaches and media reports, or maybe it’s that PCI-DSS, while not perfect, affects almost all of us and it’s like we’re in it together.  You might not know, get along with or like your neighbor, but if you shop at the same store and they are breached, suddenly you’re both in the same boat - ‘Hey, that happened to me too!’  It’s one of those things that we all should care about.


UPDATE - Added 10.22.09:  ChoicePoint would like to clarify the characterization of the FTC situation and I'm happy to include this for accuracy:

"Your piece titled "Will you Comply or Just Check the Box" touches on recent ChoicePoint/FTC news and the company would like to request a clarification.

1. In regards to your report that a "fine" was levied by the FTC
a. While the Commission has authority to seek a civil penalty, it expressly did not do so in this case, as the language of the Order and the amount of monetary relief indicate.  The Supplemental Stipulated Order itself in Part I provides for "monetary be used for equitable relief, including, but not limited to consumer redress and any attendant expenses...."  The FTC incorrectly characterized the monetary payment as a "penalty" in its initial press release and has since revised its press release to correct this point.  The payment was made pursuant to the court's equitable authority to address compliance with its orders.  The payment is not punitive in nature and neither the Order nor the FTC press release (as modified) characterizes the payment as a fine or a penalty.

Thank you so much for your time and attention. We would very much appreciate your correction of the record."

- Not a problem, thanks for the update and appreciate the clarification.  ps 

Thursday, October 15, 2009

Don’t say a Word

………………………………………………….….oh, you’re waiting for me?  This will probably be a short post since there are not that many security terms that begin with the 17th letter of our alphabet.  However, keeping Quiet is a common theme in security.  As mentioned numerous times, locking passwords, logins, and other sensitive information in your mouth vault keeps them from leaking to others.  Social Engineering has always been about compromising that vault.  Recently there was a post by Roger Thompson, AVG’s Chief Research Officer, which actually suggested writing down your passwords, especially complex, hard to remember passwords.  While this practice has been frowned upon for many years – as in the ever popular post-its stuck to laptops – there is some sense in creating (and writing down) difficult passwords that are extremely hard to guess.  Just put that paper in a safe location.  Our own Alan Murphy offered some advice about passwords just a few months ago.

Keeping Quiet is also what most companies do when they discover a breach, at least initially.  A survey from the 2008 RSA conference showed that 89% of security incidents go unreported.  More often it’s the insider breaches that stay under the covers.  Some of that could be due to the breach simply going undetected, but many companies don’t want the public exposure of a breach.  Laws have changed some of that, and huge breaches, like the Heartland incident, must be reported so people can protect themselves.  Even the Heartland incident wasn’t detected for a couple of months, and when it was, it didn’t get reported for yet another month.  Granted, sometimes law enforcement does ask victims not to say anything so that evidence can be gathered and the crooks aren’t tipped off.  In any event, keeping quiet about a breach happens more often than you think, and it’s often due to the fear of a damaged reputation.  Of course there is an opposing view to the damage factor by Larry Walsh, where he talks about the multitude of brands who have suffered major breaches and how consumers have either forgotten or forgiven.

While silence can be golden and rests are written into music for effect, when it comes to Data Breaches not saying a word can put your business in jeopardy and in the cross-hairs of the law.

Thursday, October 8, 2009

This time, it’s Personal

Nearly 80% of companies reported an increase in the number of employees wanting to bring their own devices into the workplace in the last 6-12 months, according to ‘The Device Dilemma,’ a report by Vanson Bourne and Good Technology. In addition, two-thirds of IT Managers have been under more pressure to increase compatibility with people’s personal handsets in the workplace, with 82% saying the most requested device is the iPhone.

Personal devices pose a difficult challenge to IT departments, and it’s not just iPhones/personal cell phones; mp3/music players, portable video/game consoles, personal laptops and just about anything with an internet connection or USB hookup can pose a risk.  The age of social networks, streaming video, the tele-work lifestyle and the basic computing power of mobile devices has made them constant companions in our daily lives, since they do more than just make calls.  We have grown personally attached to these mini-computers (even customizing them) and don’t want to carry around 3 different mobile devices.  Employees now want to use their own devices for work-related tasks.

It can be a Catch-22; IT might save a little money by not having to procure new corporate hardware but could spend significant time dealing with all the variants and security risks unauthorized personal devices pose.  With all the different models, manufacturers, operating systems and capacities, configuring and securing each device is not an easy task.  Even if IT is able to apply a policy to individual devices, there still is no real guarantee that each device will support/enforce it.  Management and control of those devices is a huge concern.  The report also noted, ‘IT Managers don’t want to prevent people from using their own devices; almost half (44%) said they would let people choose if they were assured of security and configuration.’  Even then, 74% of IT Directors think that employees will still use their own devices even if IT doesn’t support it, and more than 25% have experienced a security breach due to an employee using an unauthorized device.

Work Styles have changed also.  Employees are now more dispersed: Different time/different location, Same time/different location, Same time/same location or working alone.  While this model has enabled employees to work from anywhere, the need for collaboration has become critical, especially with a global enterprise.  What can you do?  Don’t panic, as indicated in this article by Kim Boatman (hope I Linkedin the correct journalist) called Personal Tech Checklist for the Workplace.  She has a checklist of steps IT can take when dealing with personal tech issues:
  • Establish or re-evaluate usage policies. Many businesses wrote Internet usage policies a decade or so ago and haven’t revisited them.
  • Evaluate how you expect employees to use – or not use – social networking. After all, there can be a business benefit to your employees’ presence on Facebook or Twitter.
  • Inventory employees and equipment. Keep track of the level of access granted to each employee.
  • Understand the security implications of your policy. For instance, says Storms, allowing employees to install proprietary information on their personal devices is a high-risk proposition, while permitting access to social networking sites at work is less risky.
  • Educate users. It’s not enough simply to establish plain-language guidelines. If you want employee buy-in, explain why certain actions are limited and what the consequences could be.
  • Involve IT. It makes good sense to vet policies and practices through the people that keep your systems going.
  • Give yourself wiggle room. Create that clear usage policy, explain it, and publicize it. But give yourself leeway.


Tuesday, October 6, 2009

F5’s BIG-IP system with Oracle Access Manager

Honestly, this was not timed and I actually had a different topic to discuss for #15 of 26 Short Topics, but this cool news came out today.  F5 and Oracle have announced plans to unify access management for web applications.  The press release can be found here.  The solution will combine F5’s BIG-IP system with Oracle Access Manager to enhance single sign-on (SSO) capabilities and simplify access control.

The Authentication Alternatives Today

Code in the Application
  • Costly, difficult to change 
  • Not repeatable
  • Decentralized
  • Less secure
Agents on servers
  • Difficult to administer
  • Interoperability
  • Decentralized
  • Less Secure
Specialized Access Proxies
  • Don’t scale as well
  • Often inferior reliability
  • More boxes for network operations

A Better Alternative: BIG-IP and OAM

  • The solution is to replace the OAM Proxy with BIG-IP.
  • Gain superior scalability and high availability
  • Benefit from F5’s Unified Application Delivery Services

Benefits of Oracle OAM & F5 BIG-IP Integration

  • Reduces TCO, dramatically lowers deployment risk and streamlines operations
  • Integration with OAM Single Sign-On (SSO) for superior end-user experience and enhanced user productivity
  • Unified point of enforcement to simplify auditing and control changes in configuring application access settings

Unifying application delivery and web access management. 
Availability in 1H2010 – More to come soon!


Thursday, October 1, 2009

Can my PAN ride the LAN out the WAN?

In 2005, a Preventsys (now McAfee) and Qualys survey found that 52% of companies rely on a ‘Moat & Castle’ approach to Network Security but also admitted, at the time, that once the perimeter is penetrated, they are at risk.  I haven’t been able to find a more recent statistic, but I’m still betting that once a network is breached, it’s at risk.  Networks are evolving, expanding and exploding with more data than ever before, which means they also need to be smarter about who and what they allow on.  They have become Application Delivery Networks and soon, truly Identity Aware.  At the same time, many Enterprise networks are making interconnections with other Corporate networks, enabling Federation or trust between the two to create an extended network.

The good news/bad news about this is that according to Verizon Business' "2009 Data Breach Investigations Report (pdf)", 32% of the data breaches implicated a business partner.  The good news is that breaches linked to business partners fell for the first time in years (-7%), but it was still 3rd on the list (behind External Sources and Multiple Parties).  They conclude that the decline wasn’t due to any additional security focus in that particular area (in fact, the majority of partner breaches were due to lax security practices at the connection level on the third-party side) but to a change in what criminals were going after.  In 2008, the Food/Beverage industry had a high percentage (70%) of breaches attributed to partners, and in 2009 the bad-guys decided to go after higher payouts – like financial institutions.  Only (with a grain of salt) 1,509,000 records were compromised by partners compared to 266,788,000 by external sources, based on the report.  Usually it was the third-party systems that were compromised, and the attacker used the trusted connection to make inroads to the target.  Since the traffic is coming from a ‘trusted’ authorized connection, these attacks are difficult to detect and stop.

Exchanging information is critical to this extended ecosystem and some level of trust is inherent.  But you can’t necessarily expect that your security policies will be consistently enforced on a separate network.  It’s important to look at these deployments, consider your visibility/accountability for those partner connections and create policies that enable, benefit and secure both ends.
Source: The 2009 Data Breach Investigations Report by Verizon Business