Tuesday, March 26, 2013

Q. The Safest Mobile Device? A. Depends

Depends?!?  Well, isn't that the answer to a lot of things in this world?  Often our answer depends on the context of the question.  Sometimes the answer depends on who you ask since it may only be an opinion or a feeling.  Sometimes the answer is based on a survey, which is a moment in time, and might change a day later.  I write a lot about secure mobile access, especially to the enterprise, so I'm obviously interested in any stories about the risks of mobile devices.  There were a couple over the last few weeks that really caught my attention since they seemed to completely contradict each other. 

Earlier in the month, SC Magazine had a story titled, RSA 2013: iOS safer than Android due to open app model, patching delays which covered much of what many already feel - due to Apple's controlled ecosystem, the apps that are available are less of a risk to a user.  They made note of the McAfee Threats Report which says Android malware almost doubled from the 2nd to 3rd quarter of 2012.

Then just last week, also from SC Magazine, an article titled, Study finds iOS apps to be riskier than Android appeared.  What?  Wait, I thought they were safer.  Well, no apparently.  But before I go any further, I do need to mention that the author of both articles, Marcos Colon (@turbomarcos)does reference his first article and says, 'Security concerns surrounding the Android platform have always taken a back seat to that of iOS, but a new study challenges that notion,' so slack has been extended.  :-)  Anyway, according to an Appthority report, iOS apps pose a greater risk and has more privacy issues (to users) than Android.  Appthority's 'App Reputation Report' looked at 50 of the top free apps available on both platforms and investigated how their functionality affects user privacy.  They looked for “risky” app etiquette like sending data without encryption, sharing information with 3rd-parties, and gaining access to the users' calendars.  (Chart)

In this particular study, in almost all the cases, iOS gave access to the most info.  Of the 50 apps, all of them (100%) sent unencrypted data via iOS but 'only' 92% sent clear text on Android.  Tracking user location: 60% on iOS verses 42% on Android.  Sharing user data with third-parties: 60% on iOS verses 50% on Android.  When it comes to accessing the user's contacts, something we really do not like, 54% of iOS apps accessed the contact list compared to only 20% on Android.  One of biggest differences, according to the article, is that at least on Andriod users are presented with a list of content the app wants to hook and the user can decide - on iOS, permissions can be changed once the app is installed. 

To claim one device is either 'safer,' or 'riskier' is somewhat a moot point these days.  Any time you put your entire life on a device and then rely on that device to run your life, there is risk.  Any time we freely offer up private information, there is a risk.  Any time we rely on others to protect our privacy and provide security, there is a risk.  Any time we allow apps access to personal information, there is risk.  But like any potential vulnerability, individuals and organizations alike, need to understand the potential risk and determine if it something they can live with.  Security is risk management.

To top all this off and really what made me write this, was an @GuyKawasaki tweet titled Love Logo Swaps and among the many twists on brands, was this one:

And it all made sense.

ps

Related:

 

Connect with Peter: Connect with F5:
o_linkedin[1] o_twitter[1]   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]

Tuesday, March 19, 2013

Every Day is a 0-Day Nowadays

It sure seems like 0-Days are now an every day occurrence.  Headlines containing, 'breach,'  'attack,' 'hack,' 'vulnerability,' 'passwords,' 'compromised,' and 'you' are commonplace in the media these days.  Typically a 0-day is described as a threat or an attack on a (previously) unknown vulnerability - this is day zero of enlightenment.  Often, the developer themselves are not even aware of the vulnerability.  0-days can command multiple zeros after the dollar sign since malicious folks can exploit it immediately.  From plug-ins to extensions to browsers to web apps to SCADA systems, 0-days used to be an every-so-often occurrence yet now, it's almost a once a day adventure.  I propose that we re-define '0-day' to mean when zero vulnerabilities found and exploited or no breaches occur that day.  0-days would instantly become a rare happening.  I should have titled this blog, Eliminate 0-Day Attacks!  ...with a Simple Definition Adjustment.  Now that would be a headline.

March Madness, the NCAA Men's Division 1 Basketball Championship, is also a ripe time for attacks.  As the tournament heats up so do phishing attacks, 0day exploits and malware madness.  From fake wagering sites to score tickers to simple bracket apps, internet scams are all over.  Be on high alert for web sites and emails asking you to enter your predictions, download brackets or any activity that involves clicking a suspicious link and entering info.  Be especially wary of those that ask for your social media credentials to 'share' your predictions.

While 0-days can ruin any day, be especially cautious during these times of the year when internet traffic surges and websites are fighting for your attention - the holidays are another example.  The web app might be the target but you may become the victim.  F5 certainly has solutions that can help organizations protect their critical infrastructures, systems, web apps and visitors.  And with the agility of  iRules, organizations can defend against 0-days in a matter of minutes.  Stay secure and smile all the way through the madness.

ps

Related:

Connect with Peter: Connect with F5:
o_linkedin[1] o_twitter[1]   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]

Wednesday, March 13, 2013

This Blog May Have Jumped the Shark

Really?  Already?!?

For whatever reason, the phrase 'Jump the Shark' has been jumping out at me recently.  From the Jump the Shark Hat Tutorial to watching past episodes of Supernatural on Netflix to Cloud Computing to the many #jumptheshark tags added to tweeps tweets.  Originally linked to the Happy Days episode where the water-skiing Fonz jumps over a shark, it has since become the term to describe when writer's storylines have moved into the absurd and the show itself quickly deteriorates.  Today it is attached to almost anything that has either hung around too long, is past it's prime or is simply fallen off the hype-cliff.  I sometimes feel this way after producing a bunch of videos (like the last two weeks) and need to get back to writing...like this entry.  So I decided to investigate a couple recent hype technologies (that I also write about) and if they've already Jumped the Shark.

Rumblings of Cloud Computing jumping the shark came as early as 2009 and 2010.  In 2009 PCWorld ran an article titled, Has Cloud Computing Jumped the Shark? talking about the different definitions of cloud, which company prefers what definition and the rush of vendors into the space.  In 2010, a ServerWatch article titled, Did Cloud Computing Jump the Shark? discusses how various analyst firms view and predict cloud's future along with the differing opinions about it's hype and hope.  Another 2010 article from ebizQ titled Has Cloud Computing Jumped the Shark? references another Infoworld article named Confessions of a cloud skeptic which, in the first sentence says, "the cloud" has jumped the shark.  There are many more articles from 2010 wondering if Cloud has become chum.  I think this was due to the hype, battling opinions on just what cloud is/was and eventually can be, along with the types - SaaS, PaaS and IaaS and the categories of public, private, hybrid.  Now some 3 years later, has it officially jumped, crashed or landed safely on the other side?  Depends on who you ask. 

Throughout 2012, there were plenty of articles titled 'Cloud Computing is Here to Stay' filled with survey results, anecdotal evidence and analyst cites.  At RSA this year, however, I heard a few folks say that the term 'Cloud' was forbidden to be uttered in the Expo Hall.  While the term itself has been overused, abused, misconstrued, and has probably Jumped the Shark, the underlying technology/philosophy will be a part of an organization's hybrid and distributed infrastructure for years to come.  Mobility is one of the main cloud drivers.

Which brings me to my other check.

Has BYOD Jumped the Shark?  Maybe.  Or it might be heading up the ramp.  Almost every pundit thinks BYOD, using one's personal device for work, will be the trend of the year for 2013 but some are questioning that.  A few weeks ago I wrote Is BYO Already D? talking about the few surveys indicating that BYOD could cost more than imagined including The Aberdeen Group who says BYOD could cost organizations 33% more than a IT owned mobile device plan.  The Nov 2012 CITEWorld article titled Has BYOD jumped the shark? One researcher thinks so also talks about the Aberdeen research but adds a research note from Nucleus which predicts that BYOD will decline as enterprise mobility heats up. They explain that support costs, compliance risks and usage reimbursement will lead to higher TCO with no discernable ROI or productivity gains.

While I don't think that BYOD has officially moved to the absurd, for 2013 I do think organizations will better understand the BYOD implications  and how it fits in the overall Enterprise Mobility strategy.  Enterprise Mobility includes BYOD, managed devices and other communication tools, including laptops potentially.  Just like cloud, I think organizations will have a mix of options to support a mash of devices - including those you use at or bring from home.  There will still be IT issued fully managed devices (that require a VPN tunnel) for years to come mixed in with unmanaged personal devices where just the corporate data and apps are under IT control.  This is the BYOD 2.0 stuff we've been talking about with the F5 Mobile App Manager.  So while the term BYOD might be starting to hit saturation, Enterprise Mobility should be the focus.  Access to any app, from any device, from anywhere.

So, has this blog Jumped the Shark?  While some of the topics, err, terms I cover might be candidates, only you can determine if/when I've crossed into that absurdity realm.  I do hope you'll let me know when I start resembling a cool dude wearing a leather jacket while water skiing.

ps

Related:

Connect with Peter: Connect with F5:
o_linkedin[1] o_twitter[1]   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]

Monday, March 11, 2013

Thursday, March 7, 2013

Pulse2013 – That’s a Wrap

I wrap it up from the #IBMPulse 2013 conference from the MGM Grand in Las Vegas. Special thanks to Ron Carovano for the invite along with Nojan Moshiri for showing the integration between BIG-IP ASM and IBM’s InfoSphere Guardium along with showing the BIG-IP APM and IBM Maximo solution. And a special Mahalo to Janice Merk for holding the camera this week. And to you, thanks for watching! Aloha.

 

ps

Related:

Technorati Tags: f5,ibm,pulse,ibmpulse,psilva,video,security, sso,maximo, optimized, vegas

Connect with Peter: Connect with F5:
o_linkedin[1] o_twitter[1]   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]

Wednesday, March 6, 2013

Pulse2013 – IBM Maximo Optimization & SSO with BIG-IP APM

It’s an all Nojan week at the Pulse2013 conference at the MGM Grand! This time, he shows Peter Silva how to deploy Maximo Asset Management with the new Maximo iApp from F5 found on DevCentral along with how to configure acceleration and SSO for Maximo users. Increased performance for remote users along with the ease of deployment for administrators. Got Maximo? Get BIG-IP APM.

 

ps

Related:

Technorati Tags: f5,ibm,pulse,ibmpulse,psilva,video,security, sso,maximo, optimized

Connect with Peter: Connect with F5:
o_linkedin[1] o_twitter[1]   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]

Tuesday, March 5, 2013

Pulse2013 – BIG-IP ASM & IBM InfoSphere Guardium

I meet with F5 Solution Architect Nojan Moshiri to learn about the integration between BIG-IP ASM and IBM’s InfoSphere Guardium offering real time data security along with contextual meta data associated with the SQL data. Each enhances the other to provide both defense-in-depth protection and contextual security information. Powerful stuff.

 

ps

Related:

Technorati Tags: f5,ibm,pulse,ibmpulse,psilva,video,security, database,Guardium, sql,

Connect with Peter: Connect with F5:
o_linkedin[1] o_twitter[1]   o_facebook[1] o_twitter[1] o_slideshare[1] o_youtube[1]