Mobile Security: Malware Threats

Secure your Mobile !


Mobile devices, of late, gaining popularity with the acceptance of BYOD (Bring your Own Device) policy across the Corporates. Many large organizations are realizing that it’s easier to develop and deploy their own secure apps for employees with off-the-shelf solutions. Barclays bank, one of the world’s largest bank, hits the News this week by giving 8,500 of its employees an early Christmas present: iPads !  According to Baxter-Reynolds, Barclays’ total cost of ownership for 8,500 iPads works out to approximately £13.8 million, or $2,600 USD per unit.

What about Information Security?

While Barclays is focusing on a bigger business gain and employee confidence, security, of course, is a major concern. “With the lockdown offered on iOS devices — including encrypted content — iPads have all the things that reassure the ‘necessarily-paranoid’ in any bank’s IT department,” wrote Charles Arthur in the Guardian UK, commenting on Barclays’ decision to go with iPads.

barclays logo Zack Whittaker at ZDNet agrees, saying Barclays confidence in IPad safeguards sets a trend for other companies, particularly banks. “The huge iPad deployment shows a significant level of trust in the Apple platform — that it’s secure enough for banking,” Whittaker wrote in his analysis. “Finance, after all, is only one-notch below national security in the grand scheme of data protection priorities.”

Mobile Security in General

Yes, Barclays invested huge amounts on the devices, training and security mobile logomanagement of mobile technology. Waht about other companies- big and small – adopting rapidly the policy of BYOD yet not fully geared to understand and prepare to the face the risk? FBI & Internet Crime Complaint Center (IC3are warning the smart phone users of malware targeting mobile devices. Malware seems to be the worst threat to the mobility considering the low levels of mobile security awareness equally among the management & users.

Some tips to secure your mobile 

  • When purchasing a Smart phone, know the features of the device, including the default settings. Turn off features of the device not needed to minimize the attack surface of the device.
  • Depending on the type of phone, the operating system may have encryption available. This can be used to protect the user’s personal data in the case of loss or theft.
  • With the growth of the application market for mobile devices, users should look at the reviews of the developer/company who published the application.
  • Review and understand the permissions you are giving when you download applications.
  • Passcode protect your mobile device. This is the first layer of physical security to protect the contents of the device. In conjunction with the passcode, enable the screen lock feature after a few minutes of inactivity.
  • Obtain malware protection for your mobile device. Look for applications that specialize in antivirus or file integrity that helps protect your device from rogue applications and malware.
  • Be aware of applications that enable Geo-location. The application will track the user’s location anywhere. This application can be used for marketing, but can be used by malicious actors raising concerns of assisting a possible stalker and/or burglaries.
  • Jailbreak or rooting is used to remove certain restrictions imposed by the device manufacturer or cell phone carrier. This allows the user nearly unregulated control over what programs can be installed and how the device can be used. However, this procedure often involves exploiting significant security vulnerabilities and increases the attack surface of the device. Anytime a user, application or service runs in “unrestricted” or “system” level within an operation system, it allows any compromise to take full control of the device.
  • Do not allow your device to connect to unknown wireless networks. These networks could be rogue access points that capture information passed between your device and a legitimate server.
  • If you decide to sell your device or trade it in, make sure you wipe the device (reset it to factory default) to avoid leaving personal data on the device.
  • Smartphones require updates to run applications and firmware. If users neglect this it increases the risk of having their device hacked or compromised.
  • Avoid clicking on or otherwise downloading software or links from unknown sources.
  • Use the same precautions on your mobile phone as you would on your computer when using the Internet.

 
Advertisements

Data Protection & Privacy: Data Breach in Greece

Greek Man Accused of Stealing Data of 9 Million Citizens

Greece is in news again, for all wrong reasons. This time it is not the ever failing economy or bailout plans from one more country or authority. A Greek man has been arrested on suspicion of having stolen 9 million personal data filesin what is believed to be the biggest breach of private information the country has ever seen. The 35-year-old accused was found in possession of the data files that included identity card details, tax numbers, vehicle license plate numbers and home addresses.

General legal framework  in Greece

Personal data processing and protection in Greece is mainly regulated by Law 2472/1997 known as the Data Protection Act (DPA), implementing Directive 95/46/EC. The DPA regulates the automatic or manual processing of data relating to living identifiable individuals in connection with the provision of electronic communications, which are not publicly available. The DPA sets forth the basic terms and conditions relating to data collection and processing, imposes fundamental obligations on data controllers regarding all categories of data-related activities. The DP Authority receives complaints and have been levying penalties on data breach complaints received.

What abets the crime?

Interestingly, data breaches were observed in increased  proportion across the Globe during the years of recession and economic slowdown few years ago. Security experts warn that incidents of crime  are likely to increase during challenging economic times. There is  evidence from the large security monitoring networks showing that cyber crime attacks like phishing have already risen. With rising levels of uncertainty of employment &  negative growths in income, disgruntled employees might take sensitive data when they leave an organisation. Even for the honest worker, there is no guarantee, that he would return all assets like USB token and remember to erase entire company data from his personal devices. Further, with falling incomes, companies would try to cut all expenses, perhaps those on information security administration as well, in order to save few more pennies.


 What can be done?

Organisations should not see this as a case of ‘data loss’ alone,  and what they should remember is that the company’s reputation itself is at stake. In addition, don’t forget the penalties imposed due to Data Protection & Privacy Laws in force.  Organisations handling potentially sensitive data should not routinely invest in some data protection tools and gain false assurance, as these tools, despite having a positive role, suffer from many of the limitations of early intrusion detection and intrusion prevention systems like potentially high numbers of false positives and associated inconvenience to legitimate business users. In addition, these organisations should  invest sufficient time and effort in creating policies and practises – like access controls to key & critical applications, log management –  aimed at preventing data loss.

Educating the end-users  about their responsibilities to organisation and customer data, would be more effective than locking down USB ports or disallowing devices. The problem of data breaches is NOT just with the technology, as popularly perceived, and the solution lies more in focusing at the policies, processes and education. The returns on investment on these are more rewarding than on investments in technology.

 

Information Security Trends: Cloud, Mobility & Social Tools add complexity

 Cloud and Mobility Complicate Security

Cloud computing, mobility, social tools and other technologies that put mor e power in the hands of individual users pose new challenges for organizations seeking to secure data, devices and networks, new research released today by CompTIA, the non-profit association for the information technology (IT) industry, reveals.
This was the big take-home from the latest Information Security Trends study by Computing Technology Industry Association (CompTIA). Among the 308 security breaches reported by participants in the 10th annual study, 54% were caused by human error. Nearly half those errors (49%) were attributed to end-user failure to follow policy and procedure. The study is based on a survey of 508 IT and business and IT executives directly involved in setting or executing information security policies and processes for their organizations; and 368 executives at U.S. IT firms, with most having some level of involvement in the IT channel.

“As users gain more responsibility for their own technology, the human element becomes more and more important,” said Seth Robinson, director, technology analysis, CompTIA.

“There’s a growing need that we see to educate the end users and bring them up to speed with security awareness, and [increase] their knowledge of what an attack might look like,” said study author Seth Robinson. “Educating the end user really should be a bigger priority.”

cloud The message doesn’t seem to be getting through to the people in charge of enterprise security. About 60 % of survey respondents cited malware, such as viruses and Trojans, as a “serious concern.” Other types of security threats from the outside, namely hacking (54%), also outranked human error as major threats. Indeed, only 24% of respondents viewed end-user error as a “serious concern.” The respondents’ focus on external threats does not surprise Robinson. “It’s what they’ve been concerned about for years, and it informs how they’ve built and continue to build security defenses.”

Robinson attributes the  disconnect between resource allocation and rising internal threats to both stagnant budgets and an outdated understanding of what constitutes adequate end-user training. A basic run-through of security policies at the time of hire with a yearly refresher isn’t enough, he said. Today, the advice from top information security experts calls for training that is frequent and interactive. For example, Robinson said a simulated phishing attack among the workforce can be a useful training tool. IT can track the number of employees who click the link, and give those employees additional information security training to recognize that type of threat.

A net 49 percent of companies say they intend to hire security specialists, including those that also plan on training current staff.  Executives have a strong preference for security professionals with industry certifications. A full 84 percent said they experienced a positive return on investment in security certifications,

cloudwith certified staff viewed as more valuable because of their proven expertise and ability to perform at a high level than non-certified staff. Putting employee security training in the hands of a security specialist — and off the to-do list of CIOs — is something experts

strongly advocate. Decisions about device and platform management and application access should be made by infrastructure and operations (I&O) teams. However, security experts should be the ones figuring out what threats their organizations face from different end-user access scenarios.