BYOD: Make it Secure !

BYOD Challenges can be handled through right policies

Bring your own device(BYOD) is a revolution happening at the user end and taken the infrastructure out of the control of ‘Information managers’. While the debate is going on whether or not BYOD policies save organizations money or cost them, it is slowly emerging that these policies increase complexity while decreasing direct control over information resources. Information security suddenly becomes a prime challenge as the devices now owned by the individuals & used for personal information purposes and the segregation & privacy of work information posing difficult practical problems. A robust BYOD policy coupled with an effective strategy can, to a reasonable extent, help restore the control and ensure a smooth transition to the inevitable BYOD revolution.

A strong framework of information security and a supporting policy guidelines are absolutely critical to ensure a smooth transition. The issue becomes more critical in the absence of a clear regulation and require an ironclad policy that is enforced rigorously. Typical tasks that are expected to include in the policy are clearly defined information classification, access policy rules from personal devices, user profiling, locking on security devices/OS, loss of device protection and data recovery methods and also have provisions for remote wipe and remote application management capabilities, the right to confiscate and search devices and the right to dictate which applications are allowed and prohibited. For example, IBM banned access to Apple’s Siri application as well as access to Dropbox, for company-managed devices.

In the extremely nebulous legal landscape, it is highly imperative that these policies should be cleared through the legal team to make sure that language is adequate and that it will work in all applicable jurisdictions. From a legal perspective, it is mandatory to review all licenses for cloud-based applications to ensure that data is handled responsibly in those environments. Review of these agreements should follow the same review and approval process that would be normally used when considering outsourcing partnerships.

The security framework need to answer questions like heavy weight or light security; security at server level or client level; security at device level, application level or information level, and so on. Other issues that cannot be overlooked are like bandwidth, software licenses, data plans etc. Similarly, users’ concerns like confiscating their devices and accessing the personal information need to addressed. Providing a method to secure copies of personal information, as well as a way to protect other pieces of private information (e.g., nonwork text messages, email and instant message logs) will go a long way toward easing those concerns.

Issues arising out of people using unmanned devices (eg.a user does not wish to participate in the officially sanctioned BYOD programme) may represent even greater risk to businesses than those people willingly agreeing to follow the rules.

While an in place, alysts and experts caution the organizations on the importance of having a strong BYOD policy the fact is that many organizations do not pay enough attention to this key fact and simply add a few lines to their existing wireless policy in an attempt to cover their bases. While it’s highly recommended that the BYOD strategy be in line with the corporate mobility strategy, just tweaking the mobility policy to accommodate BYOD is not enough. A separate policy that covers all possible aspects of BYOD is a basic necessity.

A policy is only as good as the people who follow it. Implementing a pilot and revisiting policy guidelines help to understand the ever evolving challenges. Further, policy-making needs to be treated as an evolving process and not a one time exercise to meet routene compliace or adherence to company policies. It is also important to build policies by implementing technical controls like mobile application management (MAM) and mobile device management (MDM) applications. Where possible, enforcing device encryption and passwords will help reduce associated technical risks. Improving access management requirements, such as by mandating two-step or two-factor authentication, can further help reduce the risk of a lost device immediately leading to a data breach.

Advertisements

US banks under cyber attack !!


Security researchers at McAfee labs believe Project Blitzkrieg, a plan to use malware to steal money from 30 banks in the U.S., is a real threat not to be taken lightly. The security company released a report about the project that was originally announced in September on a Russian forum. A cyber-criminal by the handle “vorVzakone” originally posted the intent to hack into 30 banks across the U.S. and steal information and money using a trojan. A trojan is a type of malware that secretly enters a computer system by pretending to be something innocuous.

McAfee says that the forum post originally called for developer help and said the trojan would be launched within a few weeks. Timing for the attacks have not been confirmed, though a number of banks were recently hit with denial of service attacks (DDOS) that took down their websites. DDOS attacks work by flooding a system’s servers with traffic, causing it to overload and shut down. This kind of attack does not actually reach the inside of the system, allowing hackers access, but is sometimes used a diversion tactic while hackers silently gain illegal access to the servers.

“McAfee Labs believes that Project Blitzkrieg is a credible threat to the financial industry and appears to be moving forward as planned. Not only did we find evidence validating the existence of an early pilot campaign operated by vorVzakone and his group using the Trojan Prinimalka that infected at a minimum 300 to 500 victims across the United States, but we were also able to track additional campaigns as a result of the forum posting,” said McAfee Labs threat researcher Ryan Sherstobitoff in the report.

McAfee believes the trojan in use here is called Prinimalka, a piece of malware originally built in 2008. VorVzakone’s forum post also said that the trojan had already stolen $5 million from unknown institutions.(Read more at http://venturebeat.com/2012/12/13/us-bank-threats/#miGWuyOSziGXZhGm.99)

On the other hand, Since September, U.S. banks have been battling with mixed success distributed denial of service (DDoS) attacks from a self-proclaimed hactivist group called Izz ad-Din al-Qassam Cyber Fighters. Despite its claims of being a grassroots operation, U.S. government officials and security experts say the group is a cover for Iran.

“There is no doubt within the U.S. government that Iran is behind these attacks,” James A. Lewis, a former official in the State and Commerce Departments and a computer security expert at the Center for Strategic and International Studies, told The New York Times.

Mr. Lewis said the amount of traffic flooding American banking sites was “multiple times” the amount that Russia directed at Estonia in a monthlong online assault in 2007 that nearly crippled the Baltic nation.

American officials have not offered any technical evidence to back up their claims, but computer security experts say the recent attacks showed a level of sophistication far beyond that of amateur hackers. Also, the hackers chose to pursue disruption, not money: another earmark of state-sponsored attacks, the experts said.

“The scale, the scope and the effectiveness of these attacks have been unprecedented,” said Carl Herberger, vice president of security solutions at Radware, a security firm that has been investigating the attacks on behalf of banks and cloud service providers. “There have never been this many financial institutions under this much duress.”

Since September, intruders have caused major disruptions to the online banking sites of Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC, Capital One, Fifth Third Bank, BB&T and HSBC.

They employed DDoS attacks, or distributed denial of service attacks, named because hackers deny customers service by directing large volumes of traffic to a site until it collapses. No bank accounts were breached and no customers’ money was taken.

By using data centers, the attackers are simply keeping up with the times. Companies and consumers are increasingly conducting their business over large-scale “clouds” of hundreds, even thousands, of networked computer servers.

These clouds are run by Amazon and Google, but also by many smaller players who commonly rent them to other companies. It appears the hackers remotely hijacked some of these clouds and used the computing power to take down American banking sites.

“There’s a sense now that attackers are crafting their own private clouds,” either by creating networks of individual machines or by stealing resources wholesale from poorly maintained corporate clouds, said John Kindervag, an analyst at Forrester Research. How, exactly, attackers are hijacking data centers is still a mystery. Making matters more complex, they have simultaneously introduced another weapon: encrypted DDoS attacks.

Banks encrypt customers’ online transactions for security, but the encryption process consumes system resources. By flooding banking sites with encryption requests, attackers can further slow or cripple sites with fewer requests.A hacker group calling itself Izz ad-Din al-Qassam Cyber Fighters has claimed in online posts that it was responsible for the attacks.

In News:Australia replaces outdated security manual

Australia introduces new Protective Security Policy Framework (PSPF)

Come August 1, 2013, Australia is all set to introduce the new Protective Security Policy Framework, known as the PSPF, replacing the old Commonwealth Government Protective Security Manual (PSM), reports Mike Rothery, First Assistant Secretary at the Attorney General’s Department’s National Security Resilience Policy Division. The policy provides guidance on securing information, physical assets and people.

Protective security is a key enabler for government business. Whether it is protecting the privacy of citizens, preventing the theft of assets, ensuring the safety of workers or making sure critical data is available when it is needed, the new PSPF aims to help agencies get their job done. A key driver for the change was a review of the old PSM by the Attorney-General’s Department, which found that the PSM was ‘compliance driven’ and lacked flexibility; impeding the ability of many agencies to effectively conduct daily business and deliver services.

Whilst effective in protecting national security information, the old PSM did not allow for sufficient flexibility in handling unclassified but sensitive material, such as commercial and personal information.

The new PSPF seeks to deal with these limitations, as well as new challenges posed by information technology. The new policy considers the additional risks from the aggregation of data, in addition to the classification of the individual pieces of information. An aggregation of information may require a higher level of protection than its component parts.
For example, where the harm caused by the unauthorised access of an individual piece of unclassified information might be minor, the harm caused by the unauthorised access to a complete library of information at that same classification level may be significantly higher. This consideration is particularly important given developments in technology enabling vast amounts of information to be stored in the one place. 

Consider the huge amounts of data that can be stored on small devices such as USB sticks, for example.
For this reason, the PSPF includes the Australian Government information security management guidelines of aggregated information guideline.In keeping with the move from hard copy to electronic storage, the guideline relates specifically to the security of electronic aggregations of Australian Government information.

One of the most noticeable changes to the policy is a new security classification system. The old systems of separate classifications for national security and non-national security information have been replaced; the new policy has a simplified single classification structure.

The classifications of Restricted and Highly Protected have been abolished to leave a single structure of Protected, Confidential, Secret and Top Secret. This protected change will assist agencies in conducting their day-to-day business by allowing greater interoperability across government and facilitating both information sharing and information protection.

In place of the term ‘in-confidence’, new dissemination limiting markers have been introduced for use by agencies to restrict the availability of official information where disclosure is limited or prohibited by legislation, or requires special handling. This is particularly useful for information covered by the privacy principles.

In addition to changes to information security, the PSPF initiates important broader changes to protective security, including reforms to personnel security, physical security and governance arrangements.
The biggest change in policy is the move from a compliance based approach to one that is risk-based. This marks a significant departure from the ‘one size fits all’ nature of the PSM, and allows agencies the latitude to find the most efficient controls that suit their business.

While the PSPF specifies controls for the handling of classified information, it recognises that the bulk of sensitive information held by government relates to the private sector and the personal information of citizens. With a growing demand for the online delivery of government services, the new policy allows agencies to determine their own controls for the unclassified information they hold, including when using the Internet for service delivery.

The PSPF is engineered to be flexible, so that individual agencies can use it to develop and implement policies and practices that suit their needs while maintaining minimum requirements to protect their most sensitive information.

By actively managing risk, agencies will be able to use the Internet to engage directly with clients, while at the same time ensuring protection of networks and unauthorised access to data libraries.
In addition to the intrinsic sensitivity of information, agencies are now required to consider the full range of negative consequences from a security breach.

These are described in new Business Impact Levels or BILs. These cover such issues as damage to reputation, risk of litigation and the loss of trust with customers or partners. The BILs have been established to guide agencies in the development of their own risk management policies and procedures.

As security vetting assessments of staff are a snapshot in time, the new policy for personnel security emphasises the importance of ‘aftercare’ or whole of career considerations. The policy also supports the centralisation of the security clearance process in the Australian Government Security Vetting Agency.
The physical security policy remains largely unchanged as a result of the PSPF, with the exception of new advice on protecting culturally significant and valuable assets, achieving security for diverse worksites and incorporating physical security into disaster management.

The PSPF includes core public sector governance principles to support a proactive security culture across agencies. Governance arrangements aim to ensure that agencies adhere to applicable protective security standards, have clear roles and responsibilities for protective security functions and decision making, and make the best use of limited protective security resources.

Executive level leadership is integral to achieving agency-wide commitment to good protective security performance. An important element is the new requirement for agency heads to make an annual statement of compliance against the core security requirements to the relevant portfolio Minister.

Some State and Territory governments have expressed interest in applying selected parts of the PSPF in their jurisdictions. Discussions between the Commonwealth and State and Territory governments on these opportunities are continuing.

To assist agencies in implementing the new policy, the PSPF and its supporting guidelines are now publicly available on a dedicated protective security policy website at ww.protectivesecurity.gov.au. Here you will find all the necessary guidance material required to implement the PSPF at agency level. The Protective Security Policy team at the Attorney- General’s Department are also available to assist with protective security policy advice and can be contacted at pspf@ag.gov.au.

Coming into force in August, agencies are now in the transition stage, leading to full implementation by 31 July 2013.