Category: Technology (Page 10 of 11)

Tis the Season to be Jolly

IT administrators can guarantee one thing after Christmas. Employees will be coming back from their Christmas breaks talking about their holidays, showing off photos of their kids and Santa... and showing off their new toys: Android phones, iPhone 5s, iPads, Galaxy Tabs, Kindles and even some Windows Phones here and there.

Apparently device activations went up 332% on Christmas day. App downloads hit 20 million per HOUR. That’s a big wow for everyone, because it shows that Santa is a tech geek, and a LOT of people are getting tech gadgets for their presents. I mean, they just don’t wrap a book anymore, do they?

As an aside, I wonder why on earth Blackberry didn’t cash in on the Christmas spirit?

Back to our faithful IT admins: the new devices bring in an old headache. How will we control these new, shiny timebombs in the hands of executives who, through simple carelessness or plain ignorance, could send data and information into public domain hell... data that the company has spent millions trying to protect?

We believe that in 2013, MDM (mobile device management) will take a firmer hold in the collective consciousness of IT managers. These devices have, in essence, taken over from the netbooks and ultrabooks out there and should be treated as enterprise devices in their own right. Voice is no longer the primary function of these phones, as users spend less time talking and more time texting, facebooking, googling, youtubing, twittering and all sorts of new verbs invented to describe the new generation of communicating.

While we’re not a system integrator in the strict sense of the word, we do have an obligation to get up to speed with new technologies and with where we predict the industry is heading. We’ve got a few MDM solutions being tested in our lab, to see how they impact organisations. We don’t need it, yet. Our clients might. We tend to try to bust past the brochure knowledge of products and try them out on behalf of our clients even when there’s no demand yet... in that way, when we talk about technology, we talk about things we’ve experienced, not read about.

We’ll keep up the MDM subject as we enter 2013, and update on the progress on some of the solutions being tested.

IDS: A Technical Understanding

With the rapid advancement in information technology, businesses are moving to an intensive IT-integrated model. By utilizing the features of information technology, businesses are able to reach out to more audiences, regardless of geography and language barriers. This gives businesses an advantage: a larger audience at a relatively lower cost. However, the utilization of information technology is a double-edged blade, as confidential information is now stored as data on servers reachable from the Internet, rather than as printed hard copies of documents kept locked in cabinets.

To ensure continuous availability of information, the network on which the server resides is connected to an untrusted network, namely the Internet. In order to protect the information against unauthorised access, security measures need to be implemented. In this article, we will discuss firewalls and intrusion detection systems.

Difference between Firewall and Intrusion detection system

“A firewall is a device or group of devices that enforces an access control policy among networks.” Its main function is to control incoming and outgoing traffic between two networks by allowing or denying such traffic according to pre-determined rule sets. Therefore, a firewall is a preventive control, acting as keys and locks between the networks, as shown in figure 1 below:

An intrusion detection system (IDS), on the other hand, is a device or application that monitors network activities and attempts to detect suspicious activities going through the network. Consider an IDS as a burglar alarm for your office; when intruders enter your office (i.e. unauthorised access), the alarm will alert you. Therefore, an IDS is a detective control; its main function is to warn you of suspicious activity taking place, not to prevent it (refer to figure 2):

Reason for IDS

A firewall is a crucial component of securing your network. The predefined rule set within the firewall ensures that any traffic to closed ports is denied, while traffic matching the permitted rules is allowed into the network. However, this means that the allowed traffic is simply let through, and firewalls have no clever way of telling whether that traffic is legitimate and normal. This is where IDS comes into play.

Placed between the firewall and the system being secured, a network-based IDS can provide an extra layer of protection to that system. For example, monitoring access from the Internet to the sensitive data ports of the secured system can determine whether the firewall has perhaps been compromised, or whether an unknown mechanism has been used to bypass the security mechanisms of the firewall to access the network being protected.
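The check described above, as an added example that is not part of the original article: a sensor behind the firewall compares each connection it observes with the firewall's intended policy and alerts when Internet-sourced traffic reaches a port the policy should have denied. The network range, port lists and flow records are constructed for illustration.

```python
import ipaddress

# Constructed example data: the protected network and the firewall's intended
# inbound policy (destination ports the firewall is supposed to let through).
PROTECTED_NET = ipaddress.ip_network("10.0.5.0/24")
FIREWALL_ALLOWED_PORTS = {80, 443}
# Assumed "sensitive data ports" for this example: common database services.
SENSITIVE_PORTS = {1433, 3306, 5432}

# Constructed flow records as seen by a sensor placed between the firewall
# and the protected servers, one per line: "src_ip src_port dst_ip dst_port".
SAMPLE_FLOWS = """\
198.51.100.7 51514 10.0.5.20 443
10.0.5.31 40022 10.0.5.20 3306
203.0.113.45 44871 10.0.5.20 3306
203.0.113.45 44872 10.0.5.20 22
not a flow record
"""

def parse_flow(line):
    """Return (src, sport, dst, dport), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (ipaddress.ip_address(parts[0]), int(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]))
    except ValueError:
        return None

def inspect(flows_text):
    """Alert on external traffic that the firewall policy should have denied."""
    alerts = []
    for line in flows_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # skip records the sensor cannot parse
        src, _, dst, dport = flow
        external = src not in PROTECTED_NET
        if external and dst in PROTECTED_NET and dport not in FIREWALL_ALLOWED_PORTS:
            # Seen behind the firewall although policy denies it: the firewall
            # was bypassed, misconfigured or compromised. Detect only, no block.
            severity = "high" if dport in SENSITIVE_PORTS else "medium"
            alerts.append((severity, str(src), str(dst), dport))
    return alerts

if __name__ == "__main__":
    for alert in inspect(SAMPLE_FLOWS):
        print("ALERT %s: %s -> %s port %d should have been denied" % alert)
```
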

Let’s take a look at an example by comparing firewalls to locked doors (keys and locks) and IDS to alarm systems (as mentioned above). Let’s say that you have lots of confidential documents stored in a filing room within your office. The locked doors will stop unauthorized individuals from entering the filing room. By themselves, they do nothing to alert you of an intrusion, but they deter unauthorized access. The alarm system will alert you in case an intruder tries to get into the filing room. By itself, it does nothing to prevent an intrusion, but it alerts you to the potential of an intrusion. As you can see, both security mechanisms complement each other, providing better overall security for access to such confidential documents.

It should be noted that IDS should not be employed as a single security mechanism. By using a layered approach, or defence in depth, a network should have multiple layers of security, each with its own function, to complement the overall security strategy of the organization.

Conclusion

Before implementing security controls within the organisation, it is crucial to conduct a risk analysis based on the confidentiality, integrity and availability of the data. As almost no servers are immune to penetration/intrusion, it is recommended that the security mechanisms implemented are capable of minimizing the risk.

In the next article, we will talk about Intrusion Prevention System and the reason for having one within an organisation.

Web Trawling: Your life is on the Net

I remember, almost 20 years ago, a movie called “The Net” came out, starring Sandra Bullock. It was one of the first few movies dealing with information security and theft, and invalidation back in the heydays, when we thought the internet was a new brand of spandex.

Fast forward 20 years and here we are. The information highway was incorrectly named. It wasn’t a highway, or even a super highway. It is now an intergalactic, hyperspeed wormhole where every single imaginable piece of information is being collected and stored, waiting to be trawled.

Trawling is a term we often use when we want to find out more about certain people or things on the internet. We use specialised tools to help us create informational relationships, connecting the dots.

At Avant Edge, we do quite a bit of forensics work. Part of forensics is actually forming the context. If it is an individual, we’d like to know not just what’s in his laptop, but his online habits, the forums he has posted in, whether he is active on social networks, who he has been in frequent touch with, and whether he eats green or red apples. So it has to be the CIA or FBI then, right?

Nope, because most information can be obtained freely on the net. It’s scary. You can basically vanity search your own name and you’ll be surprised what’s out there. Private investigators can now conjure up scenarios based on bits and pieces found on the internet.

Web Trawling could be another branch of information audit we will be including for 2013. With some customised tools, we can basically craft relationships of an entity as we trawl entirely through the internet.

Here’s a very scary proposition, illustrating our idea:

 

 

Bring Your Own Destruction

There’s a little side bet going on between a few of us.

In 2013, two tech giants will be pitted against one another. No, not Apple and Samsung. Those are the Manchester United and Manchester City clashes. We’re talking about the Southampton and QPR clashes. The battle for survival. The clash for the wooden spoon.

RIM vs Nokia.

It’s hard to believe that not many years ago, these were the darlings of the mobile industry. Blackberries were everywhere. Nokia was the king of the crop. Now, both of them are fighting for their lives. It’s pretty sad to see it. Nokia selling off their headquarters to have money. RIM betting the farm on BB10, and seeing their stock rise a little, but still nowhere close to the heyday of almost tipping USD150 per share. Now Nokia just won a court ruling regarding the use of WiFi on Blackberries. The whole story can be found on the net, but basically, Nokia is just arguing about RIM having to pay them to put WiFi capability on the BB sets.

It’s like two scrawny kids fighting over a biscuit, when the two fat boys in the park had taken over their lunch sets.

Back in their heyday, Blackberries used to be the de facto enterprise mobile devices. It wasn’t that long ago. 3 – 4 years back. I remember it was the rage back then. Any executive worth his salt would be carrying one of those babies, which looked like ancient handsets with keypads so tiny that guys with fat fingers like me and Homer Simpson would spend longer typing an SMS than Paris Hilton spends without her makeup per year. Sorry, I ran out of useless, quirky similes.

Anyway, there was a reason why BBs were so good at the enterprise. Security. And of course, Data Compression. The whole deal about running through the Blackberry enterprise server and push email, and data compression through the Blackberry Internet server? It sounds like stone age technology now, especially after the global outage that caused outrage a year back... but back then everyone said it was a great idea, and that iPhones, with their Mickey Mouse security, would not be accepted in the enterprise till the second coming... well, I just bought my mum a Hello Kitty Samsung Limited Edition and I bet my house I can take that to work right now without any question.

But of course, there comes a whole new load of pain. BYOD. Bring Your Own Device. To drinkers, this sounds fun, because BYOB has always been in their vocab. Unfortunately BYOD causes a lot more pain for the enterprise than a couple of drunken stooges after a night of partying after closing a big deal. With BYOD comes the crushing annoyance of having spent millions in securing the perimeter, only for one stubborn executive to insist on putting all the nice confidential PDFs into iBooks and then lose it in a cab. Or having taken pictures of his latest enterprise VPN password so that he can remember it, only to lose the phone in the bar. There could be a zillion permutations of how data can be lost, compromised or destroyed through the wonderful habit of human forgetfulness and carelessness.

Whether your phone is locked or not is irrelevant. It’s like saying I locked my laptop, now nobody is going to get to my data. It’s like saying, I locked my Aston Martin. Now I’m just going to leave it in the part of the city with the highest rate of car theft and the largest population of stores selling crowbars.

There are ways to counter BYOD issues, and we’ll explore them in further articles. But as of now, companies that ignore BYOD do so at their own peril.

Nope, BYOD is here to stay, and with the imminent death of Blackberry, the last vestige of enterprise security as we know it will go down with it. Security experts will mourn for it.

A new cadre of Hello Kitty Samsung Limited Edition smartphones with Mickey Mouse security will rise up and overwhelm the enterprise landscape. We’ve been warned.

 

So much for confidentiality

Everyone has a similar story.

You print out something, then walk over to your printer located 20 meters away, shared by the four departments on your floor. Instead of your printout, you find a whole stack of other people’s printouts, and the paper has run out. You look at the print task and groan as you see another 120 pages pending. And the one who printed out that stack is nowhere to be found.

Looking further, you see, well, the stack has some pretty interesting information. Apparently it’s the entire year’s worth of financial information and also a few pages detailing employees’ pay and salary. Now you know how much your annoying colleague who just bought an Audi A8 earns, and you are really, really peeved, because you know he doesn’t do anything but play golf and suck up to upper management.

Where is the problem here?

Whatever confidentiality classification a company has put in place is out the window, when an irresponsible employee just prints out 150 pages and goes out for lunch and says, “I’ll grab it on the way back.”

An interesting article here talks about how some secret files from the UK have gone missing or been destroyed. According to the article: “The Foreign and Commonwealth Office is unable to confirm whether 170 boxes of classified documents which were returned to the UK at the end of the colonial era have been destroyed.”

Oops.

The article continues, detailing some of the acts that were done during British rule in Kenya, where prison warders apparently clubbed prisoners to death and blamed it on “Drinking too much water.”

As in, seriously. I’m not sure if that’s British humor involved in the drinking too much water part, but it’s pretty humiliating for the FCO any way you look at it.

In an application audit we did, the team found pretty good controls overall, but flagged an issue: invoices and documents containing confidential information on partners and payment details were left in a box in a common area before being moved to a more secure location. The common area was where many people on that floor walked by. Now, our client reasoned, nobody would be looking into the box without having any business with it. Also, they were all employees of the same company. And finally, it was only temporary storage, and each day, the stack would be moved to the supervisor’s cubicle for filing.

We insisted on flagging it. The assumption behind the above argument was that all employees can be trusted. And along with that assumption comes another: all employees are nice people who do what is best for the company.

Um. That’s very idealistic, like me winning American Idol and going on to become a global superstar. And chilling with Bono at a cafe. Of course we didn’t put that in our audit report.

But here’s the thing: if you’re going to spend millions on technical controls but not look into the process and people controls, you’re defeating the purpose of holistic security. The weakest link is the people; whether through deliberate malicious acts or just plain unawareness, the company takes the brunt of the oversight. Security should be approached in that holistic fashion, and that’s why IT Audits are still relevant in a world where security companies have invented automated “IT Audits”, in which you install their software and it probes for software weaknesses and “Outdated patches”. That only tells part of the story. The other part is breaking down the critical processes and the human interaction between systems and technology. Any IT Audit that does not take time to understand the business process of a company isn’t complete.

So back to the FCO: we don’t know what happened. Maybe somebody printed out the whole bunch of secret stuff and went for lunch, and somebody picked up the documents and went, “Jeez, this is going to make the honchos in the UK look like a bunch of clowns”. And also, what do you know, reveal some seriously critical military secrets. Somewhere along the way, somebody dropped the ball. It’s a human issue. Or it’s a process issue. Unfortunately, when we hear of people doing “IT Security Audits”, they take the “IT” word too literally and the “Security” word too frivolously. That in itself is worth another article.

So for now, please grab everything you print out before you head out to lunch!


© 2024 PKF AvantEdge
