The Sony Hack: Harbinger of Things to Come?

Paula Musich

Summary Bullets:

  • Although some forensics details point to North Korean government involvement in the Sony hack, it’s impossible to tell whether it was the government or another group mimicking the North Korean government.
  • The fallout from the hack suggests the start of a new era of cyber skirmishes between governments and groups, and private enterprises could become collateral damage in the escalating battles.

Following the ongoing story of the Sony hack has all the twists and turns of a good whodunit novel. First, the FBI concluded that the North Korean government was responsible for it. More recently, bulletin board rumors, along with cybersecurity company Norse conducting its own research, concluded that it was not the work of North Korean hackers who infiltrated the Sony network, but rather a former Sony security employee who gave security credentials for Sony’s systems to the Guardians of Peace group that claimed responsibility for the hack.

Don’t Assume Your EMM Solution Includes All the Mobile Security Your Enterprise Needs

Paula Musich

Summary Bullets:

  • Not all enterprise mobility management solutions provide a full set of security controls that also include anti-malware programs.
  • Enterprises looking to secure employee- and corporate-owned smartphones and tablets should mandate the use of strong anti-malware programs as part of their defense-in-depth strategy.

Unless you’re using an enterprise mobility management (EMM) solution from an anti-malware provider such as Symantec, McAfee or Sophos, your smartphones – corporate or employee-owned – aren’t completely defended against the latest threats designed specifically for smartphones. Many EMM vendors focus their security efforts on controls such as authentication, certificate-based access control, separating personal from corporate data in containers, remote/selective wipe, and securing devices and/or apps using VPNs. But, with the exponential rise of malware focused especially on Android smartphones and tablets, is that really enough? New findings from security researchers at Palo Alto Networks and others suggest it isn’t. Palo Alto Networks’ Unit 42 researchers recently discovered a backdoor placed deliberately by Chinese manufacturer Coolpad, one of the largest China-based smartphone manufacturers. The company estimates that 24 Android models produced by Coolpad, and potentially 10 million devices, have the backdoor, nicknamed ‘CoolReaper,’ installed. The company’s researchers also believe that Coolpad modified the Android OS running in those devices so that it’s harder for anti-virus programs installed on the devices to detect the backdoor.

The Pendulum’s Swing Back to Privacy is Just Getting Started

Paula Musich

Summary Bullets:

  • The growing use of encryption, especially in smartphones, gives privacy controls back to end users, much to law enforcement’s chagrin.
  • The backlash against government snooping is just getting started, and it will only get louder with time and a potential defining event that will spur widespread calls for reform.

The government met last month with Apple executives to talk about the new encryption technology used in Apple iOS 8 and now Google’s Android Lollipop release that can block government access to information on smartphones, even if law enforcement has a court order. iOS 8 encrypts all data on the device and passcode-protects it. Data can’t be accessed without the passcode, which Apple does not have access to. The Justice Department, FBI, NSA and others are demanding access; the industry is saying customers demand their privacy. Who’s right? The widely used WhatsApp chat service also just significantly upgraded its encryption. I think the government over-reached (especially with the NSA’s Prism program) and failed to understand the gathering backlash created by the Snowden leaks, and the high tech industry, including Apple, is seeing a negative impact on business as a result of lost customer trust.

Big Surprise: A New Study Shows the Cost of Cyber Crime is Going Up

Paula Musich

Summary Bullets:

  • With the cost of cyber crime going up along with the amount of time it takes to contain an attack, organizations should rethink their security spending priorities to focus more on incident detection and response.
  • Assessing your security posture and making appropriate adjustments can help lower cyber crime costs.

The 2014 Global Cost of Cyber Crime Report came out this week, and the news is not good. But that shouldn’t be a surprise, given that about once a week now there is yet another headline announcing the latest big breach. And they seem to get bigger: 40 million customers affected in the Target breach in late 2013, 56 million in the Home Depot breach in mid-2014. The study, conducted by Ponemon Institute and sponsored by HP Enterprise Security, found that the annual cost of cybercrime increased nearly 100% over the five years it has been conducted. The study looked at 257 large companies (with 1,000 or more endpoints) in seven countries, and it found that the average annual cost of a breach is $7.6 million, with a range from $0.5 million up to $60.5 million. But what’s interesting is that the cost of cybercrime is higher for U.S. companies. A benchmark sample of U.S. companies found that the average cost per organization now stands at $12.7 million. Russian companies were added to the study this year, and they incurred the least cost – $3.3 million on average.

Intel Lures Away Cisco’s Security GM and a Top Sales VP, but Don’t Cry for Cisco

Paula Musich

Summary Bullets:

  • Despite Intel’s having lured Cisco security GM Chris Young to its ranks, Cisco retains a strong security bench and has already replaced its former all-star GM with a solid leader in David Goeckeler.
  • Intel is obviously looking for faster growth in security than what it has done so far with McAfee in its portfolio, but whether Young can replicate his success in a different culture remains to be seen.

Intel Security poached two high-profile executives from Cisco’s Security Business Group this month, including Chris Young, who was senior VP and general manager of the business unit. Chris Young’s hire came just two weeks after Intel tapped Scott Lovett, Cisco’s former vice president of worldwide security sales, to lead worldwide sales for McAfee. Lovett’s move followed close on the heels of the departure of David Frampton, general manager for Cisco’s Security Access Mobility Product Group.

Notes from the Mobility World: EMM and MADP Coopetition Is Alive and Growing

Paula Musich

Summary Bullets:

  • As you select your primary EMM or MEAP provider, keep in mind the staying power of the providers you select.
  • Focus less on managing devices and more on how you are going to secure mobile applications, streamline their delivery and preserve a good end-user experience.

Between dueling mobility-focused events at the AirWatch Connect user conference and CTIA/MobileCON, this week produced more examples of how the lines are increasingly blurring between enterprise mobility management (EMM) and the mobile app world.

Black Hat: Hacking the Internet of Things for Fun and Profit

Paula Musich

Summary Bullets:

  • Vulnerabilities abound in the wide range of elements that make up the ‘Internet of Things’ (IoT), and developers do not have the security skills necessary to code their IoT creations more securely.
  • What’s needed are security standards to help developers create more secure IoT systems and a re-evaluation of the languages they are using to develop them.

Security researchers of all stripes made their pilgrimage to Las Vegas this week for the annual Black Hat/DefCon conferences, and the biggest theme to emerge from presentations was the insecurity of the Internet of Things (IoT). Vulnerabilities were uncovered in a range of devices, including home alarm systems, smart cards, Internet-enabled automobiles, virtual desktops, smart hotel networking, control code on mobile providers’ cellular devices and, of course, POS devices.

How Much More Money Will be Lost Before Companies Begin Strategically Investing in Security?

Paula Musich

Summary Bullets:

  • Companies aren’t investing strategically in security because nobody really understands the full cost of cybercrime and it’s extremely difficult to measure risk accurately.
  • Getting investors to prod companies to take security more seriously could change that paradigm.

Here’s a thought: Why isn’t security considered a strategic investment? And could the thinking evolve over the next few years to come around to that conclusion? After all, we continually hear about how security has become a board-level issue. And CISOs are getting more airtime with the board than ever before. I think there are two main stumbling blocks to getting there, and neither is easy to overcome.

First, it’s impossible to measure the true cost of cybercrime. Last month the Center for Strategic and International Studies released a report sponsored by Intel/McAfee that pegged the global cost of cybercrime at anywhere between $375 billion and $575 billion. Of that loss, $200 billion was attributed to the U.S., China, Japan and Germany. I personally think that those figures greatly underestimate the total economic losses that result from cybercrime because they don’t take into account all the factors that make up a loss, and because a lot of breaches in which intellectual property or other valuable data are stolen are never reported.

Google’s Android and Google Play Apps Still Risky as Ever, but There Is Hope on the Horizon

Paula Musich

Summary Bullets:

  • New vulnerability exposures highlight the continuing riskiness of enabling the use of Android devices within the enterprise, but carefully crafted BYOD policies can reduce that risk.
  • Google needs to step up its mobile security practices if it truly wants to be an enterprise player.

The steady drumbeat of news regarding Android security weaknesses – whether in the OS or the applications that run on it – does not seem to be having much of an impact on Google’s security practices. It should be well known by now that the vast majority of mobile malware targets Android devices. Earlier this year, endpoint security firm F-Secure found that 99% of new mobile malware targeted Android. This week, it was revealed that most versions of Android in use today include a vulnerability that enables rogue apps to make unauthorized calls or disrupt ongoing legitimate calls. Although Google fixed the flaw in the Android version 4.4.4 that it released last month, very few Android devices run that version. Moreover, given the slow rate at which Android devices are patched or upgraded to the latest version of the OS, the vulnerability could continue to haunt the vast majority of Android smartphones for some time to come. IT, as it crafts its policies for personal smartphone use in the enterprise, can address that issue by requiring users to keep their device OS up to date in order to gain access to the enterprise network from their smartphones. IT can also investigate which handset makers are faster at upgrading their Android devices’ mobile OS and put those devices on a list of acceptable smartphones for use within the enterprise. My colleague and mobile device maven Avi Greengart tells me that both Motorola and HTC have formal pledges to rapidly update Android. Other IT folks may go so far as to allow only Apple iOS devices to access corporate networks in their BYOD policies.

Making the Case for the Security Budget Requires Creativity and Clear Communication

Paula Musich

Summary Bullets:

  • When making the case for the security budget, it is critical to find metrics that succinctly describe the value of information security and do so in business terms.
  • One of the most common methods is benchmarking against peers, although obtaining such information is not easy.

The perennial problem of how to obtain the funding necessary to keep critical enterprise assets secure is a frequent subject whenever IT security executives get together. Judging by a few surveys conducted over the last year, it appears for the most part that security budgets are increasing. A PricewaterhouseCoopers Global Information Security Survey published late in 2013 found a 51% increase in the size of security budgets over the previous year among the 9,600 executives it surveyed. The average budget was $4.3 million – almost double the average reported in the same survey for 2010.