Archive for the ‘mobile security’ category

Identity and Access Management

May 9th, 2016

Speaking at the Gartner Identity and Access Management (IAM) Conference in London, research director Felix Gaehtgens said that issuing one-time password (OTP) tokens to third-party organizations causes many problems. Some third parties, he said, even hang the OTP tokens on a wall, labelled with the name of the company each belongs to, facing a webcam.

“For employees or contractors working internally who need privileged access, having OTP is great. But not for external third-party workers,” he said. “Why? Because third parties leave OTPs on their desks; when they go on holiday they leave them for other people to use. It happens all the time.”

The biggest risk with a shared credential is the loss of accountability: once a token is passed around, actions can no longer be attributed to an individual. Companies can take various steps to secure their data.

Phone

He suggested phone-based authentication instead of OTP tokens.

“What you need to do is choose something that is hideous to share, like something linked to a particular mobile phone,” he said. “That’s because a worker isn’t going to leave his phone behind when he goes away on holiday.”

Many phone-based authentication systems are available on the market.

Dedicated person for IAM

He suggested a sponsorship approach in which internal employees act as sponsors for external workers and keep track of them.

“When I suggest this people say ‘Ooh, are you going to delegate third-party privileged access to a third party?’” said Gaehtgens. “The answer is ‘no.’ They have to make a request to your organization for access for a particular employee. But they can de-authorize their own people (for example when they leave the organization).”

Third Party Access

Providing short-term access, limited to the resources the work requires, protects the data once the work is done.

“So you need to be able to say ‘You can access this system for four hours’ and give out privileges in small chunks,” Gaehtgens said. “Instead of the general sys admin model, you need to give them just what they need.”

Access Management

Privileged access management (PAM) and shared account password management (SAPM) tools can be used to manage third-party access privileges.

IAM on the Record

When third parties have privileged access to your systems, Gaehtgens said it’s important to record at least some of their sessions. “You should let everyone know they are being recorded; at the very least this should make people less sloppy,” he advised.

“Every so often you will see a complete idiot who you never want on your systems again, as they clearly don’t know what they are doing,” he said. “But you may also learn something. Third parties may do something better than you, so you can watch what they do and use it to build up your best practices.”
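The model Gaehtgens describes (an internal sponsor opens access, the third party can only de-authorize its own people, privileges are handed out in small time-boxed chunks, the credential is bound to one phone, and every decision is recorded) can be written down as a small policy engine. The following is an added example for this page, not Gartner's or Alertsec's code; the broker class, worker names, device ids and the "billing-db" system are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Worker:
    name: str
    org: str        # "internal" for your own staff, otherwise the contractor's company
    device_id: str  # the single phone the worker's credential is enrolled on

@dataclass
class Grant:
    worker: str
    sponsor: str
    system: str
    privileges: frozenset
    expires_at: datetime
    revoked: bool = False

class ThirdPartyAccessBroker:
    """Sponsored, time-boxed, device-bound access for external workers (constructed example)."""

    def __init__(self, workers):
        self.workers = {w.name: w for w in workers}
        self.grants = []
        self.audit = []  # every decision is recorded, as the article advises

    def request_access(self, sponsor, worker, system, privileges, hours, now):
        """Only an internal sponsor may open access, and only a small chunk that expires."""
        if self.workers[sponsor].org != "internal":
            raise PermissionError("only internal employees can sponsor access")
        grant = Grant(worker, sponsor, system, frozenset(privileges),
                      now + timedelta(hours=hours))
        self.grants.append(grant)
        self.audit.append((now, "grant", sponsor, worker, system, sorted(privileges)))
        return grant

    def deauthorize(self, requester, worker, now):
        """A third party may revoke its own people, never another org's; internal staff anyone."""
        req_org = self.workers[requester].org
        if req_org != "internal" and req_org != self.workers[worker].org:
            raise PermissionError("cannot de-authorize a worker of another organisation")
        live = [g for g in self.grants if g.worker == worker and not g.revoked]
        for g in live:
            g.revoked = True
        self.audit.append((now, "revoke", requester, worker, len(live)))
        return len(live)

    def check_access(self, worker, device_id, system, privilege, now):
        """Allow only from the enrolled device while an unrevoked, unexpired grant covers it."""
        w = self.workers.get(worker)
        ok = w is not None and w.device_id == device_id and any(
            g.worker == worker and g.system == system and not g.revoked
            and privilege in g.privileges and now < g.expires_at
            for g in self.grants)
        self.audit.append((now, "access", worker, device_id, system, privilege, ok))
        return ok

def demo():
    """Constructed walk-through: a four-hour read-only grant for a contractor."""
    t0 = datetime(2016, 5, 9, 9, 0, tzinfo=timezone.utc)
    h = lambda n: t0 + timedelta(hours=n)
    b = ThirdPartyAccessBroker([
        Worker("alice", "internal", "phone-alice"),         # internal sponsor
        Worker("bob", "AcmeContractors", "phone-bob"),      # external worker
        Worker("carol", "AcmeContractors", "phone-carol"),  # admin at bob's employer
    ])
    b.request_access("alice", "bob", "billing-db", {"read"}, hours=4, now=t0)
    r = {"in_window": b.check_access("bob", "phone-bob", "billing-db", "read", h(1)),
         "other_device": b.check_access("bob", "shared-tablet", "billing-db", "read", h(1)),
         "outside_chunk": b.check_access("bob", "phone-bob", "billing-db", "write", h(1)),
         "after_expiry": b.check_access("bob", "phone-bob", "billing-db", "read", h(5))}
    try:  # a third party cannot grant access itself, only ask the sponsor for it
        b.request_access("carol", "bob", "billing-db", {"read"}, hours=1, now=t0)
        r["third_party_granted"] = True
    except PermissionError:
        r["third_party_granted"] = False
    r["revoked_by_own_org"] = b.deauthorize("carol", "bob", h(2))  # bob leaves Acme
    r["after_revoke"] = b.check_access("bob", "phone-bob", "billing-db", "read", h(2))
    return b, r
```

The audit list left behind by `demo()` is the equivalent of the session record the article recommends: every grant, revocation and access decision, allowed or denied, is attributable to a named person and device.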

————————————————————————————————————————————————————-

Alertsec is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.

Hackers and Sensitive Data

March 4th, 2016

In today’s hacking world, attackers can gain access to sensitive data with little effort. “It’s a bit depressing,” said Chandra Rangan, vice president of marketing, HPE Security Products at Hewlett Packard Enterprise, discussing some of the findings published in HPE’s Cyber Risk Report 2016.

“Attackers are lazy. They want maximum bang for the buck, so they will go for low-hanging fruit,” Rangan said, noting that the most exploited bug in 2015 was over five years old. It was also the top bug in 2014.

According to the new findings, all of the top 10 vulnerabilities leveraged by attackers in 2015 were more than a year old, and half of them were at least five years old.

According to Rangan, there is a shift in which applications, rather than servers or operating systems, are becoming the primary attack vector.

Mobile Insecurity

According to the report:

  • 95 percent of newly discovered malware samples were found on Microsoft Windows
  • 42 percent of exploits targeted Microsoft Windows
  • 18 percent of exploits targeted Android
  • 12 percent of exploits targeted Java
  • 11 percent of exploits targeted Microsoft Office
  • 14 percent of exploits targeted Adobe products, evenly divided between Flash and Reader
  • 75 percent of the mobile apps scanned by HPE had at least one vulnerability

Some software developers “seem to be making a tradeoff between speed and security,” Rangan said. “There is a whole new crop of app developers, and they are saying ‘how quickly can I get this app to market and how quickly can I monetize it?’ When you are in that mode, you are less likely to use the development processes and methodologies that include multiple security checks.”

“You do not need to make a tradeoff, and you do not need to use the old-school waterfall development model. There are plenty of technologies out there where you can build security into the very fabric of your apps.”

Alertsec strengthens security

Alertsec has created a web-based encryption service that radically simplifies deployment and management of PC encryption by using industry-leading Check Point Full Disk Encryption (formerly Pointsec) software.

Organizations, especially corporate giants, have to have an information security policy in place that proves they have taken the necessary steps and measures to safeguard the information they gather. If these policies are not adhered to, regulators may prosecute.

————————————————————————————————————————————————————-

Alertsec Xpress is used by organizations that have recognized the need to protect their information. Customers range from single-user sole traders and consultants to multinational companies with a large number of offices around the globe. Over 4 million users worldwide use Alertsec Xpress’s Check Point Full Disk Encryption.

Cybersecurity Insights from SC Congress

March 2nd, 2016

The recent SC Congress emphasised cyber insurance and new approaches to security patching.

Experts discussed some of the current and emerging issues in cybersecurity.

Cyber Insurance

Most of the panel on cyber insurance believed that the legal wording of policies, exclusions and other factors make cyber insurance expensive while offering no guarantee of the expected benefits in the event of a data breach.

“I’ve never been a fan of insurance; getting the right coverage is always an uphill fight,” said Winn Schwartau, CEO of The Security Awareness Company. “We’ve been at war, but acts of nation-states are excluded by insurance, as are acts of war and acts of God. Is ISIS a nation-state?”

Same Old Cybersecurity Threats

Even though new, deeper threats keep appearing, many of the cybersecurity vulnerabilities seen today have existed for years.

According to Jeffery Ingalsbe, CISO of broker management firm Flexible Plan Investments, in many ways there is nothing new under the sun.

Security Patches

“The problem is that companies are continuing to patch the same way. They’ve had problems with organization and prioritization of patches. They need to understand how to patch and unpatch so as not to impact the users,” Rushing said.

High Cybersecurity Standards

When it comes to securing the network, companies need to score closer to 99.9999 percent in order to be considered safe.

Test Security Software

Don’t try to integrate during a proof of concept, or there could be other network issues, added Richard Lafosse, CISO for Cook County, Ill. “Evaluate more than one vendor and remember that the contract terms are king.”

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.


Phishing Scam and Data Breach

February 22nd, 2016

Saint Joseph’s Healthcare System in New Jersey suffered a data breach after it was targeted by a phishing scam. According to its statement, more than 5,000 employees at some of its facilities may have been exposed to identity theft.

According to St. Joseph’s Vice President of External Affairs Kenneth Morris Jr., facilities in Paterson, Wayne and Cedar Grove were affected. Patient data and medical information are safe, but employees’ names, Social Security numbers and earnings for 2015 and 2016 were potentially accessed. Dates of birth, home addresses and banking information were not affected.

According to Morris, there was no indication that the phishing scam was an internal crime; the attack came from an external source. He added that the scam email purported to come from a named company executive at an internal email address.

“There was no intrusion or breach of our internal IT system,” he explained. “None of that data was compromised.”

The healthcare system said that affected employees will receive free credit monitoring. Local and federal authorities were notified, along with the system’s insurance carrier.

“Our primary focus is really protecting our employees and their credit health,” he said. “In addition, we’re putting the proper protocols in place so that this doesn’t happen again.”



Mobile Authentication and System

February 16th, 2016

Biometrics and multi-factor authentication are two ways to control access to sensitive enterprise systems from mobile devices. Security plays a growing role in the mobile devices we use every day, and authentication technology keeps evolving, with more and more security layers being added.

Biometric Authentication

Biometric authentication relies on individuals’ unique biological characteristics, such as the retina, voice, fingerprint or signature, to verify identity for secure access to mobile systems.

Advantages:

  • With biometric authentication, users never have the problem of a forgotten password
  • It is easy to use
  • It is reliable

Disadvantages:

  • It introduces a high level of dependency within your organization
  • It is expensive and inconvenient, as initial provisioning of users requires a tamper-proof process to link identity and biometric data
  • Employees may no longer be able to log in from devices other than their company-issued devices

Multi-factor Authentication

Adaptive multi-factor authentication (MFA) on a mobile device builds on a system such as a user name and password by adding further factors.

Advantages:

  • It limits an attacker’s opportunities to compromise the system
  • Employees can always carry their device with them

Disadvantages:

  • It has a painful enrollment process
  • It still has some level of dependency, with users relying on a modem or web dispatch service to deliver codes


Apps for iPhone Security

February 14th, 2016

Apple blocks full anti-virus apps from its App Store. According to the company, “Every iOS device combines software, hardware and services designed to work together for maximum security and a transparent user experience”. Still, there are apps that can improve security.

iPhone

Find My iPhone (free) within iCloud is crucial to ensuring the security of your iOS device. You can activate it on your device at Settings -> iCloud -> Find My iPhone.

McAfee Mobile Security

McAfee Mobile Security (free) lets users back up and restore contacts, locate a lost or stolen iOS device on a map, wipe contacts remotely from a lost or stolen device, and trigger a loud alarm on a lost or stolen device.

iDiscrete

iDiscrete (paid) is a digital safe that enables iPhone users to secure a wide variety of file types, so that an unauthorized user sees only a fake “loading” screen.

Spam Arrest

Spam Arrest (paid) requires everyone who sends you an email to respond to a query to confirm their identity.

SplashID Safe

SplashID Safe (free) enables secure storage of online passwords, credit card data, account numbers, registration codes etc.

Private Internet Access

Private Internet Access (free) provides an encrypted VPN service to protect user privacy and security at Wi-Fi hotspots.


Employee Theft and Data Breach

December 16th, 2015

Oregon-based Northwest Primary Care (NWPC) sent data breach notifications to approximately 5,300 patients after personal information was inappropriately accessed by a former employee. According to the report, the former NWPC employee stole patient names, dates of birth, Social Security numbers, and credit card numbers.

“Northwest Primary Care will not tolerate any violation of our patients’ privacy,” NWPC Administrator Michael Whitbeck said in the press release. “The former employee in connection to this violation deliberately and criminally chose to violate established clinic policies, the trust of our patients and the law. We deeply regret that this crime has occurred and for any burden that this incident may cause.”

Whitbeck added that this type of data security breach “is unacceptable,” and that NWPC will support the law enforcement investigation into the incident.

The organization said that it will make additional changes to its approach to security, expanding its technology monitoring capabilities and employee training, specifically training “on safeguarding and accessing patient records to further bolster privacy safeguards.” Technical precautions will also be added in an effort to better ensure patient privacy.

From the statement:

NWPC is an Oregon Family Practice medical clinic that serves the Milwaukie, Clackamas, Sellwood, and Oregon City area. The practice performs reference checks on all employees. Additional background checks are performed for highly sensitive positions, including positions with access to financial data. NWPC has comprehensive policies and procedures, as well as a Code of Conduct, which prohibit employees from accessing patient records when there is not a work-related reason to do so.


Centegra Health System Data Breach

December 14th, 2015

Centegra Health System sent data breach notifications to 2,929 patients after a mailing error may have exposed some of their personal information.

Medical bills detailing “limited” personal information of 3,000 Centegra Health System patients recently were sent to the wrong addresses because of a mail room error at a third-party contractor, a Centegra spokeswoman said.

At the vendor, MedAssets, the automatic mail filing equipment was accidentally changed, which caused two Centegra billing statements to be put in one envelope.

“Centegra Health System and MedAssets apologize for this error and are committed to fully protecting patient privacy,” Green said. “Centegra is working closely with MedAssets to ensure it has taken every step necessary to address the incident.”

Affected information included patient names, addresses, account numbers, original account balance, third-party payment, billing discounts and adjustments, and the amount owed. Hospital service dates, a summary of services provided and related charges were also included.

Green said that although 6,000 Centegra patients were affected by the error, only half received two billing statements: one for their own hospital service and a second detailing another patient’s service.

There is no reason to believe that the exposed information was inappropriately used, she said.


Security Tech Procurement Tips

December 12th, 2015

Ricardo Lafosse, CISO for Cook County, Ill., said that procuring enterprise security technology is an involved process that requires numerous steps to ensure it goes smoothly. He offered the following tips for CISOs.

Ask Yourself Why

Lafosse said that before purchasing, you should identify why you need the technology and how you came to that conclusion.

“You always want to buy the shiny new toy,” he said. “They look cool, but you don’t just go out and buy it.”

Ask Peers

“What’s really key are your peers,” he said. “I cannot stress this enough. Everyone deals with these [security] issues. In the Chicago area, we have a lot of great resources. We have our CISO group and a multi-state group. It is key to be a part of it because you can bounce ideas off everyone in an informal process. You get that actual first-hand experience from your peers.”

Analysis

Start with a needs analysis before going out to the market, Lafosse said.

Consider Staff, Integration Requirements

Ensure that the new technology provides a good operational fit, he said.

Budget

“Unfortunately, we have a lot of examples,” he said. “Use those to your benefit as much as you can from a budgetary perspective. Demonstrate operational efficiency when looking for a new product. For example, if you are going to implement product X, you will reduce the help desk time to remediate by 20 percent. Having those rough numbers goes a long way.”

Business Case

“Re-emphasize why you are making this purchase,” he added. “For us, we used the figure from Ponemon of $154 per breach. The network access control was also going to allow people to self-service.”

The self-service capability was critical because Lafosse has only three people in his department.

“One of the key attributes for any new procurement is automation,” he said. “The security controls need to share information with each other. The more automation, the easier it is for us to protect our network.”

Guidelines

“Be candid with vendors. If you don’t like the solution, tell them,” Lafosse said. “Don’t waste your time, don’t waste their time. Offer clear-cut guidelines. It’s not fair if you don’t set rules of engagement upfront. If you are seeing everything move south, let the vendor know right away.”


Five Tips for Stronger Encryption

December 10th, 2015

NSA whistle-blower Edward Snowden’s revelations have cast doubt on the security of many encryption products.

The following methods help safeguard your data.

Encryption Ciphers

Robert Former, senior security consultant for Neohapsis, an Illinois-based security services company, says that organizations should stop using older encryption algorithms like the deprecated DES (Data Encryption Standard), and even its relative Triple DES, which is simply DES applied three times to each data block.

“In the last 30 years, no one can prove that the NSA did more than influence minor changes in their development. The bottom line is that in most cases the NSA appears to have actually improved the math.”

Longest Encryption Keys

Use the maximum key lengths possible to make it difficult for those who don’t have access to a back door to crack your encryption. “Today AES 128 is strong, but I say go to 512 or the highest key strength you can implement using what you have today,” Former says.

External Factors

External factors over which companies have very little control can compromise the security of encryption systems.

Encrypt in Layers

“I say if there is a way to encrypt, then encrypt. That means in your database encrypt each field, each table, then the whole database. You have to make it so hard for an attacker that it is not worth the effort,” he advises.

Encryption Keys

“If you can implement an encryption system where you control the keys to the data stored in the cloud, then that is going to be much more secure,” says Dave Frymier, chief security officer at IT services company Unisys. Devices such as cloud encryption gateways that handle the encryption to and from the cloud automatically can help companies achieve this sort of security.
