CyberSecurity Institute

Security News Curated from across the world

Category: Uncategorized

Managing and Securing Mobile Devices

Posted on August 20, 2004 | December 30, 2021 by admini

As the use of handheld devices in the enterprise continues to expand, organizations will need to manage the devices to control costs and limit security risks. Forrester says now is the time for IT to take a more active role in such management.

As the use of handheld devices in the enterprise continues to expand, organizations will need to manage the devices to control costs and limit security risks. Where a limited support policy was appropriate two years ago, IT must now take on a much more active role in provisioning, supporting, and managing mobile devices. Because many employees use their own devices to store company information or otherwise ignore company mobile usage policies, companies often don’t have control of the devices, what information is stored on them, or how the information is protected.

Unmanaged mobile devices represent one of the most serious and often overlooked security threats to the enterprise. As several incidents over the past year demonstrate, the risk of information loss or theft from laptops, PDAs, phones, converged devices, and tablets is increasing rapidly. Organizations should balance the growing requirement for mobility with sensible policies on mobile usage and security, along with technology to enforce the policies.

While more organizations have mobile policies than two years ago, comparatively few companies have invested in technology to manage and protect the devices. The proliferation of laptops, PDAs, and other mobile devices in the enterprise, coupled with the explosion of wireless connectivity options, has led to significant support issues and security risks. Mobile devices are vulnerable to theft and loss, with most companies budgeting for a 20% or higher loss and failure rate for PDAs.

While the cost of replacing the devices is relatively insignificant, more and more users store sensitive information on the devices. Additionally, mobile devices can introduce viruses or worms to the corporate network.

Based on a recent Forrester survey, only 9 percent of companies have deployed mobile management tools; another 20 percent are piloting or plan to deploy mobile management tools within the next 12 months (see Figure 1 on source web page). This report will outline both the challenges posed by mobility and the steps companies can take to manage and secure the devices.

Many of corporate IT’s challenges regarding provisioning and supporting remote workers, including predominantly mobile or untethered ones, can be resolved by articulating – and periodically revising – a formal written corporate mobile usage policy. If the company is not willing to set and enforce standards, the costs and risks associated with the mobile device population could quickly spiral out of control.

Managing and Securing Mobile Devices: Best Practices

Mobile Usage And Security Policies
– Be convenient and easy for the user to follow.
– Balance productivity requirements against security and costs.
– Vary by the users’ roles and type of information they handle.
– Specify how users should synchronize information with mobile devices.
– Include guidelines for data usage and transfer.
– Summarize proper use and care of company-owned or -supported mobile devices.
– Have a definition of corporate standards for hardware selection.
– Outline standards for support of employee-purchased equipment.

Communication and User Education
User education is also critical.
– Give users some accountability.
– Make it clear what is at stake, including the user’s own information.
– Give users the necessary tools and easy means to secure the devices.
– Raise awareness by demonstrating real security risks.

Selecting Mobile Management and Security Tools
– Asset discovery to identify and track devices on the network.
– Synchronization tools for PIM, email, or enterprise data.
– Antivirus.
– Password policy enforcement.
– Remote device kill for any PDAs, laptops, or tablets with potentially sensitive data.
– Encryption.
– Client firewalls.

Forrester Recommendation: Take Immediate Steps to Secure and Manage Mobile Devices

http://www.csoonline.com/analyst/report2794.html
http://www.gigaweb.com/


Protection From the Perimeter to the Core

Posted on August 20, 2004 | December 30, 2021 by admini

Consider this: Gartner Inc. estimates that more than 70 per cent of unauthorized access to information systems is committed by employees, as are more than 95 per cent of intrusions that result in significant financial losses. The “2003 Computer Crime and Security Survey,” meanwhile, compiled by the Computer Security Institute and the FBI, found that 62 per cent of respondents reported a security incident involving an insider, up from 57 per cent in 2002. In such an environment, which is also increasingly beset by so-called blended threats that dynamically target the vulnerabilities of isolated security products, enterprises must adopt an integrated strategy that addresses network security at all tiers: gateway, server, and client.

The traditional perimeter firewall no longer provides adequate protection against intrusions and threats. In part that’s because the very definition of “perimeter” has become blurred. The addition of remote access servers, peer connections to partners’ networks, VPN servers, and wireless access points means that a once well-defined network boundary is no longer so well-defined. As a result, there are now multiple outside paths into the corporate network.

Integrated security uses the principles of defense in depth and employs complementary security functions at multiple levels within the IT infrastructure. By combining multiple functions, integrated security can more efficiently protect against a variety of threats at each tier to minimize the effects of network attacks.

Secures connections beyond the perimeter, enabling organizations to safely communicate across the Internet.

With these security technologies integrated into a single solution, an enterprise is better able to withstand a modern-day network threat, be it a malicious code attack, a denial-of-service attack, unauthorized access (either internal or external), or blended threat.

A client firewall that also includes intrusion detection and antivirus technology works this way: as information is received by the client, it is passed through the client firewall and scanned for network attacks and viruses by the intrusion detection and antivirus technologies.

Moreover, proper controls can be put in place so that, should an incident occur, they can act in a timely fashion.

Enterprises should have a policy outlining their information assets and all access rights to that information.

If relationships with outside contractors call for them to access the network, make sure the access is designated only for the specific services required.

http://www.ebcvg.com/articles.php?id=256


Wireless IDSes Defend Your Airspace

Posted on August 7, 2004 | December 30, 2021 by admini

A wide variety of these products stands ready to help identify and troubleshoot security and performance issues related to wireless technology. However, based on our tests of a range of these solutions, we believe companies should carefully assess their wireless security needs because their existing infrastructure devices may already fulfill them.

Wireless IDS solutions range from handheld products that are designed for on-the-spot troubleshooting at a point in time, to capabilities integrated into existing access points and managing switches, to distributed fleets of sensors that provide round-the-clock coverage.

Defensive overlay products enable a host of security and performance monitoring capabilities and have strong policy options that alert administrators to any signs of trouble. Defensive overlay network vendors are rapidly adding features that not only alert but also can be configured to isolate and block wayward connections over the wire or over the air.

Despite recent reports of vulnerabilities in the RADIUS (Remote Authentication Dial-In User Service) authentication mechanism upon which 802.11i is based, 802.11i goes a long way toward equalizing the security of known, managed devices on wireless networks and on wired ones. 802.11i does so by delivering strong standards-compliant encryption via AES (Advanced Encryption Standard) and port-based 802.1x authentication to WLANs (wireless LANs). [Editor’s note: Also look to 802.1x]

However, many threats remain outside the scope of 802.11i, including access points and client nodes that are loosely maintained (or are completely outside IT’s control). Employees installing their own unsecured access points on a corporate network leave a wide-open vector for LAN attacks that bypass network firewalls and wireless security measures implemented by IT. And misconfigured and unsecured client devices also represent a significant threat. With the proliferation of WLAN hot spots and wireless devices in the home, users are leveraging their wireless connections in a multitude of locations.

In tests, eWEEK Labs has encountered interesting results from a misconfigured client bridging the internal wired network and an unknown wireless network.

http://www.eweek.com/article2/0,1759,1633282,00.asp


Out of Control

Posted on August 5, 2004 | December 30, 2021 by admini

They’re vulnerable, they’re unpatchable, and they’re connected to the Internet.

After he was turned down for a job with the Maroochy Shire Council in Queensland, Australia, the 48-year-old disgruntled techie unleashed his anger in early 2000 by hacking into the town’s wastewater system at least 46 times. On two separate occasions, his electronic attacks (apparently he used a stolen laptop and a radio transmitter) led to pumping station failures that caused as much as 1 million liters of foul-smelling raw sewage to spill into parks, waterways and the grounds of a tourist resort.

But there have been other control system breaches, including, for example, a 1997 control tower shutdown at the Worcester (Mass.) Regional Airport and a Slammer-related disruption of the safety monitoring system at FirstEnergy’s Davis-Besse nuclear plant in Ohio.

Electric utilities, oil and gas refineries, chemical factories and even food processing plants use control systems to digitize and automate tasks once handled by people: opening and closing valves in pipes and circuit breakers on the power grid, monitoring temperatures and pressures in reactors, and managing assembly line machinery. And because these systems are now connected to corporate networks, their vulnerabilities serve as an entrée into the guts of the nation’s critical infrastructure. A malicious hacker or terrorist group could conceivably take down parts of the power grid, throwing the country into darkness; they could take out emergency telephone systems or disable the floodgates to a dam.

Even scarier to terrorism experts is a digital intrusion combined with a physical attack—think 9/11, but magnify the chaos by adding an electronic knockout of regional or national communication and power systems. The intent is clearly present: Raids in Afghanistan in early 2002 discovered that al-Qaida operatives had scoured websites containing information on SCADA (supervisory control and data acquisition) networks in U.S. water systems and the electricity grid. Unfortunately, the people with detailed knowledge of control systems security say no. Control systems are designed for efficiency and reliability—not security. In fact, “It requires very little knowledge” to hack into a control system, says Juan Torres, program manager of the SCADA program at Sandia National Laboratories.

Experts worry that this issue is not getting enough attention from both government and the private sector, for a variety of reasons: technical ignorance, lack of funding and perhaps the absence of a major incident to date in the United States.

Older, legacy controllers can’t handle newer security technologies such as encryption; in fact, many don’t even have enough horsepower to accept operating system updates or software patches. “How a control system works is different from an IT system, technologically,” says Joe Weiss, the former technical manager of the Electric Power Research Institute’s Enterprise Infrastructure Security program, now an executive consultant with Kema. Compounding these technical challenges are a number of entrenched cultural and management obstacles.

The people generally responsible for managing control systems are engineers who often have had little cybersecurity training—or interest.

For years, distributed control systems and SCADA systems were designed with proprietary technology, and were physically and technologically isolated from the corporate networks that run standard IT applications. Fatefully, the drive for efficiencies of cost and time led many companies to knock down the wall that traditionally separated those two types of networks. Manufacturing executives wanted to pull up real-time information from, say, their assembly lines, to monitor how efficiently their factories were running. “As the networking evolution came through and local and wide area networks were installed, they were generally installed by IT. Operations, so as not to spend double the money, started using the corporate LANs and WANs for the control networks,” Weiss says. Ultimately, this meant many control systems were connected to the Internet. Now control systems are exposed—via the Internet, intranets, remote dial-up and wireless capabilities—to hacks, worms, viruses and other dangerous payloads.

That exposure scares Jonathan Pollet, president of PlantData Technologies, who advises companies on control system security. “With each release of worms and viruses, there are more and more customers with downtime,” he says. Pollet says the Sasser worm in spring 2004 took out several oil platforms in the Gulf of Mexico for two days. “They had firewalls, but worms crawled through commonly used ports like ports 80 and 139.”

Accentuating the connectivity problem is the growing move away from proprietary software toward standardized and off-the-shelf software and hardware. In a typical corporate IT network, hundreds (or thousands) of PCs, servers and other devices are packed to the gills with processing power and memory. Because SCADA systems were designed for efficiency and ease of use, vendors enable their products to be accessed remotely—through dial-up modems, wireless handhelds and the like—so that customers will have an easier time making fixes to systems, often with no authentication required. Companies often fail to install the same security measures on control systems—such as firewalls and intrusion detection systems—that they use to protect IT systems.

Instead of waiting for market pressures to force them into building more secure systems, they could take a more proactive stance and begin making a concerted effort to beef up the security of their products, and work more closely with customers to identify and mitigate the vulnerabilities of existing systems. Various private industry and government groups are taking steps to make critical infrastructure companies more aware of the flaws in their control systems.

The National Institute of Standards and Technology and the National Security Agency established the Process Controls Security Requirements Forum (members include reps from the electric, water, chemical and oil industries, as well as government labs and control system vendors) to develop security specs for control systems. Other government agencies and major critical infrastructure industries have established working groups to address the issue. Notably, last December, the Department of Homeland Security created a new Control Systems Section inside the Protective Security Division of the Information Analysis and Infrastructure Protection Directorate.

But most managers, engineers and workers with day-in and day-out responsibilities for maintaining control systems may be a long way from putting cybersecurity on the front burner. Earlier this year, Weiss held a conference session attended by 30 to 40 people, some 15 of whom were plant managers. Weiss says that in his informal discussions afterward, every one of those managers thought cybersecurity had to do solely with the vulnerability of their e-mail systems. “They had no idea whatsoever about security around control systems,” he says.

What this article brings to light is not new and not easily going away. These control venues are actively being expanded, ever so quietly, into the MAN/WAN/LAN environments. As SAN and NAS technology increase and new tape systems abound, to name a couple, all of these devices implement new WEB/JAVA interfaces with imbedded technology. These remote sites of equipment whether they are valves or tape systems all need to be monitored, controlled, and reconfigured on a regular basis. Some of these devices, like SAN switches, may even be forgotten after the original installation while the tape drives are manipulated daily, on the open network.

Every day, more of these devices, whether HVAC, Public Utilities, IT infrastructure are all designed with ease of use capabilities. They can all be put to a closed or controlled network but that again, raises the cost.

Security has to be a conscious effort and alas, costs a little more. Some say that the cost is not worth the investment, until someone makes an example out of them.

While the article is right on in many respects, the terrorism aspect is pretty irrelevant. People don’t become terrorists because they’re smart, and you would need to be at least fairly bright and patient to exploit control system commands (or already be on the inside, like the Aussie case).

Low-tech attacks are much easier, cheaper and more efficient. For example, a single person with a rifle loaded with steel-jacketed slugs can take out an entire substation in seconds and is almost guaranteed to escape safely.

You should be aware that this lack of a uniform security standard for HMI/SCADA software has already been dealt with by the OPC Foundation – an International, non-profit standards setting organization.

Also a quick point about the actual threat risk analysis to control systems as the 2000 Australian sewage plant attack is almost always quoted as an example of the types of threats to protect yourself from but there are very few, thankfully, other stories of this type in the public domain. So these threats are either a very low risk or we have been very lucky or the incidents are happening and are not being reported.

http://www.csoonline.com/read/080104/control.html


How to Tackle the Threat from Portable Storage Devices

Posted on July 30, 2004 | December 30, 2021 by admini

This article shows which strategies and technologies organizations should adopt to manage them securely.

High data capacity and transfer rates, and broad platform support mean that a Universal Serial Bus (USB) or FireWire (IEEE 1394) device has the capacity to quickly download much valuable corporate information, which can be easily leaked to the outside world. This underlying vulnerability has existed since the release of Microsoft Windows 2000, the first widely deployed operating system able to mount a USB storage device automatically.

Intentionally or unintentionally, users can bypass perimeter defenses such as firewalls and antivirus at the mail server, and introduce malware such as Trojan horses or viruses that, if not discovered, can cause serious damage.

This means there is more risk of legal action if personal information – belonging to corporate clients or employees – ends up in the hands of an unauthorized third party. Companies are at risk of losing intellectual property and other critical corporate data. Portable storage devices are also ideal for anyone intending to steal sensitive and valuable data.

What are company requirements and strategies for deploying these devices in the workplace?
Companies should forbid the use of uncontrolled, privately owned devices with corporate PCs. The prohibition should extend to employees, and external contractors with direct access to corporate networks.

What are the best practices in managing these devices?
– Adopt a suitable security policy on using portable storage devices
– Use tools to help manage port access of USBs and FireWire
– Consider using digital rights management technology as part of a wider protection strategy for proprietary information

http://www.csoonline.com/analyst/report2714.html


Cover Your Apps – 5 Security Myths

Posted on July 7, 2004 | December 30, 2021 by admini

With firewalls and patch management now being standard practices, the network perimeter has become increasingly secure. Determined to stay a step ahead, hackers have moved up the software stack, focusing on the Web site itself. According to a Gartner analyst, more than 70 percent of cyberattacks occur at the application layer.
1. “The Web site uses SSL, so it’s secure.”
SSL by itself does not secure a Web site. SSL does not protect the information stored on the site once it arrives.
2. “A firewall protects the Web site, so it’s safe.”
Firewalls allow traffic to pass through to a Web site but lack the ability to protect the site itself from malicious activity.
3. “The vulnerability scanner reported no security issues, so the web site is secure.”
Vulnerability scanners have been used since the early ’90s to point out well-known network security flaws. However, they neglect the security of custom Web applications running on the Web server, which usually remain full of holes. Up-to-date vulnerability scanners now achieve more than 90 percent vulnerability coverage on the average network–but they sparsely target the Web-application layer because there are no well-known security issues present in custom-written Web code.
4. “Web application security is a developer problem.”
Sure, developers are part of the problem, but many factors beyond their control contribute to software security. For example, source code can originate from a variety of locations besides in-house. A company might have code developed by an offshore firm to intermingle with existing code.
5. “Security assessments are performed on the Web site every year, so it’s secure.”
The high rate of change in normal Web-site code rapidly decays the accuracy of even the most recent of security reports. As each new revision of a Web application is developed and pushed, the potential for new security issues increases.

http://www.varbusiness.com/sections/news/breakingnews.jhtml%3Bjsessionid=N241AGHB04JH2QSNDBCSKHY?articleId=22104030

