Saturday, September 23, 2017

Tag: BYOD

Bring your own device (BYOD), also called bring your own technology (BYOT), bring your own phone (BYOP), and bring your own Personal Computer (BYOPC), refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications. BYOD usage is primarily driven by perceived enjoyment. The phenomenon is commonly referred to as IT consumerization.

BYOD is making significant inroads in the business world, with about 75% of employees in high growth markets such as Brazil and Russia and 44% in developed markets already using their own technology at work. Surveys have indicated that businesses are unable to stop employees from bringing personal devices into the workplace. Research is divided on benefits. One survey shows around 95% of employees stating they use at least one personal device for work.

Humans still the weakest link. South Korean cyber-cops are probing a hacking attack on Bithumb, one of the world's biggest Bitcoin exchanges.…
A study released today gives greater insight into some of the worst fears for security pros trying to manage employees' BYOD mobile phones.
The legal fight between Apple and Qualcomm on licensing modem technology is turning uglier every day. Apple has filed lawsuits against Qualcomm in countries like the U.S., U.K., China and Japan, accusing the chipmaker of using its dominant market pos...
A U.S. Federal Communications auction of repurposed television spectrum has raised US$19.8 billion and will pave the way for mobile carriers to offer faster and more reliable service across the country. The 70MHz in new spectrum available will allow ...
Medical professionals use stethoscopes to help diagnose problems inside the body. With Netflix's newly open-sourced Stethoscope web application, users receive a security checkup for their mobile and computing devices without having to call IT. Alth...
Apple plans to start assembling the iPhone in Bangalore by end April under a contract manufacturing arrangement with Taiwan’s Wistron. The move by the company comes even as it awaits approval from the federal government for some of its proposals for lowering the import duties on components and for creating an ecosystem of local manufacturers who can supply components for the smartphones, according to sources close to the situation. The Karnataka state, of which Bangalore is the capital, has announced Apple’s intentions to make the iPhone in the city.
When I talk to IT managers, I almost always hear fears of mobile devices as conduits for sensitive corporate data to leave the company.
I don’t know why I keep hearing this.

There’s simply no evidence to support this fear.
In fact, there’s solid evidence that says mobile devices are not a significant—or even moderate—risk factor. Every year, I check the Identity Theft Resource Center’s database of personally identifying information (PII) breaches, which require disclosure by both state and federal laws.
I’m sure many losses go unreported, and the database doesn’t cover corporate information not containing PII.

But if mobile devices were a conduit to data loss, they should show up in this database. Mobile-linked breaches haven’t shown up in previous years, and they didn’t show up again in 2016—despite the fact that nearly everyone these days uses a smartphone. What does show up? Paper records, thumb drives, external hard drives, laptops, hacks into databases and storage systems, and successful phishing attempts. Many of the reported breaches involve lost papers, drives, and laptops, where a data thief probably wasn’t involved.

But many involve active hacking of IT systems where data theft is the goal.

And some involve insiders (contractors and ex-employees) stealing data to use themselves, bring to new employers, or—least often—sell to others. None of the lost, stolen, or compromised devices were smartphones or tablets.

That’s probably because encrypted devices need not be reported; they’re presumed safe. iPhones and iPads have long encrypted their contents, and professional-grade Android devices have done that in recent years.
In both cases, a simple IT policy can enforce that encryption.
It doesn’t take a fancy mobile security tool; Microsoft Exchange can do the trick. Well, there was one data breach involving a smartphone: A former hospital manager, after resigning, took patient-identifying information by forwarding certain documents such as patient lists to her personal email account.
She had work email set up on her personal smartphone—a common BYOD scenario—and simply forwarded the work emails to her personal email account.

That’s not a mobile-specific issue—she could have done that from a work computer or a home computer. IT’s remedy for this case is the same no matter the device running the email app: Use restricted email accounts where possible and data loss prevention (DLP) tools where not to identify and perhaps prevent such odd email usage.

And don’t distribute PII or other sensitive information in routine documents in the first place! Also not in the breach list were the cloud storage services that IT managers fret about after they’re done worrying about mobile devices: Apple iCloud Drive, Box, Dropbox, Google Drive, and Microsoft OneDrive. But that omission may be misleading because if a lost (unencrypted) laptop has stored the access credentials for such services—which is common—then the data on that cloud drive is available to a data thief, just as the locally stored data is.

The Identity Theft Resource Center database doesn’t go into great detail of each case, but because a lost (unencrypted) laptop is presumed to be a data breach, that breach extends to any data on that laptop, including cloud-accessed data. Still, we didn’t see cases of these popular cloud storage services as the specific vector of a data breach—despite frequent IT fears to the contrary. In this day and age, IT pros have plenty of security threats to deal with.

Active hacking is the biggest threat, of course, and should get the lion’s share of the resources. The client side should be addressed but not dwelled on. Of the clients in use, mobile is the least risky.

Based on the actual risks, a good place to start is securing laptops, then external drives that people use when they don’t have access to a corporate cloud storage service.

Those devices comprise the biggest client risk.

Encryption is your main line of defense for these devices—for cloud storage, too. For the much smaller risk posed by mobile devices, mobile management tools are both mature and effective; there’s no excuse not to have them in place already.
Arxan Technologies, a provider of application attack prevention and self-protection software, on Jan. 11 announced the acquisition of Apperian, which makes mobile application management and security software. Terms of the transaction were not disclosed by either company. Arxan is adding much-needed mobile security management capabilities.

Apperian's platform provides granular security and policy controls at the individual application level for deployments in the enterprise and in supply chains where traditional mobile device management-based approaches are not possible or desired.

These instances include such factors as BYOD, contract workers and other unmanaged devices. Its platform has enabled more than 2.5 million enterprise app installations and earned 12 granted and pending patents.

Apperian claims that its contracted user base has grown by more than 180 percent in the last 24 months.

Apperian to Operate as Subsidiary

Apperian will continue to operate as a subsidiary of Arxan and will be led by long-time Apperian executive, Mark Lorion, who will become president and general manager for Apperian. Apperian was founded in 2009 and backed by investors Bessemer Venture Partners, Kleiner Perkins Caufield & Byers, North Bridge Venture Partners and Converge Venture Partners.

The company has become one of the mobility industry's key platforms for securely distributing enterprise mobile apps and has been listed as a representative vendor in the Gartner Market Guide for Mobile Application Management. "Companies that simply want to manage apps, app licenses and operate a branded app store are well-served with stand-alone MAM tools," Gartner has reported. "These tools are also a fit for large populations of nonemployees (like contractors) for whom the organization cannot insist upon installation of an MDM profile.” San Francisco-based Arxan claims that its patented IT defends applications against attacks, detects attempted attacks at runtime and deters attacks by stopping, alerting or repairing detected attacks.

Arxan software runs on mobile devices, desktops, servers, and embedded platforms, including those connected as part of the Internet of Things (IoT).

Mobile Expertise Welcome at Arxan

With the majority of Arxan customers also having enterprise mobile apps, the company contends that its users will benefit from easy access to Apperian's products to securely deploy those apps to all potential users–whether or not those users are using MDM-enrolled devices. "We share an app-centric philosophy with Arxan and believe that mobile apps should be protected so that they can be safely distributed to any user leveraging any device," Lorion said. "Enterprises are realizing the significant benefits of applying security and management at the app-level to maximize the secure adoption and reach of their mobile apps."
Forrester predicts that more than 500,000 internet of things (IoT) devices will suffer a compromise in 2017, dwarfing Heartbleed.

Drop the mic—enough said. The sheer velocity with which distributed denial-of-service (DDoS) attacks spread through common household items such as DVR players makes this sector scary from a security standpoint. “Today, firms are developing IoT firmware with open source components in a rush to market. Unfortunately, many are delivering these IoT solutions without good plans for updates, leaving them open to not only vulnerabilities but vulnerabilities security teams cannot remediate quickly,” write Forrester analysts. The analyst firm adds that when smart thermostats alone exceed over 1 million devices, it’s not hard to imagine a vulnerability that easily exceeds the scale of Heartbleed.
Security as an afterthought for IoT devices is not an option, especially when you can’t patch IoT firmware because the vendor didn’t plan for over-the-air patching. Alex Vaystikh, co-founder/CTO of advanced threat detection software provider SecBI, says small-to-midsize businesses and enterprises alike will suffer breaches originating from an insecure IoT device connected to the network.

The access point will be a security camera, climate control, an old network printer, or even a remote-controlled lightbulb.

This was demonstrated in September in a major DDoS attack on the website of security expert Brian Krebs.

A hacker found a vulnerability in a brand of IoT camera and caused millions of them to simultaneously make HTTP requests from Krebs’ site.  “It successfully crashed the site, but DDoS attacks are not a great way to make money. However, imagine an IoT camera within a corporate network being hacked.
If that network also contains the company’s database center, there’s no way to stop the hacker from making a lateral move from the compromised camera to the database,” Vaystikh said. “This should scare organizations into questioning the popular BYOD mentality. We are already seeing a lot of CCTVs being hacked within organizations.”  Florin Lazurca, senior technical manager at Citrix, believes that consumers will be a target of opportunity in 2017.
Innovative criminal enterprises will devise ways to monetize on potentially billions of internet-facing devices that many times do not meet stringent security controls. “Want to browse the internet? Pay the ransom. Want to use your baby monitor? Pay the ransom. Want to watch your smart TV? Pay the ransom,” Lazurca says. Mike Kelly, CTO of Blue Medora, agrees, stating that, “the inability to quickly update something, such as your home thermostat, is where we will see the risk.
It’s not about malware getting on the devices, the focus will need to be on the ability to remediate the issue. Like we saw with Windows, there will be a slew of vulnerabilities, but unlike with a computer, patching won’t be as easy with IoT devices,” he says. More connected devices will create more data, which has to be securely shared, stored, managed and analyzed.

As a result, databases will become more complex and the management burden will increase.

Those organizations that can most effectively monitor their database layer to optimize peak performance and resolve bottlenecks will be in a better position to exploit the opportunities the IoT will bring, he says. Lucas Moody, CISO at Palo Alto Networks, says security has to be baked into the IoT devices – not be an afterthought.

The bloom of IoT devices has security practitioners in the hot seat, with industry analysts suggesting a possible surge up to 20 billion devices by 2020. “Given the recent upward trend in both frequency and intensity of DDoS attacks of late, 2017 will introduce an entirely new challenge that security teams will need to contend with; how do we secure devices, many of which are by design dumb and, for that matter, cheap?,” he says.  Large corporations are still challenged with finding security talent to manage security in the “traditional” sense, leaving IoT startups to fend for themselves in a digital economy.  Moody asks, can they keep up? For the interconnected future of cars, televisions and refrigerators, maybe, but maintaining the security of smaller – and seemingly less critical items – such as toasters, thermostats, and pet feeders, it seems unlikely. “Security has to be baked into these technologies from the conception and design stages all throughout development and roll-out.
Security practitioners will need to do more than just scramble to develop strategies to address this pivotal trend,” he says. Corey Nachreiner, CTO at WatchGuard Technologies, predicts that IoT devices will become the de facto target for botnet zombies. With the sheer volume of internet-connected devices growing every year, IoT represents a huge attack surface for hackers. More disturbingly, many IoT manufacturers do not create devices with security in mind, and therefore release devices full of potential vulnerabilities. Many of their products have vulnerabilities that were common a decade ago, providing easy pickings for cyber criminals. Many IoT devices coming on the market have proprietary operating systems, and offer very little compute and storage resources. Hackers would have to learn new skills to reverse engineer these devices, and they don’t provide much in terms of resources or data for the attacker to steal or monetize. On the other hand, another class of IoT products are devices running embedded Linux.

These devices look very familiar to hackers.

They already have tools and malware designed to target them, so “pwning” them is as familiar as hacking any Linux computer. “On top of that, the manufacturers releasing these devices seem to follow circa 2000 software development and security practices. Many IoT devices expose network services with default passwords that are simple for attackers to abuse,” Nachreiner says. He cited the leaking of the source code for the Mirai IoT botnet.

This botnet included a scanner that automatically searched the internet to find unsecured, Linux-based IoT devices, and take them over using default credentials. With this leaked code, criminals were able to build huge botnets consisting of hundreds of thousands of IoT devices.

They used these IoT botnets to launch gigantic DDoS attacks that generated up to 1Tbps of traffic; the largest ever recorded. In 2017, criminals will expand beyond DDoS attacks and leverage these botnets for click-jacking and spam campaigns to monetize IoT attacks in the same way they monetized traditional computer botnets.

Expect to see IoT botnets explode next year, he says. Mike Davis, CTO at CounterTack, believes IoT will continue to be a part of the threat conversation in the coming year, but fundamentally there will be a massive change in the risks associated with the devices—it won’t be about security, it will be about patching.

Hold your IoT security hyperbole

Stan Black, CSO at Citrix, says we need to dispel security myths around emerging technology like IoT, machine learning and artificial intelligence. “Many people are afraid to adopt these emerging technologies for fear that they may be their security downfall, but as with any technology, the same security 1-2-3s apply.

Change the admin username and password, allow and enable devices on separate networks (separate from the networks used to pass sensitive data), create management and access policies, and above all, make sure that employees are educated about how, when and where to use these kinds of technologies,” he says.  Adoption of emerging tech like IoT can actually have more security benefits than challenges, if implemented correctly, Black says.

The same goes for machine learning.

The security wave of the future includes these technologies, so it’s best for businesses to learn about them early, learn about the benefits and reap the rewards of clouds, devices and networks that can learn from, and adapt to, changing behaviors to make for a stronger security posture. The wave of the future will be computers that can grant or deny access based on fingerprinted keyboards that can sense the normal amount of pressure your fingers normally apply.

Taking advantages of benefits like these will help companies move to a new security infrastructure and mindset, he predicts.  “The mobile devices we depend on every day are loaded with sensors, heat, touch, water, impact, light, motion, location, acceleration, proximity, etc.

These technologies have numerous applications including sensing motion and location to ensure people are safe when they travel,” Black adds. These devices are rarely protected or maintained with the same vigor as corporate IT systems, making them generally more vulnerable to being compromised and drafted into a zombie army.

This situation is nothing new, but in the next year we can expect to see “personal networks of things” reside in homes with gigabit internet connections—like those offered by Google and AT&T—and so make home networks far more interesting, especially if vulnerabilities in popular home devices can be exploited mechanically (e.g., how the Mirai botnet was built). Consumers will need to protect their personal networks from this new version of Mirai botnets, creating demand for services that safeguard them. More importantly, vendors will need to adopt better standards for protection of devices.
If the Mirai botnet is any indication, the lack of security in device design is still quite profound, Black says.

Speaking of standards

Steven Sarnecki, vice president of federal and public sector at OSIsoft, pointed to the National Institutes of Standards and Technology’s (NIST) National Cyber Center of Excellence for a glimpse of what is to come. NIST is currently piloting a project to assess how energy companies can better utilize connected devices to integrate and increase security with hopes of sharing those best practices and insights across the energy sector. “As more companies wake up to the reality of IoT security threats, these solutions will become more commonplace, enabling enterprises to markedly increase their security footprint with only minimal incremental cost,” he says. Sarnecki adds that in 2017 he would expect a large portion of IoT users, especially within the enterprise and industrial spaces, to begin to seriously consider the “internet of threats” aspect posed by IoT to their networks.

Energy companies, water utilities, and many other critical infrastructure sectors rely on connected devices to support their missions. Jeannie Warner, security manager at WhiteHat Security, agrees that new guidelines will emerge from organizations such as NIST requiring that application security vendors partner with device manufacturers and testing labs to deliver secure IoT systems.  “The internet of things is growing daily, with smart devices and controlling applications at the core of every business from healthcare to smart cars and smart buildings.
It’s essential to protect smart anything from attackers attempting to exploit their vulnerabilities,” she says. In the same way manufacturing safety testing via the American National Standards Institute controls new releases in devices, she believes NIST SP 800 or a similar body will form guidelines for a comprehensive security assurance through the integration of dynamic application scanning technology and rigorous device controls testing. Commonalities in all IoT systems include controls for tracking and sensing interfaces, combined with web- or mobile-enabled control applications that combine to expand the borders of the security ecosystem, she says. New guidelines will (ideally) force more application security vendors to partner with device control testing labs to support manufacturing earlier in the development process, helping the innovative organizations to manage risk by identifying vulnerabilities early in development, continue to monitor challenges during testing, and help release more secure products.

Big data

The enterprise has paid attention to IoT for some time, though 2017 will be the year we move past the “wow” phase and into the “how do we securely and effectively bring IoT to the enterprise, how do we handle the high speed data ingest, and how do we optimize analytics and decisions based on IOT data,” says Redis Labs Vice President of Product Marketing Leena Joshi. Mark Bregman, Chief Technology Officer at NetApp, believes 2017 will be about capitalizing on the value of data.

The explosion of data in today’s digital economy has introduced new data types, privacy and security concerns, the need for scale and a shift from using data to run the business to recognizing that data is the business. Off-line data analytics and threat hunting become endless money pits, says Gunter Ollmann of Vectra Networks. “We’re told, and we observe, that each year our corporate data doubles.

That power-of-two exponential growth, after merely four years of storing, mining, and analyzing logs for threats, means a 16-fold increase in overall costs—with an accompanying scaled delay in uncovering past threats.” Cybersecurity will be the most prominent big data use case, says Quentin Gallivan, CEO of Pentaho, a Hitachi Group Company.

As with election polls, detecting cybersecurity breaches depends on understanding complexities of human behavior.

Accurate predictions depend upon blending structured data with sentiment analysis, location and other data. This then opens another door for hackers. WatchGuard’s Nachreiner says attackers will start leveraging machine learning and AI to improve malware and attacks. “In the past few years, cyber security companies have started leveraging these technologies to help defend our organizations. One of the big problems in infosec today is we are too reactive, and not predictive enough when it comes to new threats.
Sure, once we recognize a piece of malware or a new attack pattern, we can design systems to identify and block that one threat, but hackers have become infinitely evasive.

They have found techniques that allow them to continually change their attacks and malware so regularly that humans and even basic automated systems can’t keep up with the latest attack patterns. Wouldn’t it be great if we had technology that predicted the next threats instead?,” he says. Machine learning can help us do just that.

By feeding a machine learning system a gigantic dataset of good and bad files, or good and bad network traffic, it can start to recognize attributes of “badness” and “goodness” that humans never would have noticed on their own. “Next year, I expect the more advanced cyber criminals to start somehow leveraging machine learning to improve their attacks and malware,” he says, adding that today, both good and bad guys have easy access to open source machine learning libraries like Google’s TensorFlow. The security community as a whole will utilize big data more effectively in order to identify trends and threats, predicts Matt Rodgers, head of security strategy at E8 Security. “Organizations have the information they need, but they cannot find it.
In 2017, companies will start looking at their data sets through advanced analytics to identify trends and risks.

Big companies are already starting to augment their existing SIEM technology with behavior analytics capabilities to this end,” he says. This story, "Data breaches through wearables put target squarely on IoT in 2017" was originally published by CSO.
With the current Windows Insider cycle previewing the Creators Update for Windows 10, Microsoft has started talking about what it’s going to mean for the enterprise.

There’s a lot in the new release beyond the headline 3D features, with a strong focus on improving enterprise security and management. The current threat landscape is complex, with regular revelations of significant data breaches and an ever-evolving set of attacks and attackers.
It’s good to see Microsoft making a commitment to helping businesses deal with the aftermath of a network intrusion, with support for a new release of its Windows Defender Advanced Threat Protection (ATP) tool as part of the next major enterprise release of Windows 10, due sometime in the first half of 2017.

What is Windows Defender ATP?

There’s some confusion about the role of Windows Defender ATP, partly because it shares elements of its name with Windows’ Defender antivirus tools.

Although ATP is part of your overall security tools, alongside Defender, the Edge browser’s SmartScreen download manager, and the spam and malware filters built into Office 365, ATP is specifically a post-attack tool, using telemetry from managed PCs to track the path of an attacker through your network. Modern network security is about layering responses and having effective tools that work to prevent, detect, and clean up after breaches.

ATP won’t stop your network being breached, but it will help identify breaches after they’ve occurred and give you more understanding as to how they happened and what information might have been compromised.

That’s an important distinction from other security tools, one that makes ATP an increasingly important tool in a rapidly changing regulatory environment. Businesses with customers in the European Union will already be aware of the requirements of the U.S.-EU Privacy Shield agreement and the upcoming implementation of the EU’s General Data Protection Regulation breach notification rules—along with the possibility of heavy fines. Understanding what happened during an attack and any resulting breaches is a key component in any active security process. You can’t be prepared for every instance, not when zero-day attacks sell for more than the available security vulnerability bounties.

That means it’s not a matter of if but of when you’re attacked.

ATP’s afterbreach analysis

Tools like ATP analyze the behavior of possibly compromised systems to give you a picture of what happened and how it happened.

That’s key to developing your response to attacks, working out what policies must be implemented to prevent a reoccurrence, and figuring out what needs to be done to ensure that attackers no longer have access to your systems and you have as complete as possible trace of their actions. A set of endpoint sensors built into Windows 10 delivers behavioral information to Microsoft’s cloud services, which use machine learning to interpret the signals from your devices.

By understanding what the behavior of a normal PC looks like, ATP can then identify the signature of a compromised device—before drilling down to see what had been compromised and how.

The Windows 10 Creators Update version of ATP updates the existing sensors to handle a new generation of attacks, so it can detect in-memory malware, kernel-level attacks, and cross-process code injections. Note that when attack information is shared outside Microsoft, it’s anonymized and only used to build improved detection and response tools. One important consideration: These sensors aren’t delivering telemetry to Microsoft all the time.

They’re only accessed when you suspect you’ve been breached and are using Windows Defender ATP to respond to the attack. ATP is also “a backstop for when threat prevention fails,” says David Weston, the head of research at the Windows Defender ATP group. Using ATP to quarantine infected systems allows deeper forensic analysis, as well as the opportunity to remove malware and close down exploits.

The ability to quickly isolate suspected breaches is key, especially as it’s handled from outside your network, using a cloud service, which reduces the risk of attackers seeing your response to their intrusion because you are using uncompromised systems to manage your response.

IT systems management in the cloud

Windows 10 Creators Update’s ATP release will build on the cloud-based security tools released with the Windows 10 Anniversary Update, giving system administrators a single portal for examining the security state of all their managed devices, the Windows Security Center. Here, you get access to security intelligence from Microsoft and partners like FireEye, as well as share details from your own forensic analysis to improve the ATP machine learning models. You can then pivot from Windows Defender ATP to Office ATP; once you’ve determined what PCs and users have been compromised, it’s then possible to track down the malware or phishing techniques that were used to gain the initial foothold. It’s all part of a renewed focus on Microsoft’s part of moving device management away from on-premises tools to the cloud.

Although that approach may seem to be at odds with traditional device management, it’s an approach that makes a lot of sense with changes in how PCs are deployed and used.

Cloud-based tools and analytics work nicely when used by distributed and remote staff, as well as with BYOD deployments. The days of the regularly replaced fleet of on-premises PCs are long gone, and cloud-based management makes it possible to manage devices wherever they are, as long as they are connected to the internet.
This identity access package not only uses multi-factor authentication but also pulls in data from social networks and other public sources to zero in on identity. You can't avoid all the chatter about identity access management here in late 2016, bec...