Tag Archives: business threat modeling


Shock therapy for medical device malware

Israel has over 700 medical device vendors. Sometimes it seems like half of them are attaching devices to the cloud and the other half are developing mobile apps for all kinds of innovative applications, like Healthy.io ("Visual Input Turned Into Powerful Medical Insight", which translates to an app that lets you do urine analysis with your smartphone).

But let's not forget that many medical devices, such as bedside monitors, MRI, nuclear medicine and catheterization devices, reside on today's hospital enterprise network.

An enterprise hospital network is a dangerous place.

Medical devices based on Microsoft Windows can be extremely vulnerable to attackers and malware that penetrate the hospital network and exploit typical weaknesses such as default passwords.

More importantly, medical devices attached to a hospital network are a significant threat to the hospital network itself, since an infected device can propagate malware back into the network.

While a thorough software security assessment of the medical device, with appropriate hardening of the operating system and user-space code, is the best way to secure a medical device on a hostile hospital network, this is usually not an option for the hospital once the device is installed: the device software belongs to the vendor, and the hospital cannot patch or reconfigure it at will.

Taking a page out of side-channel attacks and turning the technique around to detect malware, University of Michigan researchers have developed WattsUpDoc, a system designed to detect malware on medical devices by noting small changes in their power consumption.

The researchers say the technology could give hospitals a quick way to identify medical devices that have been compromised, without touching the device's software.

The researchers tested WattsUpDoc on an industrial-control workstation and on a compounder, which is used to mix drugs.

The malware detector first learned the devices’ normal power-consumption patterns. Then it tested machines that had been intentionally infected with malware. The system was able to detect abnormal activity more than 94 percent of the time when it had been trained to recognize the malware, and up to 91 percent of the time with previously unknown malware. The researchers say the technology could alert hospital IT administrators that something is wrong, even if the exact virus is never identified.
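As an added illustration of the approach described above (this is example code written for this page, not the WattsUpDoc researchers' code, and the power readings are constructed synthetic samples, not measurements from a real device), here is a minimal power-signature detector in Python: it learns the mean and spread of a few features from windows of a clean trace, then flags test windows whose features drift more than a few standard deviations from that baseline. The feature set, window size, threshold and the synthetic "infected" workload are assumptions chosen for the example.

```python
"""Power-consumption anomaly detector in the spirit of WattsUpDoc (added example).

Learns a baseline from windows of power samples taken while the device runs
its normal workload, then flags later windows whose features fall outside the
learned envelope. All readings below are constructed synthetic data, not
measurements from a real device.
"""
import math
import random
from typing import Iterable, List, Sequence, Tuple

WINDOW = 64  # samples per feature window (assumption)


def features(window: Sequence[float]) -> Tuple[float, float, float]:
    """Summarise one window: mean, standard deviation and mean absolute
    sample-to-sample change (a cheap proxy for high-frequency activity)."""
    n = len(window)
    mean = sum(window) / n
    var = sum((x - mean) ** 2 for x in window) / n
    jitter = sum(abs(b - a) for a, b in zip(window, window[1:])) / (n - 1)
    return mean, math.sqrt(var), jitter


def windows(samples: Sequence[float]) -> Iterable[Sequence[float]]:
    """Non-overlapping windows of WINDOW samples."""
    for i in range(0, len(samples) - WINDOW + 1, WINDOW):
        yield samples[i:i + WINDOW]


class PowerBaseline:
    """Per-feature mean and standard deviation of the clean training windows."""

    def __init__(self, training: Sequence[float], threshold: float = 5.0):
        feats = [features(w) for w in windows(training)]
        k = len(feats[0])
        self.mu = [sum(f[j] for f in feats) / len(feats) for j in range(k)]
        self.sigma = [
            max(1e-9, math.sqrt(sum((f[j] - self.mu[j]) ** 2 for f in feats) / len(feats)))
            for j in range(k)
        ]
        self.threshold = threshold  # z-score beyond which a window is anomalous

    def score(self, window: Sequence[float]) -> float:
        """Largest per-feature z-score of the window against the baseline."""
        f = features(window)
        return max(abs(f[j] - self.mu[j]) / self.sigma[j] for j in range(len(f)))

    def is_anomalous(self, window: Sequence[float]) -> bool:
        return self.score(window) > self.threshold


# --- constructed data: a device idling at ~12 W with a slow ripple ---
def clean_trace(rng: random.Random, n: int) -> List[float]:
    return [12.0 + 0.3 * math.sin(i / 3.0) + rng.gauss(0, 0.05) for i in range(n)]


def infected_trace(rng: random.Random, n: int) -> List[float]:
    """Same device with an extra process burning CPU in bursts: higher mean and
    more sample-to-sample churn (the kind of change WattsUpDoc looks for)."""
    return [x + 0.8 + (0.6 if (i // 8) % 2 == 0 else 0.0) + rng.gauss(0, 0.15)
            for i, x in enumerate(clean_trace(rng, n))]


def demo() -> Tuple[int, int]:
    """Returns (anomalous windows in a clean test trace, in an infected trace)."""
    rng = random.Random(7)  # fixed seed so the run is reproducible
    baseline = PowerBaseline(clean_trace(rng, WINDOW * 80))
    clean_hits = sum(baseline.is_anomalous(w) for w in windows(clean_trace(rng, WINDOW * 10)))
    bad_hits = sum(baseline.is_anomalous(w) for w in windows(infected_trace(rng, WINDOW * 10)))
    return clean_hits, bad_hits


if __name__ == "__main__":
    print(demo())
```

The detector never needs a signature of the malware; it reports a deviation from the device's own baseline, which is why previously unknown malware can still trip it. On a real device the baseline has to be re-learned after any legitimate change in workload or firmware, or the alerts turn into noise.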

For the full article see WattsUpDoc

 

Tell your friends and colleagues about us. Thanks!
Share this

4 steps to small business security

Software Associates specializes in security and compliance for biomed. Many of our biomed clients are small 3-10 person startups working out of a small office, with neither the IT budget nor the IT best practices to take care of their own network.

According to the latest statistics from the FBI in their annual Uniform Crime Report, one burglary occurs in the U.S. every 14.4 seconds. As bad as it is to be the victim of a burglary, when you have a home office or small business, the effects can bring your operation to a standstill as you try to reorganize your affairs.

Here are four things you can do to protect your small business systems:

1. Physical security – install an alarm system

Adding an alarm system is an effective way to protect your office from a break-in.  How do you find a reputable service provider for a security system for your home office/small business office?

According to SecurityCompanies.com, a comparison shopping resource for alarm systems, there are over 5,000 home security providers in the U.S. market. That’s a lot – and you will need to do a little research and preparation before you start.

Try Google Local – a Google search for alarm systems will usually pop-up a number of providers in your neighborhood with their phone numbers.

After you have a list of 3 home security providers, prepare a checklist before making the calls. Settle these 6 questions for yourself first, so that you can tell each provider exactly what you need:

  • Do you want a hard-wired system or a wireless one?
  • Do you need professional monitoring or would you prefer a sensor-activated system?
  • How big is your home?
  • Do you want advanced features like home automation?
  • Do you need remote access?
  • Will you be installing security cameras as well?

After getting satisfactory answers  – ask for references (recent ones) and guaranteed service levels – if the alarm goes off when you’re on vacation, what  are your options?

2.  Network security – being a good neighbor and assuring your bandwidth

Running an open wireless network lets anyone in range connect to it.

This has an upside and a downside.

The upside of an open wireless router is that it is a good-neighbor policy: if a passer-by asked you for a glass of water, you would gladly offer them one. The risk that a casual surfer steals sensitive business information from your home office or small business network is low; there are far more interesting targets for drive-by attacks than your small office. Low is not zero, though: every device on the same wireless network can reach the file shares, printers and other services your office machines expose, so the real risk of an open network is the stranger on your LAN, not the stranger on the Internet.

The downside of an open router is bandwidth. Guests and neighbors can dramatically slow down your Internet connection. If bandwidth and fast response time really matter to you, protect your wireless network with a WPA2 password and share it selectively with friends and colleagues.

Do you regularly have clients or other guests over who need access to your Internet connection? Set up a separate guest network with its own password that you share with guests; a guest network keeps their devices off the segment that carries your office machines.

3.  Access security – protecting passwords

With so many online services requiring strong passwords, it is hard to remember the passwords for your own network and small office server. Having said that, the last thing you want is to reuse your Google or Facebook password for your small business. That is a really bad idea: if someone obtains your office password, their first attack will be on your Google and Facebook accounts, and the same holds in reverse when one of those services is breached.

You can use a password manager that generates and stores unique random passwords that are impractical to guess. Top-rated programs include KeePass, Sxipper and RoboForm, and Data Vault.

Another option, easier to remember but weaker than a generated password, is a phonetic password that encodes a sentence in letters and numbers, like Xcntu8B4F6g ("Accentuate before fixing"). It beats a dictionary word, but its strength comes from the sentence being unguessable, not from its length.
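A small added example (written for this page, not code from the original post or from any of the products named) of what a generator does, in Python with the standard library's secrets module: it draws each character from a cryptographically secure source, reports the resulting entropy, and lists accounts that share a password. The alphabet, the default length and the sample account list are assumptions.

```python
"""Random password generation, an honest entropy figure, and a reuse check (added example).

Uses the ``secrets`` module (a CSPRNG) rather than ``random``, which is seeded
predictably and must never be used for secrets.
"""
import math
import secrets
import string
from typing import Dict, List

# Assumed alphabet: letters, digits and a dozen symbols most sites accept.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Return a password of ``length`` characters drawn uniformly from ``alphabet``."""
    if length < 8:
        raise ValueError("refuse to generate a password shorter than 8 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a password chosen uniformly at random: length * log2(|alphabet|).

    The figure is only valid for generated passwords. A human-chosen mnemonic such as
    Xcntu8B4F6g has far less entropy than its length suggests, because its letters
    follow the words of a sentence an attacker can model."""
    return length * math.log2(alphabet_size)


def reused_sites(site_passwords: Dict[str, str]) -> List[str]:
    """Return, sorted, every site whose password is also used for another site,
    the reuse the post warns about (input is a constructed account list)."""
    by_password: Dict[str, List[str]] = {}
    for site, password in site_passwords.items():
        by_password.setdefault(password, []).append(site)
    return sorted(site for group in by_password.values() if len(group) > 1 for site in group)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw), len(ALPHABET)):.1f} bits")
    print("reused:", reused_sites({"google": "hunter2", "facebook": "hunter2", "office": pw}))
```

A 16-character password over this 74-symbol alphabet is about 99 bits, which is beyond any online or offline guessing budget; that is the figure to compare against, not the length of a mnemonic.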

4. Data security –  develop and implement a backup protocol

How often do you backup your files? Once a day? Weekly or monthly?

Having your computer stolen isn’t your only risk.

While modern hardware is very reliable, it’s  not perfect and even the most expensive, dependable computers can crash without any warning.  Even a faulty motherboard can cause disk corruption.

To protect yourself from the panic and anxiety of losing your work, make a plan to back up your work at the end of each work day. Save files to a free cloud-based storage service, like Dropbox, or use a removable hard drive. If using a removable hard drive, store it in a different area of your home, out of the office, so that a burglar who takes the computer does not take the backup with it. If any harm should come to your computer in a fire or other disaster, you will want your hard drive stored in a separate location that is out of harm's way. Whichever you choose, restore a file from the backup every few weeks: a backup you have never restored from is a backup you cannot count on.


Is your HIPAA security management like a washing machine?

Most security appliance vendors use fluffy charts with a 4 step “information risk management” cycle.

It’s always a 4 step cycle, like “Discover, Monitor, Protect and Manage” and it’s usually on a circular chart but sometimes in a Gartner-style magic quadrant or on a line.

It’s a washing machine cycle that never stops.

The problem with the washing machine model is that it tackles the easy part of information security (running the appliance, discovering vulnerabilities, fixing things and producing reports) and ignores the hard part: quantifying and prioritizing your actions based on the financial value of the assets and the measured impact of the threats.

Modern security tools are good at discovering exploitable vulnerabilities in the network, Web servers and applications. However, since these tools have no notion of your business context and how much you value your information assets, it is likely that your security spending is misdirected: a scanner ranks findings by technical severity, not by what a loss of that asset would cost you.

With reported data breaches of medical devices and information systems doubling last year, and security budgets shrinking as the US economy stutters, you need to measure how well a product reduces Value at Risk in dollars (or euros), and how well it will still do so 3 years after you buy the technology.

In order to help make that happen – all you need to do is contact us via the site contact form or pick up a phone and give me a ring at +972-54-447.1114.

This is what we do – help you and your team take a leadership role in the board room and secure your medical devices instead of waiting for vendor proposals in your office.

Through specific Business Threat Modeling(TM) tactical methods we teach you how to quantify threats, valuate your risk and choose the most cost-effective security technologies to protect your data.

Data security is a war – when the attackers win, you lose. We will help you win more.


How to use BI to improve healthcare IT security


Information technology management is about executing predictable business processes.

Information Security Management is about reducing the impact of unpredictable attacks to  your  healthcare provider organization.

Once we put it this way, it is clear that IT, security and compliance professionals, as dedicated as they are to their particular missions, do not share business objectives and key results. This is one reason we have so many software security issues: software is developed and implemented with disregard for security best practice.

In order to bridge the gap, healthcare provider IT and security professionals need to adopt a common goal and a common language, a language of customer-centric threat modelling.

Typically, when a healthcare provider (whether a hospital, HMO or primary care provider) needs a software application, an IT consultant does a system analysis starting with business requirements and then proposes a solution: buy or build an application and deploy it.

Similarly, when the information security group needs an anti-virus or firewall, security consultants write requirements based on the current risk profile of the healthcare provider, test products, and proceed to buy (or subscribe) and deploy the new anti-virus or firewall solution.

The problem is that the two activities never work together. As a result, we get islands of software applications that are not integrated with the company's information security and compliance portfolio, and we get information security technologies that are unaware of the applications and, in the worst case, get in the way of business productivity.

Michael Koploy of Software Advice explains how BI (business intelligence, once the domain of IT expert consultants) is now a highly accessible technology in his article 4 Steps to Creating Effective BI Teams:

Business intelligence–the use of sophisticated software to analyze complex data–is no longer the domain of a centralized group of IT staff or advanced data analysts. Today, powerful and Web-based BI tools are accessible to a wide range of business users.

BI is everywhere, and it’s everyone’s job. But with this proliferation comes new challenges. Teams of BI users today often lack the structure, guidance and leadership to effectively mine data. In this article, I’ll share four steps to establish guidelines, organize teams, delegate data management and allow the success of the BI team to permeate and drive innovation throughout the business.

I agree with Michael.

By using BI – we can explore vulnerabilities in business processes and bring the information back to healthcare IT and security management in a constructive way and start building that common language between healthcare IT  and healthcare security management that is so essential to protecting patient health records.


Five things a healthcare CIO can do to improve security

A metaphor I like to use with clients compares security vulnerabilities with seismic fault lines. As long as the earth doesn't move, you're safe, but once things start moving sideways you can drop into a big hole. Most security vulnerabilities reside in the cracks of system and organizational integration, and during an M&A those fault lines can turn your local security potholes into the Grand Canyon.

Here are 5 practical things I would recommend to any healthcare organization CIO:

1. Do not rely on fixed controls

Any information security professional will tell you that security countermeasures are made up of people, processes and technology. The only problem is that good security depends on stable people, processes and technology, and a stable organization undergoing rapid and violent change is an oxymoron. Imagine your company has ISO 27001 certification, but the stock drops by 90% because of an options back-dating scandal at the top and the company fires 900 employees; all of a sudden, the fixed controls are not as effective as you thought they were. Think about the Maginot Line in WWII.

2. Use common sense when it comes to people

People countermeasures should be a mix of common-sense, background checks (at a depth proportional to job exposure to sensitive assets), and deterrence.  Andy Grove once said

“Despite modern management theory regarding openness – a little fear in the workplace is not a bad thing”.

When a lot of employees are laid off (RIF'd), there is a lot of anger and many people who no longer identify with their employer; the security awareness training vaporizes and fear and revenge take over. Some of the security people will be the first to go, replaced by contractors who may not care one way or the other, or worse, may be tempted by the opportunities offered by the chaos. In a large, complex healthcare organization, large-scale security awareness training is probably a hopeless waste of resources considering the growing number of options people have (Facebook, smartphones...) to do things that damage the business. Security awareness will lose every time it comes up against an iPad or Facebook.

Why is common sense a good alternative to awareness training?

Common sense is easy to understand and enforce if you keep it down to 4 or 5 rules: maintain strong passwords, don't visit porn sites, don't blog about the business, don't plug in a USB flash drive (disk-on-key) from anyone, and guard your notebook computer like you guard your cash.

3. Spend some money on securing your software applications instead of on security theater

It’s a given that business processes need to be implemented in a way that ensures confidentiality, integrity and availability of customer data.  A simplistic example is a process that allows a customer service representative to  read off a full credit card number to a customer. That’s a vulnerability that can be exploited by an attacker.  But – that’s a trivial example – while you’re busy managing processes and using security theater code words – the attackers are attacking your software and stealing your data.

4. Question your defenses 

Technology countermeasures are not a panacea, and periodically you have to step back and look at your security portfolio from both a cost and an effectiveness perspective. You probably rely on a defense-in-depth strategy but end up with multiple, sometimes competing and often ineffective tools at different layers: workstation, servers and network perimeter.

Although defense in depth is a sound strategy, here are some of the fault lines that may develop over time:

  • One – most defense-in-depth information security is focused on external threats, while in an organization undergoing rapid change the problem is internal vulnerabilities.
  • Two – defense in depth means increased complexity, which can result in more bugs, more configuration faults and less security instead of more.
  • Three – when the security and executive staff is cut, security monitoring and surveillance suffers, since there are fewer (or no) eyeballs looking at the logs and security incident monitoring systems. With fewer eyeballs on the events, you may have a data breach and only find out about it 3 months later. Are you still sure defense in depth was protecting you?

5. Invest in smart people instead  (instead of investing in business alignment)

Business alignment is one of those soft skill activities that keep people in meetings instead of mitigating healthcare  vulnerabilities – which requires hard professional skills and high levels of professional security competence. It’s a fact of life that problem solvers hate meetings and rightly so – you should invest in smart people and go light on the business alignment since it will never stop the next data breach of your patients’ data.

Claudiu Popa, president and chief security officer of data security vendor Informatica Corp. told  Robert Westervelt in an interview  on searchsecurity.com that:

…once an organization reaches the right level of maturity, security measures will not only save time and money, but also contribute to improved credibility and efficiency.

This is nonsense. Security is a cost and it rarely contributes to the efficiency of a business (unless the business can leverage information security as part of its marketing messages), and as for an organization firing 30% of its workforce overnight, words like maturity, credibility and efficiency go out the door with the employees.

At that point –  highly competent and experienced security professionals who are thinking clearly and calmly are your best security countermeasure.


The megaupload bust

My daughter was distressed yesterday after the Feds shutdown the megaupload file sharing site – “How am I going to see all those series and Korean movies I love? It’s not fair!”

The FBI have been after Mr Dotcom for 8 years. His big problem was not the file sharing but his other criminal activities. After all, there is infinite demand for file sharing; Filesonic is cleaning up now that Megaupload went bust, and Viacom didn't go after Eric Schmidt after Viacom lost its billion dollar copyright case to Google 2 years ago.

But really, beyond the consumer appetite for entertainment and the corporate appetite for filing intellectual property and copyright suits, why isn't Hollywood getting it right when it comes to content protection? If they were getting it right, Sony-Columbia would be running the file sharing sites, charging $1 per movie and $3 for premium content, and driving all the file sharing sites out of business.

Instead, the big studios are making the same mistake that corporate America makes when it comes to content protection: ignoring the attacker economics.

After all, the HDCP black-listing scheme defies the laws of physics and reason. For example, you may be a perfectly law-abiding citizen, but if someone in Sofia hacks your model XY500 DVD player, the device key is revoked, and you will never be able to play discs that came out after the date the device was compromised. If a hacker taps into the HDMI/HDCP signal and copies a movie en route to your model of TV set, the HDCP device key can be revoked and your 80 inch TV will never play high-definition again.

Blu-ray copy protection was broken 5 years ago this month (January 2007), courtesy of muslix64, the same fellow who cracked HD DVD. Both HD DVD and Blu-ray use HDCP (High-Bandwidth Digital Content Protection) to authenticate the display and protect the link while content plays, and both use AACS (Advanced Access Content System) for content encryption. (AACS is the content protection for the video on the disc; HDCP is the content protection on the HDMI link between the player and the TV.) It appears that muslix64 took a snapshot of the memory of a running player process, then used selective keying: sliding a key-sized window through the snapshot one byte at a time (bytes 1-16, then 2-17, 3-18 and so on for a 128-bit AES key) and trying each window as the key until an MPEG frame decrypted. This is far faster than a pure brute force attack, because the candidate space is the size of the memory dump rather than 2^128. If the video player process stores the key in clear text in memory, this type of attack will always work.

Like most broken encryption schemes, AACS was defeated not by a weakness in the cipher but through a poor software implementation that left the key exposed.
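To make the memory-scanning step concrete, here is an added example (written for this page, not muslix64's tool or any AACS code) in Python. It stands in a SHA-256 counter-mode keystream for AES-128, since the search itself is indifferent to the cipher, and builds a fake 4 KiB heap with a random 16-byte title key planted in it; find_key then tries every key-sized window until the first bytes of an encrypted frame decrypt to the MPEG sequence header start code. The offset 1337, the heap size, the frame layout and the stand-in cipher are assumptions.

```python
"""Sliding-window key search over a memory snapshot, the technique the post attributes
to muslix64 (added example). A stand-in cipher (SHA-256 counter-mode keystream) replaces
AES-128 so the example runs with the standard library only; the search is cipher-agnostic:
every key-sized window of the dump is tried until a known plaintext prefix appears.
"""
import hashlib
import os
from typing import Optional

KEY_LEN = 16                                 # 128-bit key, the size AACS uses with AES
MPEG_SEQUENCE_HEADER = b"\x00\x00\x01\xb3"   # MPEG video sequence header start code


def keystream(key: bytes, nbytes: int) -> bytes:
    """Stand-in stream cipher: SHA-256(key || 64-bit counter) blocks, truncated to nbytes.
    Not AES; used only so the example has no third-party dependency."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(bytes(key) + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:nbytes]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))


decrypt = encrypt  # XOR stream cipher: the same operation in both directions


def find_key(memory: bytes, ciphertext: bytes, known_prefix: bytes) -> Optional[int]:
    """Return the offset in ``memory`` of a key under which ``ciphertext`` decrypts to
    something starting with ``known_prefix``. Windows are tried at offsets 0, 1, 2, ...
    (bytes 1-16, 2-17, 3-18 in the post's numbering). None if no window works."""
    probe = ciphertext[:len(known_prefix)]   # only the prefix needs decrypting per trial
    for off in range(len(memory) - KEY_LEN + 1):
        candidate = memory[off:off + KEY_LEN]
        if decrypt(candidate, probe) == known_prefix:
            return off
    return None


def demo() -> bool:
    """Constructed scenario: a player process holds the title key in clear somewhere in
    a 4 KiB heap; recover it from a dump plus one encrypted frame."""
    title_key = os.urandom(KEY_LEN)
    frame = MPEG_SEQUENCE_HEADER + os.urandom(60)      # constructed "video" frame
    encrypted_frame = encrypt(title_key, frame)
    heap = bytearray(os.urandom(4096))                  # unrelated process memory
    heap[1337:1337 + KEY_LEN] = title_key               # the key, sitting in clear text
    off = find_key(bytes(heap), encrypted_frame, MPEG_SEQUENCE_HEADER)
    return off == 1337 and decrypt(bytes(heap[off:off + KEY_LEN]), encrypted_frame) == frame


if __name__ == "__main__":
    print("key recovered:", demo())
```

The defensive lesson is the one the post draws: a decryption key that sits in process memory in the clear is recoverable by anyone who can read that memory, at a cost of one trial decryption per byte of the dump. Keeping the key out of the readable address space (hardware key storage) raises that cost; changing the cipher does not.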

"The AACS design prevents legitimate purchasers from playing legitimately purchased content on legitimately purchased machines, and fails to prevent people from ripping the content and sharing it through bittorrent. The DRM people wanted something that could not be done, so unsurprisingly they wound up buying something that does not do it."

James Donald.

Now we understand why BitTorrent is so popular and why


Security is in the cracks

Yesterday I spent most of the day re-installing one of the workstations in the office with Ubuntu 11.10. I like what I saw, but the Unity interface is not my cup of tea, so I installed Gnome, what they call Classic Ubuntu.

In principle I shut down as many operating system services as I can, especially those that call out to or listen on the Internet, but this is supposed to be a development machine with access to our private git repository and sending out email via a Postfix relay.

On our own small scale, a lab with 6-7 machines for testing the network and software security of customer applications, I got to thinking that most system vulnerabilities live in the cracks of system integration of components and packaged software, while most of the industry's efforts in software security are directed towards new software implementations.

If you are preparing to implement a packaged application for financial management, CRM, data mining or ERP, something in the back of your mind probably says that the vendor's development organization is not a lot different from yours (although you hope they've thought through the security issues first).

Here are 2 ideas to help find the crud in the cracks:

  • Inspect and penetration-test the system; assess infrastructure components, database interfaces and Web applications for vulnerabilities using The Software Associates 6 step Business threat analysis methodology
  • You need to identify fault-prone modules in your particular operation and evaluate those modules with the most impact on system reliability and downtime.

Why your IT vendor doesn’t want you to do a risk analysis

Did you ever have the feeling that your IT integrator was treating you like a couple of guys selling you a Persian rug? "Take it now, it's so beautiful, just perfect for your living room, a steal for only $10,000 and it's on sale", and when you ask if it will last, they tell you "Why do you want it to last? Enjoy, use it in good health, wear it out quickly and come back to the store so that we can sell you Persian Rug 2012".

I had a meeting with a long-time client today – I’ve developed some systems for them in the FDA regulatory and clinical trial management space. We met for lunch to discuss a new project which involved an extension to an existing multi-center study.

The question of disaster recovery planning and offsite backup came up and  they asked me what I thought about backing up their clinical trial data together with their office file backups taken by their outsourcing IT provider.

I said this is a very bad idea because while their IT contractor specializes in providing Microsoft Windows/Office support for small businesses, they just don’t have the know-how or security expertise for HIPAA compliant data storage.

In general, small business IT integrators are behind the curve on data security, compliance, disaster recovery and application software security. Their job is to keep Microsoft SBS running smoothly and install anti-virus software, not to mitigate data security threats or close HIPAA compliance gaps. The typical SMB integrator mindset is dominated by the Microsoft monoculture, and I would not expect them to be able to analyze data security threats correctly.

Whenever I go somewhere – I’m always looking at things with a security perspective – open doors, windows – things that could be easily lifted. Who might be a threat. Storing clinical data with a bunch of Microsoft Office files is just too big a risk to take. The CEO accepted my recommendation to encrypt data on a secure, hardened virtual server instance in the cloud and monitor potential exposure to new emerging threats as their application and project portfolio evolves.

After lunch, getting back into the office, I realized that risk analysis is a threat to IT vendors.

Not every security countermeasure is effective or even relevant for your company. This is definitely a threat to an IT vendor salesperson who must make quota.

I am a big proponent of putting vendor suggestions aside and taking some time to perform a business threat analysis (shameless plug for our business threat analysis services: download our free white paper and learn more about Business Threat Modeling and security management). In a business threat analysis you ignore technology for a week or 2 and systematically collect assets, threats and vulnerabilities, and THEN examine the cost-effective security countermeasures.

Your vendor wants to sell you a fancy $20,000 application security/database firewall, but it may turn out that your top vulnerability is the 10 contract field service engineers who shlep your company's source code around on their notebook computers. You can mitigate the risk of a stolen notebook by installing a simple security countermeasure: free open-source disk encryption software, available for Windows Vista/XP, Mac OS X and Linux. The firewall protects one asset against one class of attack; the disk encryption removes the exposure of the asset most likely to walk out the door.
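As an added worked example of the quantification this post and the HIPAA "washing machine" post above argue for (example code written for this page, not a Software Associates tool or methodology), the Python below scores each candidate countermeasure by the annualised loss expectancy (single loss expectancy times annual rate of occurrence) it removes, minus its own annual cost. The asset values, rates, mitigation fractions and costs are constructed assumptions for the laptop-versus-firewall scenario in the paragraph above, not figures from any client.

```python
"""Ranking security countermeasures by annualised loss reduction per dollar (added example).

All figures are constructed assumptions for illustration; they are not measurements
from any client or product.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # dollars at stake if the threat fully materialises
    exposure_factor: float  # fraction of the asset value lost per incident (0..1)
    annual_rate: float      # expected incidents per year (ARO)

    @property
    def sle(self) -> float:
        """Single loss expectancy: what one incident costs."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: SLE x annual rate."""
        return self.sle * self.annual_rate


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float              # purchase amortised over its life plus operating cost
    mitigation: Dict[str, float]    # threat name -> fraction of that threat's ALE removed


def rank(threats: List[Threat], controls: List[Countermeasure]) -> List[Tuple[str, float, float]]:
    """Return (countermeasure, ALE reduction, net annual benefit), best first."""
    by_name = {t.name: t for t in threats}
    rows = []
    for c in controls:
        reduction = sum(by_name[t].ale * frac for t, frac in c.mitigation.items() if t in by_name)
        rows.append((c.name, reduction, reduction - c.annual_cost))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed scenario in the spirit of the post: 10 field engineers carry source
# code on laptops; the vendor is pitching a $20,000 database firewall.
THREATS = [
    Threat("stolen laptop with source code", asset_value=500_000, exposure_factor=0.4, annual_rate=0.5),
    Threat("SQL injection against customer DB", asset_value=300_000, exposure_factor=0.5, annual_rate=0.1),
]
CONTROLS = [
    # $20k appliance amortised over 3 years plus ~$3k/yr of rule tuning (assumed)
    Countermeasure("database firewall", annual_cost=20_000 / 3 + 3_000,
                   mitigation={"SQL injection against customer DB": 0.6}),
    # free full-disk encryption; cost is ~2 admin hours per laptop at $75/h (assumed)
    Countermeasure("full-disk encryption on 10 laptops", annual_cost=10 * 2 * 75,
                   mitigation={"stolen laptop with source code": 0.95}),
    Countermeasure("secure coding review of DB layer", annual_cost=12_000,
                   mitigation={"SQL injection against customer DB": 0.8}),
]


def top_choice() -> str:
    """Name of the countermeasure with the best net annual benefit."""
    return rank(THREATS, CONTROLS)[0][0]


if __name__ == "__main__":
    for name, reduction, net in rank(THREATS, CONTROLS):
        print(f"{name:40s} ALE reduction ${reduction:>10,.0f}  net ${net:>10,.0f}")
```

Run it and the free disk encryption ranks first by a wide margin while the $20,000 appliance is net negative against this threat list. The point is not the numbers, which you have to collect for your own business, but that the ranking changes the moment you put a dollar value on the asset and a rate on the threat instead of accepting the vendor's ordering.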

Information security vendors often promote their backup/data loss prevention/data retention/application security products using a compliance boogeyman.

The marketing communications often reaches levels of the absurd as we can see in the following example:

NetClarity (which is a NAC appliance) claims that it provides “IT Compliance Automation” and that it “Generates regulatory compliance gap analysis and differential compliance reports” and “self-assessment, auditing and policy builder tools for Visa/Mastercard PCI, GLBA (sic), HIPAA, CFR21-FDA-11,SOX-404, EO13231 government and international (ISO270001/17799) compliance.”

A network access control appliance is hardly an appropriate tool for compliance gap analysis, and asserting that a NAC appliance or Web application firewall automates SOX 404 compliance is absurd.

Sarbanes-Oxley Section 404, requires management and the external auditor to report on the adequacy of the company’s internal control over financial reporting. This means that a company has to audit, document and test important financial reporting manual and automated controls. I remember the CEO of a client a few years ago insisting that he would not accept any financial reports from his accounting department unless they were automatic output from the General Ledger system – he would not accept Excel spreadsheets from his controller, since he knew that the data could be massaged and fudged. If there was a bug in the GL or missing / incorrect postings he wanted to fix the problem not cut and paste it.

Appropriate, timely and accurate financial reporting has absolutely nothing to do with network access control.


But the best part is the piece on the NetClarity Web site that claims that their product will help “Deter auditors from finding and writing up IT Security flaws on your network”.

And I suppose this really proves my point best of all.

Information security vendors like NetClarity have no economic incentive to really reduce data security and compliance breaches, since fewer breaches would mean fewer sales; it is better business for them (though not for their customers) to sell ineffective products.

This raises an interesting question about information security business models – but that’s a topic best left to another post.

 


The importance of data collection in a risk assessment

A risk assessment of a business always starts with data collection. The end objective is identifying and then implementing a corrective action plan that will improve data security in a cost-effective way, that is the right fit for the business.

The question in any risk assessment is how do you get from point A (current state) to point B (cost effective security that is the right fit for your business).

The key to cost-effective security is data collection.  Let’s recall that compliance regulation like PCI DSS 2 and the certifiable information security management standard ISO 27001 are based on fixed control frameworks. It’s easy to turn the risk analysis exercise into a check this/check that exercise, which by definition, is not guaranteed to get you to point B since the standard was never designed for your business. This is where we see the difference between ISO 27001 and ISO 27002.

ISO/IEC 27002 is an advisory standard meant to be applied to any type and size of business according to the particular security risks they face.

ISO/IEC 27001 (Information technology – Security techniques – Information security management systems – Requirements) is a certifiable standard. ISO/IEC 27001 specifies a number of firm requirements for establishing, implementing, maintaining and improving an ISMS (information security management system), and specifies a set of 133 information security controls. These controls are derived from and aligned with ISO/IEC 27002, which enables a business to implement the security controls that fit its business and helps it prepare for formal certification to ISO 27001.

Let me explain the importance of data collection by telling a story.

After reading the NY Times article An Annual Report on One Man's Life, I was reminded of a story I read about Rabbi Joseph Horowitz (the "Alter from Novardok") (1849–1919), relating his practice of writing a daily report on his life.

One of the things I learned from the musical director of the JP Big Band, Eli Benacot, is the importance of knowing where you are really holding in terms of your musical capabilities.  Many musicians, it turns out, have the wrong self-perception of their capabilities.  Sometimes, one sees a professional musician who is convinced of his proficiency and even within an ensemble he (or she) is incapable of really hearing how poorly they actually play.

Many times we feel secure but are not, or don’t feel secure when we really are. For example – a company may feel secure behind a well-maintained firewall but if employees are bringing smart phones and flash drives to work, this is an attack vector which may result in a high level of data loss risk. On the other hand – some people are afraid of flying and would prefer to drive, when in fact, flying is much safer than driving.

After we collect the data and organize it in a clear way, we then have the ability to understand where we are really holding.  That is the first step to building the correct security portfolio.

So, let’s return to the Rabbi Joseph Horowitz, who wrote a daily and annual report on his life. Here is his insight to implementing change – certainly a startling approach for information technology professionals who are used to incremental, controlled change:

“Imagine this scenario: A person decides that he wants to kasher his kitchen. But he claims, ‘Changing my dishes all at once involves throwing out an entire set and buying a brand new one. That’s quite an expense at one time. I’ll go about the kashering step by step. Today I’ll throw out one plate and replace it with a new one, tomorrow with a second and the next day with a third.’

“Of course, once a new plate is mixed with the old ones, it becomes treife like the rest. To kasher a kitchen, one must throw out all of his old dishes at once.

“The same holds true in respect to changing one’s character traits or way of life. One must change them in an instant because there is no guarantee that the anxieties and pressures that deter him on any given day will not deter him the following day, too, since anxieties and pressures are never ending. ”

(Madreigat Ha’adam, Rav Yosef Yoizel Horowitz).

 


3GPP Long Term Evolution – new threats or not?

3GPP Long Term Evolution (LTE), is the latest standard in the mobile network technology tree that produced the GSM/EDGE and UMTS/HSPA network technologies. It is a project of the 3rd Generation Partnership Project (3GPP), operating under a name trademarked by one of the associations within the partnership, the European Telecommunications Standards Institute.

The question is, what will be the data security impact of LTE deployments? As LTE is IP based and IPv6 becomes more common in the marketplace, will the security requirements of mobile devices become similar to those of traditional networked devices? There is already a huge trend for BYOD, Bring Your Own Device, at work, which certainly causes a lot of headaches for information security staff. Will the higher bandwidth and flat IP networks of LTE increase the threat surface for corporate IT?

Other than higher performance, LTE features a flat IP network, but I don't see how that increases the threat surface in any particular way. The security requirements for mobile networked devices are similar to those of traditional wired devices, but the vulnerabilities are different, namely the potential for an unmanaged BYOD tablet or smartphone to be an attack vector back into the enterprise network and a channel for data leakage. The introduction of Facebook smartphones is far more interesting as a new vulnerability to corporate networks than smartphones with the 100 Mbit/s download and 20 Mbit/s upload afforded by LTE.

I am not optimistic about the capability of a company to manage employee-owned mobile devices centrally, or to rein in smartphones and tablets with awareness programs. Instead of trying to do the impossible or the dubious, I submit that enterprises that are serious about mobile data security must take 3 basic steps, after accepting that BYOD is a fact of life and that security awareness has limited utility as a security countermeasure.

  1. Reorganize physical, telephony and information security into a single group with one manager. This group must handle all data, software, IT, physical (facilities) and communications issues with a single threat model driven by the business and updated quarterly. There is no point in pretending that the only phones used by employees are phones installed and operated by the company's telecom and facilities group. That went out the door 10 years ago.
  2. Develop a threat model for the business. This is key to keeping up with the rapidly growing threats posed by BYOD. Update that model quarterly, not yearly.
  3. The CEO must take an uncompromising stance on data leaks and ethical employee behavior. It should be part of the company's objectives, measurable in monetary terms just like increasing sales by 10%.

 
