Partner for protection or data may be lost in the cloud!

Businesses are increasingly dependent upon partnerships with cloud computing and external IT service providers to provide agile, scalable solutions at a reasonable cost. Just like building systems in-house, success cannot be guaranteed unless there is confidence the service will be predictable and reliable. Many of the data security risks experienced when working with third party suppliers are similar to those encountered internally. Data stored in the cloud can be subject to hacking, accidental loss, as well as theft from internal staff. Employing encryption alone cannot protect a business from this. We can ensure risk is mitigated and profits are protected with due diligence and by ensuring cyber security, IT, business staff and cloud suppliers are working together as partners.

As high-profile data breaches raise public awareness about data security risks, many IT service providers are seizing the opportunity to differentiate their products and services through security certifications and audits. Popular accreditations include ISO 27001, PCI-DSS and the SSAE 16 SOC 2 audit types.

The maturity of a supplier's security practices can be inferred from their accreditation; however, accreditation alone does not ensure adequate security is in place. The audit results must be reviewed to confirm that the scope of the accreditation actually covers the solution being purchased and that it meets the business-defined data confidentiality, availability and integrity requirements. Many supplier audits and contracts pass security accountabilities back to the customer, and these need to be verified so that gaps are addressed. For example, a supplier may make state-of-the-art tools available for secure access, yet the customer remains responsible for maintaining the processes governing how they are used. This means the business must develop its own internal processes to support moving data to the cloud safely. Accreditation does raise confidence in the cloud services provider; yet businesses also need to identify and implement their own internal processes and procedures for managing security risks.

Large suppliers of IT services can often achieve a level of security an individual business cannot. This is due in part to the economies of scale they gain by servicing multiple customers and maintaining skilled IT staff as part of their core business. Suppliers that apply security best practices as a normal part of their delivery tend to be the best choice. A mature supplier is transparent about its security accreditation and commitment. An example of this can be seen at Google, where accreditations and auditors' attestations are made visible on their Internet site.

Choosing a smaller non-accredited business or start-up (or one that is still working towards accreditation) does not necessarily imply poor security. The challenge for the business will be determining how to extract business value quickly while taking the necessary steps to ensure reliable, secure services. A cyber security professional, applying best practices such as those from the Cloud Security Alliance, can help with assessing the supplier and identifying priorities for addressing risks.

In the end, an incident can damage the reputation of all involved. Partnering with the supplier, maintaining open lines of communication, monitoring progress and establishing achievable goals benefits all involved. The key to moving data to the cloud safely is ensuring IT, business, cloud provider and cyber security personnel work as partners towards mutually agreeable solutions.

Preparing for a breach: knowing what your business has done right

I appreciate the article linked below, and the reason is that Kickstarter knows what they have done right. If attacks are inevitable, does your business have a good message about what it did to prevent harm? Would it restore consumer confidence? I suspect many businesses are caught by surprise. There may be some shame if law enforcement informs you that your business has been hacked. On the other hand, it shows commitment to security that Kickstarter made this data meaningless to an attacker. It gives me confidence this company cared and tried to do the right thing. Well done!

Will the next iPhone release offer biometrics?

It is rumored the next iPhone release will be in September. I am looking forward to finding out if we can log in, make mobile payments or launch applications with fingerprint scanning technology. This would be a real win for both security and usability.

Here is a current article on the subject:

Adoption of two-factor authentication and what the future may hold

Passwords can be a hassle, and keeping track of multiple passwords securely is even more difficult. Given all the headlines around password breaches, particularly LinkedIn's password breach last year, it is surprising to see how slowly two-factor authentication has been adopted. This type of authentication can offer flexibility in how many passwords one must maintain. Many of the two-factor solutions offered by popular web sites also send a text message to the individual when their password is tampered with, which is helpful. According to a recent article in Infosecurity Magazine, the reasons people are not enabling two-factor authentication on popular web sites are ease of use and privacy concerns.

I can understand both concerns. It is conceivable private phone numbers could be compromised and revealed to the public or used for marketing phone calls and text messages. Also, it takes more steps to set up two-factor authentication, especially when a special code is required for each application and computer that communicates with a service. I now have four services set up to text my iPhone when I log in. This means I must check text messages often when logging into web sites, and I do worry about the inconvenience this will cause if I lose my phone.

It seems we have not reached the best solution for authentication yet. Most future options for authentication will have privacy concerns. I have noticed an uptake in the use of wearable physical activity monitors such as heart-rate monitors and pedometers. This rise in adoption of wearable devices appears to be motivated by insurers providing people with discounts for using the devices as part of preventive care programs. Perhaps with increased adoption of wearable devices, we will also see an option to authenticate using them – allowing multiple goals to be met with one device. Biometric authentication based upon an individual's heart rate has been a possibility for some time now. Wearable authentication devices such as the Google ring are also rumored to be the way of the future.

There are genuine privacy concerns with most of the options. Website authentication alternatives attempt to confirm that the individual is who they attest to be when they log in. This requires revealing some information to uniquely identify the individual. What if insurers charge a premium or won't provide coverage if daily activity goals aren't met or they detect an abnormal heart rhythm on a wearable device? What if location-based data from a wearable device is used to formulate an opinion about individual habits such as visiting bars or fast food restaurants frequently? I am convinced most authentication options of the future will require a consumer to weigh the tradeoff of privacy vs. the benefit of secure access to email and web sites. Providing users with "choice" for authentication options seems to be a logical next step for the future.


Is your home PC safe for business or sensitive information?

It may not be as safe as you think, and security tools for home computers are not as effective as those you may have at your business…

There have been a number of articles on the Internet in the past year about anti-virus products becoming ineffective at detecting and defending against today's malware. A recent report, published by the reputable security firm Imperva, states that the detection rate of a newly created virus is less than 5%. The hackers are ahead of the game, finding new ways to write their code so it goes undetected. They also package the harmful software and make it available for use by others with prolific tools known as "exploit kits". This is of concern for businesses, which have become increasingly frequent targets for intellectual property theft, fraud, or theft of employee or customer information. A more important question is what this means for the data stored on your home computer and what you can do about it.

What is the risk?

Personal computer users are easy targets for hackers. Many people do not believe they have data worth stealing; after all, the hackers are not likely interested in the photographs from last year's visit with Uncle Bob and Aunt Bea. Here is some of the data hackers could be interested in that most people do not think about:

  • The passwords stored in your browser or in a file for accessing business and cloud computing resources such as Citrix, e-mail, online payroll processing, and document storage.
  • The files you emailed to your home for printing or brought home on a portable device to help work with an important client or internal employee matters.
  • Personal data such as social security numbers, e-mail contact information, medical insurance documents, banking or tax preparation information.

Hackers typically do not infect only one computer; they distribute the malware across a range of computers using networks of compromised machines known as botnets. While accessing one home computer may not yield a valuable harvest of data, the aggregate data from a large number of botnet-controlled computers is quite useful for hackers wanting to commit data theft, fraud, or identity theft.

Security experts in business are working diligently to install multiple layers of advanced and innovative technologies to detect and defend against these threats. They use terms and implement tools that aid with "sandboxing", "whitelisting", "advanced threat monitoring", "network forensics" and more. These terms have great meaning for business security specialists, yet very little meaning for the ordinary person who is just trying to enjoy their PC or do a bit of work from home. The advanced tools security experts use to defend a business network against attack are not always readily available in the home-use market. This is a concern, as home computer usage can become the weakest link in a business's data protection efforts.

What can be done to minimize data theft from your home computer?

In the absence of advanced technologies for defending home PCs against malware, here are some tips that can help keep sensitive data safe if you must take work home:

  • Talk with your IT department: Chances are the IT group has already prepared guidance and options available to keep your business information and personal information protected while working from home.
  • Use a secure laptop: Many businesses offer well-configured laptops with enterprise monitoring tools, not available to ordinary home users, that defend against threats. If your business offers this facility, be sure to use it.
  • Run anti-virus: While anti-virus products are behind in defending against malware, they are making progress with advancing capabilities to detect configuration changes to a PC or block dangerous web sites and software. Most would agree an anti-virus product should still be used. Many anti-virus vendors offer businesses a home use program; ask your IT department if you may obtain a copy through this program. Even if the service has a fee, it is typically at a discount and worth the investment.
  • Separate sensitive data: Keep sensitive data in a separate location from browsing and other personal activities. Consider a separate storage device that requires a password each time the data is accessed. Products are available such as USB drives and portable disks from Imation that require a password to access encrypted sensitive information. The encryption is helpful to ensure data cannot be accessed when the device is lost. Disconnect these disks when the data on them is not in use.
  • Avoid auto-saving passwords: Do not store passwords in the browser using the save button. These stored passwords are fast and easy targets for hackers and are frequently collected by malware.
  • Sandbox your browser: Consider using your web browser with sandboxing enabled. Web browsing, or clicking on web links in e-mail, is often used by hackers to gain access to computers. Sandboxing attempts to shield the computer's operating system and data from attacks on the browser. A free browser sandboxing tool is provided by Sandboxie. Additionally, some anti-virus products, such as Bitdefender for example, offer this capability.
  • Maintain current patches: Be vigilant about keeping your home computer patched and up to date when Microsoft, Apple or the provider of your choosing offers them.

In addition to the above tips, the National Cyber Security Alliance provides up-to-date information for protecting your home computer and network. Consider bookmarking this site and visiting it regularly for news and tips you can use to protect your personal and business information at home: