Posts Tagged ‘security’

Security Manager’s Journal: You can’t secure every employee’s home

January 24th, 2012

We recently deployed RSA SecurID software authentication tokens to replace the hardware tokens we had been using to provide strong authentication for remote access via a VPN client. Hardware tokens are more secure for two-factor authentication in some ways (but not in every way, as you’ll see), but the software tokens can be used on mobile devices such as phones; they are much less expensive; and they can be deployed more quickly and easily. What’s more, when a user no longer needs access, it’s much simpler to disable a software token than it is to retrieve a hardware token from somewhere like China, Russia or India.

Of course, RSA suffered a notorious security breach last year, but after I was briefed on the details, I felt comfortable moving forward.

Deployments such as this software token rollout can be interesting, because you have a chance to learn about some scary practices that had been going on without your knowledge.

For example, once employees got word that their hardware tokens would no longer be operational, some of them started asking for software tokens to be installed on their home PCs and Macs. Clearly, they had been taking advantage of the fact that the hardware tokens could be used with any computer. Our VPN client allows full network access, and that, combined with our lack of Network Admission Control, meant that we were ending up with untold numbers of noncompany computers on our network. Naturally, I can’t vouch for the integrity of any of those noncompany assets. Home PCs are often used by family members and other people, any of whom might install untrusted applications, click on things they shouldn’t and end up infecting our internal production network.

I’m also concerned about protecting intellectual property, which is my responsibility. We are free to inspect the contents of any device we have issued to our employees, but we have no legal right to inspect any personal device, even if that device is connected to our network. In addition, laws are vague in some states and countries regarding our ability to monitor activity when an employee is using a personally owned device. If such an employee were to leave the company, our intellectual property could easily go with him.

For good measure, let’s throw in the risk of license compliance issues.

Help Desk Too Helpful

While employees might not be aware that they shouldn’t be connecting to the network from their own PCs, our help desk personnel should know that, right? Truth is, they’ve been helping employees install the VPN client on their home PCs. As an experiment, I called the help desk with an urgent request for access from my home PC. They actually sent me the full VPN client and walked me through the installation on my computer. After that experience, I reviewed some help desk tickets and found that the techs had also assisted in the installation of the VPN client on PCs at public Internet kiosks and hotel lobbies.

These exception requests are being met with a stern response. If an employee needs to access our network from home or another remote location, then the company needs to issue that employee a laptop. In many cases, the employee already has a laptop and is just too lazy to take it home or prefers using a Mac. But until we deploy a more secure method of remote access, such as a virtual desktop environment or a sandboxed VPN, I will hold the line against these sorts of exceptions.

Source: http://www.computerworld.com/s/article/9223574/Security_Manager_s_Journal_You_Can_t_Secure_Every_Home?taxonomyId=17

DARPA seeks to blend biometrics with passwords in DOD cyber security without new hardware

January 16th, 2012

Military information security experts at the U.S. Defense Advanced Research Projects Agency in Arlington, Va., are asking for industry’s help in developing ways to blend biometrics into U.S. Department of Defense (DOD) military cyber security systems without installing new hardware. The intent is not only to save time and money, but also to help bolster existing DOD computer security that relies primarily on requiring users to type in long and complex passwords.

DARPA on Friday issued a broad agency announcement (DARPA-BAA-12-06) for the initial phase of the Active Authentication program to develop software-based biometric approaches to verify the identities of authorized DOD computer users not only at login, but also throughout the course of the users’ computer sessions.

The Active Authentication program seeks to change the DOD’s current cyber security focus from user passwords and common access cards when validating identity on DOD computer systems. Instead, the program seeks to focus on software-based user biometrics that do not require installation of new cyber-security software.

DARPA is particularly interested in user biometrics such as eye tracking on the page; the speed with which the individual reads content; methods and structure of e-mail and other communications; keystrokes; how the user searches for and selects information; and how the user reads the material he selects. These observable traits, taken together, can create a cognitive footprint of the user.

Using this kind of cognitive footprint to verify the identity of DOD computer users would replace or augment using long, complex passwords and common access cards. Today’s approaches, DARPA officials say, only verify the user’s identity at login, and have no way to verify that the user who originally authenticated is still the user in control of the keyboard. As a result, unauthorized users may improperly obtain extended access to information system resources if a password is compromised or if a user does not take adequate measures after initially authenticating at the console.
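To make the continuous-authentication idea concrete, here is an added example (not DARPA’s or any vendor’s code) of one of the traits the announcement names, keystroke timing: a user is enrolled from a few typing sessions, and a sliding window over a live session is compared against that profile so that a change of typist after login is flagged. Timings, the enrolment text and the thresholds are constructed for the illustration.

```python
"""Toy continuous authentication from keystroke (digraph) latencies.

Added example; not DARPA's or any vendor's implementation. Assumes a
per-user profile of mean/stddev latency per key pair, built from a few
enrolment sessions; all timings below are constructed."""
from statistics import mean, pstdev
from typing import Dict, List, Tuple

Digraph = Tuple[str, str]
Event = Tuple[str, float]            # (key, press time in ms)
Profile = Dict[Digraph, Tuple[float, float]]  # digraph -> (mean, stddev)


def digraph_latencies(events: List[Event]) -> Dict[Digraph, List[float]]:
    """Latency samples (ms) for each consecutive key pair in a session."""
    out: Dict[Digraph, List[float]] = {}
    for (k1, t1), (k2, t2) in zip(events, events[1:]):
        out.setdefault((k1, k2), []).append(t2 - t1)
    return out


def enrol(sessions: List[List[Event]], min_samples: int = 3) -> Profile:
    """Build the user's profile; floor the stddev so rare digraphs are not overfitted."""
    samples: Dict[Digraph, List[float]] = {}
    for session in sessions:
        for dg, lats in digraph_latencies(session).items():
            samples.setdefault(dg, []).extend(lats)
    return {dg: (mean(lats), max(pstdev(lats), 5.0))
            for dg, lats in samples.items() if len(lats) >= min_samples}


def session_score(profile: Profile, events: List[Event]) -> float:
    """Mean absolute z-score of observed latencies; unknown digraphs are ignored."""
    zs: List[float] = []
    for dg, lats in digraph_latencies(events).items():
        if dg in profile:
            mu, sd = profile[dg]
            zs.extend(abs(lat - mu) / sd for lat in lats)
    return mean(zs) if zs else 0.0


def monitor(profile: Profile, events: List[Event],
            window: int = 8, threshold: float = 2.0):
    """Slide over the session; return the start index of the first window
    whose score exceeds the threshold (a suspected change of typist), else None."""
    for start in range(0, len(events) - window + 1):
        if session_score(profile, events[start:start + window]) > threshold:
            return start
    return None


def synth(text: str, lat: Dict[Digraph, float], jitter: float = 0.0) -> List[Event]:
    """Construct a typing session with given per-digraph latencies (default 150 ms)."""
    t = 0.0
    events = [(text[0], t)]
    for a, b in zip(text, text[1:]):
        t += lat.get((a, b), 150.0) + jitter
        events.append((b, t))
    return events


# Constructed data: the enrolled user is fast on a few familiar digraphs,
# the impostor types every pair uniformly slowly.
TEXT = "thequickbrownfox"
BASE = {("t", "h"): 80.0, ("h", "e"): 90.0, ("q", "u"): 70.0, ("c", "k"): 95.0}
IMPOSTOR = {dg: 260.0 for dg in zip(TEXT, TEXT[1:])}
ENROL_SESSIONS = [synth(TEXT, BASE, j) for j in (-10.0, 0.0, 10.0)]

if __name__ == "__main__":
    profile = enrol(ENROL_SESSIONS)
    print("same user :", monitor(profile, synth(TEXT, BASE, jitter=5.0)))
    print("impostor  :", monitor(profile, synth(TEXT, IMPOSTOR)))
```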

The Active Authentication program will run in three phases, and this solicitation pertains only to the first phase, which focuses on new ways of capturing the cognitive fingerprint by using biometrics that do not require the installation of additional hardware for information security.

Later, the program will focus on developing a solution that integrates any available biometrics using new authentication suitable for deployment on a standard DOD desktop or laptop computer. Future solutions must be developed with open Application Programming Interfaces (APIs) so that other software or hardware biometrics available in the future can be added.

Companies interested in participating should submit proposals no later than 6 March 2012.

Source: http://www.militaryaerospace.com/articles/2012/01/darpa-seeks-to-blend-biometrics-with-passwords-in-dod-cyber-security-without-new-hardware.html

McAfee Predicts the Potential Security Threats in 2012 for Windows 8

December 30th, 2011

McAfee, a well-known entity in computer security, has released its predictions for the upcoming threats of 2012. The recently released PDF predicts the upcoming security threats for mobiles, embedded systems and computers, including the rootkits that might pose a threat to the upcoming Windows 8 operating system slated for release in the second half of 2012.

The report also acknowledges the efforts Microsoft has put into making its next operating system the best to date and fool-proof against all sorts of attacks, but it also raises a concern about hackers’ growing interest in breaking into the system using rootkits, Neowin reports.

Rootkits are used to subvert both the operating system and security software, while bootkits attack encryption and can replace legitimate boot loaders. These are advanced techniques to intercept encryption keys and passwords, and even subvert driver-signing defenses employed by some OS’s. Attacking hardware and firmware is not easy, but success there would allow attackers to create persistent malware “images” in network cards, hard drives, and even system BIOS. We expect to see more effort put into hardware and firmware exploits and their related real-world attacks throughout 2012 and beyond. Advances in the Windows 8 bootloader security feature have already caused researchers to show how they can be subverted through legacy BIOS; meanwhile, the product has not even been fully released yet.

We have already seen the first bootkit for Windows 8, demonstrated at the MalCon conference in India earlier this year. Since the maker of the bootkit handed over the code and some suggestions to Microsoft, which will help make the operating system more secure than before, we can expect a polished product from Microsoft in the later part of the year.

Source: http://windows8beta.com/2011/12/mcafee-predicts-the-potential-security-threats-in-2012-for-windows-8

The top five SME security challenges

November 2nd, 2011

Best practice in information security and compliance for small and medium-sized enterprises (SMEs) is often seen as a headache and a “grudge purchase”, yet SMEs face the same threat landscape as larger organisations, but without their budgets.

SME IT leaders met at a Computer Weekly roundtable event, in association with Dell SecureWorks, to discuss the challenges they face around data protection, compliance and the cloud and how to make their organisations secure without following expensive, outdated methods.


The cloud security risk for the SME

The cloud is a technology many SMEs are interested in because of the benefits of flexibility, pay-for-use and reduced hardware investment. But there remain questions over its security.

David Lacey, director of research at the Information Systems Security Association (ISSA-UK) said the cloud is a good solution for SMEs if they choose professional, reliable service providers.

“Big companies don’t like the cloud as they can’t get legal assurance from the regulators,” Lacey said.

However, Alan Coburn, director of security and risk consulting at Dell SecureWorks, is more sceptical.

“Who’s responsible for security in the cloud? It is a personal decision, but I am very wary of putting personal information into the cloud,” Coburn said.

Steve Nicholls, technical architect at Ingens, said there had been no major security breach of the cloud, but it could only be a matter of time as cyber criminals wait for the right moment to strike.

“There have been no security scares yet as hackers want everyone to put all their data in the cloud and then do a land grab and get out, which is why it’s quiet for now,” Nicholls said.

Security regulation compliance for SMEs

Compliance is a painful process for many SMEs. The Data Protection Act and PCI-DSS payment card regulations were criticised as time-consuming and expensive.

However, there is no avoiding compliance, even if it does not necessarily lead to better security.

“Before, compliance was not expected but now it is an issue. The world of compliance is not security – it’s a mad world,” said Lacey.

Peter Vangeen, owner of Corporate Chauffeurs, is going through PCI-DSS compliance because his bank asked him to do so.

“It is a lot more complicated than I thought. I have a 48-page document with the best part of 400 questions. I started at question one and gave up at question seven. The whole process for SMEs is very difficult, is huge and costs money and I wonder how different security will be at the end from how it is now,” Vangeen said.

“Compliance is about covering yourself, passing on the problems and ticking all the boxes,” he said.

“I’m running a business. Reading through 400 questions that are meaningless to me is not a way to spend my time. I want to look after customers which I have done for 20 years without a security issue. The tick-box culture large companies perpetuate and wrap up in corporate speak is meaningless for SMEs.”

But Eamonn Sheridan, IT director at Citybond Holdings, said: “If you wade through security guidelines, there are good practices.”

Dell’s Coburn said he can see why PCI-DSS was created – because organisations are not putting the necessary controls in place – but said SMEs should work with trusted advisors on compliance.

“One organisation asked us how much is too much credit card data? But the standard doesn’t prescribe how much is too much. That organisation had been given different advice which could have cost them hundreds of pounds,” Coburn said.

SMEs should try to understand where their assets are and focus security controls there. “It is better than a scattergun approach,” he said.

Andy Bover, head of ICT at finance company 1st Credit, agreed it was important to get the right advice.

“Be wary of any consultant who doesn’t ask you why you need to hold credit card data. There is very little business case for retaining cardholder details,” Bover said.

However, the main benefit of compliance is to get the attention of the board, because the CEO must sign a top-level policy document to ensure confidentiality and integrity to comply with standards such as ISO 27000, said Bover.

“It is signed by the chief executive and if a weakness is found, the chief executive is in court. This is positive, as it means my chief executive will commit to IT expenditure to see it happens, and will say to the CFO, you need to spend money on that,” he said.

The changing SME threat landscape

Like many IT security firms, Dell SecureWorks is constantly surveying the changing threat landscape. Coburn said SMEs are increasingly being targeted, but many believe they are under the radar and not in the sights of cyber criminals.

“Malware is becoming more sophisticated. Aurora and Stuxnet are very sophisticated, all targeted at siphoning financial information,” he said.

Dell SecureWorks trawls the internet and monitors hacker forums to work out the next threat to protect its 3,500 clients’ security.

“We see on average about 50 security events per year per customer which we have to phone or alert someone to. That’s an event every week. If you’re not getting a call, are you any different from those organisations?” Coburn asked.

Ian Crofts, IT director at JBW Group, said revenge hacking is also a worry.

“It’s easy to annoy someone enough to make them want to target you,” Crofts said.

Lacey said organised crime and intelligence services are increasingly targeting smaller companies and looking for useful information about contracts: “There are a large number of targets and criminals are going broader and deeper.”

Bover said most SME IT professionals understand the risks, but their struggle lies in convincing senior executives of the threat.

“They would give you a different answer about being small enough to be below the threat radar,” he said.

Security education and training for SMEs

Constant education and training around IT security is necessary to help reduce human error.

Vangeen said that, even after achieving PCI-DSS compliance, access to credit card details can occur if someone writes them down on a piece of paper and chucks it in the bin. Staff are trusted, but no company is inviolate.

“There’s nothing the industry can do to solve the problem. Human error lets security down,” he said. “Human error means that someone will always walk out of the building with an unencrypted laptop.”

Bover said the only answer is to remove the opportunity for people to make mistakes: “We have no pens or papers in the call centre. Everything is written on whiteboards which are wiped clean.”

Josko Grljevic, IS director at Thetrainline.com, said: “You can have the best technology in the world, then someone has a chat with the receptionist and gets everyone’s details.”

Coburn said awareness and education are essential parts of security.

“Most secure organisations spend time and money on staff. Until you start training awareness, you are not a secure organisation. Common sense only becomes common sense when you know the right thing to do. Organisations that do it well take the pragmatic approach and do it often without making it boring,” he said.

Lacey said training is more important than security qualifications, which are often just a licence to operate.

“I believe in training and education, not qualifications,” he said.

Coburn said security improvements can pay dividends – but don’t overdo it.

“Don’t try and implement controls of big City organisations,” he said.

“Understand your environment. The challenge is if you have a lot of infrastructure, it is difficult to focus, but start small where you are worried about infrastructure protecting assets that might be targeted.”

ISSA5173 security standard targets SME needs

David Lacey is an information security expert with over 30 years’ experience working as a chief information security officer for organisations such as Royal Mail, Shell and the Foreign & Commonwealth Office.

To combat some of the issues SMEs face, the Information Systems Security Association (ISSA-UK), where Lacey is director of research, is creating a new security standard for small businesses, called ISSA5173.

“SMEs are different from large organisations, not in security threats which are the same, but more in the way they operate. SMEs don’t need paper and labour-intensive controls that big companies like. The new standard suggests looking at policies, procedure and education,” Lacey said.

Lacey said the pressure on SMEs is to grow their business and security is often low on the to-do list.

“Small companies lack knowledge, motivation and money. Security is a grudge purchase and someone else’s problem, but the vast majority of UK business is made up of SMEs. They are the soft underbelly of business,” he said.

Lacey said SMEs will have to get to grips with security because compliance and data protection are high on the agenda of the government and big companies.

“Large businesses are increasingly demanding security and SMEs must get PCI-DSS compliance, for example,” he said.

Meanwhile, the security landscape has changed out of all recognition with the impact of the internet and an increasingly mobile workforce, which has transformed the way people communicate.

“The future of security is complex. We are facing a data tsunami with a 60% growth in mobile data. The threats are more sophisticated, data breaches more damaging, users have left the buildings and the applications have followed,” said Lacey.

There has been an increase in data legislation around the world because it is citizen-friendly and cheap, but reliance on standards and a herd-mentality towards security is leading to a world of compliance and policies, which doesn’t necessarily improve security, said Lacey.

“Auditors judge against security standards that are outdated, and security is judged on the quality of paperwork and procedures,” he said.

SMEs must avoid following the example of big corporations.

“Big-company thinking is about maximising the security budget, whereas SMEs are frugal, and must think about the customer,” said Lacey.

“SMEs require fast cost-effective control measures and solutions that are easy to manage.”

He suggested SMEs use risk-management to support decisions, not shape them: “Focus on protecting data and standardisation and use independent advisers to manage your interests.”

Source: http://www.computerweekly.com/Articles/2011/11/01/248333/The-top-five-SME-security-challenges.htm

Why B2B for Network Security is Needed

November 2nd, 2011

The road to network security is a long one for any business, with many pitfalls along the way. Human personalities can make life difficult when personal preferences and personalised use profiles interfere with the intelligent technical design of a network use plan. The motive behind planning a uniform use of network devices needs to be underlined and emphasised to the staff.

A system that was secure last year is open to newer threats each week, especially with patches, upgrades, physical device upgrades and IT overhauls. The more things change in computer system safeguarding, the more things in device and desktop security stay the same. Aligning personal interests with device security is key to motivating personnel to remember best practices for network security. The market for B2B products and services in this industry channel therefore remains robust.

Employees must be advised repeatedly that the investment in computer integrity and device security is not the employee’s to control. Even with the purest of motives, any employee can accidentally inflict harm on a network if policy on the intellectual-property uses of a computer is not kept up to date. For company employees to value the total product of what they do and the mission of their organisation means to value the total entity. Thus demand for B2B network security services for companies of all sizes and shapes exists and grows daily.

Device security and online threats to networks via malware, viruses and intrusions are now common knowledge. But the lengths to which a computer sniffer or intruder will go to get into a system via various types of device platform, such as cellphones, smartphones and wireless devices, may still surprise even sophisticated computer users. Passing through airports and using business machines on “personal time” can compromise a business machine instantly.

The investment a company makes in its employees’ awareness of network security via everyday best practices can protect every dollar spent on network security and IT. In fact, malicious intruders and device sniffers count on everyday users being “fed up” with safe and conservative computer use habits, breaking protocol and being careless. They are waiting with a variety of programmed sniffer technologies and hardware to scan and screen for openings into valuable systems and to seed harmful programs that can cause damage down the line to companies and individuals.

Ironically, these same employees are disappointed and annoyed when their own retail, institutional, credit and business companies and vendors fall short in the security department. Software and technology innovate daily and, sadly, so do network security threats.

Sony account lock down – more detail

October 12th, 2011

60,000 accounts on the Sony PlayStation Network and Sony Entertainment Network, as well as 33,000 accounts on the Sony Online Entertainment servers were briefly accessed by “intruders using very large sets of sign-in IDs and passwords” according to a statement by Sony.

The attacks on the network took place between Friday 7 October and Monday 10 October, after hackers succeeded in verifying sign-in IDs and passwords, though, according to Sony, credit card information was not at risk during the attack.

“In this case, given that the data tested against our network consisted of sign-in ID-password pairs, and that the overwhelming majority of the pairs resulted in failed matching attempts, it is likely the data came from another source and not from our Networks,” Sony Chief Information Security Officer Philip Reitinger said on the PlayStation blog.
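The pattern Reitinger describes, one source testing a large list of ID-password pairs with an overwhelming failure ratio, is what a defender would look for in authentication logs. The following is an added example, not Sony’s tooling: it parses a constructed log format, aggregates attempts per source, flags sources that match the stuffing pattern and lists the accounts that did match so they can be locked and reset, as Sony did. The log format, addresses and thresholds are all assumptions for the illustration.

```python
"""Flag credential stuffing in auth logs: one source, many distinct IDs,
almost all failures. Added example, not Sony's code; the log line format
and the sample data are constructed for this illustration."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed format: "<ISO timestamp> src=<ip> user=<id> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: Set[str] = field(default_factory=set)
    matched: Set[str] = field(default_factory=set)   # IDs that got an OK from this source

    @property
    def fail_ratio(self) -> float:
        return self.failures / self.attempts if self.attempts else 0.0


def parse(lines: List[str]) -> Dict[str, SourceStats]:
    """Aggregate per-source attempt counts, distinct IDs tried and successes."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                         # skip lines in another format
        s = stats[m["src"]]
        s.attempts += 1
        s.users.add(m["user"])
        if m["result"] == "FAIL":
            s.failures += 1
        else:
            s.matched.add(m["user"])
    return stats


def flag_stuffing(stats: Dict[str, SourceStats], min_attempts: int = 20,
                  min_users: int = 10, min_fail_ratio: float = 0.9) -> Dict[str, List[str]]:
    """Sources whose volume, ID spread and failure ratio fit a list being tested
    against the service. Returns {src: sorted IDs that matched} so those accounts
    can be locked and their passwords reset."""
    return {src: sorted(s.matched)
            for src, s in stats.items()
            if s.attempts >= min_attempts and len(s.users) >= min_users
            and s.fail_ratio >= min_fail_ratio}


def _constructed_log() -> List[str]:
    # Constructed: one source tries 40 different IDs, 2 of which match;
    # a legitimate user mistypes once and then signs in from another source.
    lines = [f"2011-10-08T02:{i:02d}:00Z src=203.0.113.7 user=user{i:02d}@example.com "
             f"result={'OK' if i in (7, 31) else 'FAIL'}" for i in range(40)]
    lines += ["2011-10-08T03:00:00Z src=198.51.100.5 user=bob@example.com result=FAIL",
              "2011-10-08T03:00:20Z src=198.51.100.5 user=bob@example.com result=OK"]
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for src, ids in flag_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{src}: credential stuffing pattern; lock and reset {ids}")
```

The legitimate source is not flagged even though it has a failure, because the pattern requires breadth of IDs and volume as well as a high failure ratio.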

Source: http://mybroadband.co.za/news/quick-news/35874-sony-account-lock-down-more-detail.html

McAfee & Intel Tag Team Computer Security

September 15th, 2011

To combat viral threats, McAfee is working with Intel to create new, sophisticated ways of preventing attacks, combining software and hardware in the virtual war.

Today’s cybercriminals are familiar with current operating systems and can easily create, navigate and implant viruses in smartphones, tablets and computers. McAfee and Intel are working together to create a new security paradigm, offering security beyond a computer’s operating system. Their collaboration is called DeepSAFE and combines hardware and software to create sophisticated security measures.

“McAfee DeepSAFE uses hardware features already in the Intel processors to provide security beyond the OS,” said Todd Gebhart, co-president of McAfee.

DeepSAFE technology uses hardware-assisted security to provide virus protection from a deeper security footprint. Operating below the operating system, it can proactively detect and prevent advanced persistent threats (APTs) and malware.

“From this unique vantage point, DeepSAFE can apply new techniques to deliver a whole new generation of protection in real time to prevent malicious activity and not just detect infections.”

Traditional security measures rely solely on software protection. By recruiting hardware in the war against viruses, traditional viruses will be easier to detect and remove.

“At McAfee our customers and partners trust us to help them stay ahead of the cybercriminals and keep their business protected,” said Michael DeCesare, co-president of McAfee.

“This technology and our joint collaboration with Intel is the next evolution of security and will enable McAfee to continue to be the trusted security provider to our largest and most complex customers.”

The announcement was made at the Intel Developer Forum held in San Francisco, and the technology is expected to be incorporated in next generation computers.

Source: http://www.smartoffice.com.au/Technology/Industry/F3G3U5K3?page=1
