Employees increasingly use personal devices, including tablets, smartphones, and laptops, to accomplish their work faster, more flexibly, and from anywhere. Yet, while BYOD (Bring Your Own Device) offers workers more control and independence, it can reduce the control organizations have over securing their networks.
Endpoint protection and robust encryption are generally mandated on company-owned devices, but personal devices often lack these safeguards. Moreover, devices used for personal computing and messaging, when off the company grid, lack the protections of the network firewall, leaving the entire organization exposed to hacker exploits or malware infection when the device reconnects to the network.
More than a quarter of companies reportedly lack security requirements for smartphones.[1] However, companies that do implement security policies for mobile devices still face the threat of employees trying to bypass these requirements. A Ponemon and Websense joint survey highlighted just that: 59% of respondents claimed that employees circumvent or disengage security features such as passwords and key locks.[2]
Lost Personal Devices: A Data Minefield
In the case of a lost or stolen personal device that stores company-owned data, an employee may be unwilling to have their device data wiped remotely. In fact, only 55% of mobile workers report having remote wipe enabled on their smartphones, and just 30% on their tablets.[2] The inability to rapidly dispose of sensitive data, particularly unencrypted data, exposes organizations to considerable risk.
What You Can’t See, Can Byte You!
A Mobilisafe study encompassing 130 million device connection events reported that over a third of the devices with network access and/or corporate data went inactive for more than a month.[3] The presence of so many personal devices used for work that are unaccounted for, and that may retain sensitive data and user credentials, poses a latent threat to organizations.
Outdated Firmware and Version Control
The sheer number and variety of personal devices and operating systems that may be in use across an enterprise poses daunting challenges for IT. Mobilisafe found that 71% of mobile devices contained high severity operating system and application vulnerabilities. Mobilisafe theorizes that severe vulnerabilities could be reduced 4-fold simply by updating firmware.[3]
Malware Breeding Grounds
Smartphone users routinely download music and games, access applications, and execute files with minimal regard to file source or authenticity. Ponemon and Websense reported that, in a one year period, 51% of surveyed organizations experienced data loss resulting from employee use of insecure mobile devices.[2]
With all the potential pitfalls, it’s easy to understand why some people more cynically refer to BYOD as “Bring Your Own Danger/Disaster.”
Taking BYOD Head-On
Organizations that try to ban personal devices outright may repel productive and creative workers, or induce employees to work outside the rules.
A successful BYOD security policy should strive to:
As a leader in network security, WatchGuard Technologies develops solutions to make your BYOD environment a safe and productive ecosystem. By enforcing a practical policy, we believe that organizations can enable workforce productivity, foster goodwill and trust across the organization, meet compliance demands, and maintain strong security, without sacrificing flexibility.
As we coast into the National Retail Federation's (NRF) big annual show in New York City next week, businesses of all types face the daunting task of securing their business network from outside threats. Perhaps it's fitting that online retailers in particular are concerned with the growing number of advanced persistent threats that are poised to make 2013 a potentially busy year in data loss prevention.
So with the NRF just around the corner, here are three network security roadblocks that threaten the success of online retail organizations of all types:
There are many other roadblocks that can hinder growth and expose data, and we’ll certainly be blogging about them in the days and weeks ahead, but these three are certainly important and worth consideration. For online retailers, customer data security is the foundation for success.
If you’re at the NRF Show in New York, swing by booth # 1681 and say hello. We’d love to see you!
In our last blog – Network Security with Virtualization Best Practices – we promoted Cory Nachreiner’s upcoming session at the Gartner Symposium ITxpo in Orlando at the end of this month. We’d be remiss if we didn’t also share Dave Taylor’s session at the same show – The Dirty Secret of Security Breaches. That session is on October 23rd at 7pm.
Is the biggest security risk today Advanced Persistent Threats? Data leakage? No. Experts maintain that 95% of security breaches are due to firewall misconfiguration. Dave’s session will show you how easy it is to use advances in manageability and usability to put pinpoint control in the palm of your hand with our Next-Generation Firewalls.
Think security breaches can’t happen to you? Are you willing to take that risk? Before you answer, here are the largest data security breaches this century (we’re only 12 years in) that may change your mind, and while not all of them are related to a misconfigured firewall, they will open your eyes:
If you have a Next-Generation Firewall, chances are there’s something of value behind it you need to protect. We hope to see you at Dave’s session to learn more about the right way to configure your network security appliance.
On October 23rd, at the Gartner Symposium ITxpo in Orlando, Florida, our own Cory Nachreiner will be speaking on virtualization best practices for network security. His session – Securing Networks in a Virtual, Cloudy World: Virtualization Best Practices – will highlight what you need to know about network security in today’s virtualized IT environment.
Neal MacDonald of Gartner Group has estimated that “60 percent of virtualized servers will be less secure than the physical servers they replace.” MacDonald also identified some of the most common security risks for data center virtualization projects:
Traditionally, network security has been designed as a ‘one appliance, one application’ model and designed with physical networking in mind. Firewalls and UTM appliances are leveraged in network designs based on the fundamental notions of:
With virtualization, these fundamental assumptions may not be true:
In his presentation, Cory will touch on what you need to know about securing your virtual network, and showcase our latest network security solutions designed for virtualization infrastructures, including the XTMv and the XCSv. So mark your calendars and be sure to stop on by.
The Internet provides many exit points for sensitive information to leave your organization. Communications sent by Internet mail, wikis, blogs, and social networks are now a major threat. Adding a web security solution that extends the data loss prevention capabilities provides consolidated visibility and control so you can meet stringent compliance requirements.
When evaluating methods for protecting data in motion against leakage, it is vital to consider the entire landscape of content channels employees use today. Today's employee has instant access to the web and email, through which content can escape: posting data to webmail systems such as Hotmail®, wikis, and blogs, and sending messages and files via email to unlimited, unknown and mostly unrestricted recipients. This highlights the risk of treating data loss prevention as a silo rather than a consolidated platform. Scattering policies across various places in the network, rather than keeping them in a single location, creates security and administration gaps. Those gaps widen further when email and web are scanned separately and data loss prevention activity and violations are reported across multiple protocols and technical silos.
This is why we built our XCS appliance to provide data loss prevention for both email and web protocols through a single administrative access point for creating, managing and enforcing the policies that protect your organization from leakage. As a gateway appliance, our XCS data loss protection is not only transparent to end-users, it provides effective and efficient security. Adding our XCS Web Security subscription to your XCS appliance extends your data loss protection beyond SMTP traffic for comprehensive protection across email and web protocols. This comprehensive visibility and protection is now a necessity rather than an option. With the XCS Web Security subscription, you can scan content in all outbound web traffic, including attachments, for policy violations; it also inspects the context of sent communications, including who is sending the data, where it is being sent, and to whom. To make this easy, it uses the same policies developed for your organization's email communications, saving time and ensuring strong and consistent enforcement. Administrators can manage data loss prevention across protocols from one easy-to-use administrative console.
Overall, a data loss prevention solution must be able to effectively and comprehensively detect attempted policy violations. This includes:
For compliance with regulations such as HIPAA and PCI, protection of intellectual property, and enforcement of appropriate use policies, a data loss prevention solution for data in motion will help address one of the most significant vectors for data loss: electronic communications.
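As an added illustration (not WatchGuard's XCS code), the following Python applies one policy set to both an email and a web upload, using destination context to decide whether the content rules apply; the internal domain, the detectors and the sample messages are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Assumption: the organization's own domain; traffic staying inside it is exempt.
INTERNAL_DOMAIN = "example.com"

@dataclass
class Outbound:
    """One outbound communication, whether carried by SMTP or HTTP."""
    channel: str       # "smtp" or "http"
    sender: str        # who is sending the data
    destination: str   # recipient address (smtp) or web host (http)
    body: str          # message text, form field or attachment content

# 13 to 16 digits with optional space/dash separators (candidate card numbers).
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# US social security number in the common dashed layout.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit counted from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def is_internal(destination: str) -> bool:
    host = destination.rsplit("@", 1)[-1].lower()
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)

def scan(msg: Outbound) -> list:
    """Return the names of the policy rules `msg` violates ([] means allowed).
    The same rules run for both channels; context (where the data is going)
    decides whether the content rules apply at all."""
    if is_internal(msg.destination):
        return []
    hits = []
    for m in PAN_RE.finditer(msg.body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):   # drops order numbers that merely look like PANs
            hits.append("PCI: primary account number")
            break
    if SSN_RE.search(msg.body):
        hits.append("HIPAA/PII: social security number")
    return hits

# Constructed sample traffic: one email and one web form post from the same user.
SAMPLES = [
    Outbound("smtp", "alice@example.com", "partner@example.org",
             "Please bill card 4111 1111 1111 1111, thanks."),
    Outbound("http", "alice@example.com", "paste.example.net",
             "patient SSN 123-45-6789, order ref 4111 1111 1111 1112"),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.channel, s.destination, scan(s) or "allowed")
```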
The easiest way to break into any computer system is to use a valid username and password and the easiest way to get that information is to ask someone for it. In the world of computer network security, the term “social engineering” refers to tricking someone into revealing information, such as a password, useful for an attack.
Like many hacking techniques, social engineering got its start in attacks against the telephone company. The hacker (or phone phreak, as they used to be called) would dial up an operator and, by using the right jargon, convince him or her to make a connection or share some information that should not have been shared.
Social engineering can be used to collect any information an attacker might be interested in, such as the layout of your network, names and/or IP addresses of important servers, version numbers of operating systems and software, and network security products in use internally. Also, social engineering is not limited to phone calls. Some attackers will follow people as they leave on Friday afternoon, hoping that they will go to a bar where they can strike up a conversation.
In reality, social engineering is probably as old as speech, and goes back to the first lie. It is still successful today because people are generally helpful, especially to someone who is nice, knowledgeable, and/or insistent. No amount of computer network security technology can protect you against a social engineering attack.
Recognizing an attack
You can prepare your organization by teaching employees how to recognize a possible social engineering attack. The easiest attack to recognize involves the request for a password. This often comes in the form of a telephone call from someone claiming to be a technician or field engineer trying to solve a problem for your organization. And if the first person called won’t give up his or her password, the caller may try several more before either succeeding or giving up.
The social engineer may also try the help desk or the server administrator. In organizations too large for workers to be familiar with everyone, an attacker may pose as a new hire, or an existing employee who has forgotten his or her password. You should develop procedures to guard against these incidents.
Prevent a successful attack
You can prepare a defense against this form of social engineering by including instructions in your computer network security policy for handling it. Or, if you don’t have a formal network security policy, teach fellow employees what social engineering is and how to deal with it.
The first rule is that no one is ever allowed to share his or her password with anyone under any circumstances. When this rule is followed, it will be possible to track any system access to a specific user-account, because only that user should know that password.
Instruct the help desk to only change or assign passwords when positive identification is provided. Make sure that the authentication method you choose is secure. Caller ID, for example, is not. One attacker who was trying to talk a help desk into changing a password fooled the company equipment into displaying an internal phone number as the caller ID.
Create a response plan
Your response plan should include instructions on how to deal with inquiries relating to passwords or other classified information. For example, transfer the inquiry to the person in the organization who handles computer network security (for example, the person who installs and maintains the firewall). If the caller hangs up, a PBX system with a trace function, or caller ID, will identify or give clues to the identity of the person calling. With this information collected, the security staff can uncover patterns, such as a persistent person trying to collect passwords. If the attempts continue, a return call to the social engineer is often enough to stop the attempts.
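An added example, not from the original article, of the pattern analysis this paragraph describes: it correlates a constructed help-desk inquiry log by the identity the caller claimed (the caller-ID number is kept only as a clue, since it can be faked) and flags a caller who approached several employees within a short window. The names, numbers, window and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed help-desk inquiry log (not real data). Each record: time of the
# call, the identity the caller claimed, the caller-ID number displayed (kept
# for clues only, since it can be faked), the employee approached, and the request.
INQUIRIES = [
    ("2024-03-04 09:02", "Dave from IT", "555-0100", "alice", "password"),
    ("2024-03-04 09:15", "Dave from IT", "555-0100", "bob", "password"),
    ("2024-03-04 09:40", "Dave from IT", "555-0182", "carol", "password"),
    ("2024-03-04 11:05", "Erin (new hire)", "555-0133", "helpdesk", "password reset"),
    ("2024-03-05 14:20", "Dave from IT", "555-0100", "dan", "server names"),
]

WINDOW = timedelta(hours=24)   # assumed correlation window
THRESHOLD = 3                  # assumed: distinct employees approached by one caller

def parse(record):
    ts, claimed, caller_id, target, request = record
    return datetime.strptime(ts, "%Y-%m-%d %H:%M"), claimed, caller_id, target, request

def persistent_callers(records, window=WINDOW, threshold=THRESHOLD):
    """Return {claimed identity: sorted employees approached} for every caller
    who contacted at least `threshold` different employees within `window`."""
    by_caller = defaultdict(list)
    for ts, claimed, _cid, target, _req in sorted(map(parse, records)):
        by_caller[claimed].append((ts, target))
    flagged = {}
    for claimed, calls in by_caller.items():
        for i, (start, _) in enumerate(calls):
            targets = {t for ts, t in calls[i:] if ts - start <= window}
            if len(targets) >= threshold:
                flagged[claimed] = sorted(targets)
                break
    return flagged

def caller_id_changes(records):
    """Return {claimed identity: sorted caller-ID numbers} for identities that
    showed more than one number, a hint that caller ID is not proof of identity."""
    numbers = defaultdict(set)
    for _ts, claimed, cid, _target, _req in map(parse, records):
        numbers[claimed].add(cid)
    return {c: sorted(n) for c, n in numbers.items() if len(n) > 1}

if __name__ == "__main__":
    print(persistent_callers(INQUIRIES))
    print(caller_id_changes(INQUIRIES))
```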
Unless you work for the NSA, or the armed forces, you may not be constantly reminded that “loose lips sink ships”. Nevertheless, vigilance is important. You and your organization need to be circumspect in the information you share with outsiders, as well as insiders, in order to protect critical information about your networks and servers.
Whether based on Symbian, Palm, or Windows CE, smartphones are ripe for compromise and data security issues. Yes, these operating systems incorporate some built-in security measures, and third-party products can fill many of the gaps. But our biggest smartphone security challenges are perception and user behavior. Simply put, most of us fail to treat smartphones as computing assets that require business-grade data security measures.
Smart phones, if you want to call them that, are here to stay, but let’s all be smart about data security and protection as we handle corporate information and data. There’s a lot at stake!
Even when you’ve got SMTP locked down tight, email can sneak into your system and cause network security troubles in three major ways:
Let’s consider each of these.
SMTP vs. POP and IMAP
Most email traffic passing over the Internet uses the Simple Mail Transfer Protocol (SMTP). That’s why checking the content of all SMTP traffic for malicious code catches most worms and viruses delivered through email. However, the SMTP protocol only transports email from the sender to the recipient’s mail server. It does not get the mail from that server to the actual recipient. Email recipients grab mail from servers by using numerous other protocols. Among the most commonly used are POP, IMAP, and Microsoft’s Exchange transport protocol. In fact, your users are probably using one of these protocols in your network right now to get email from your mail server to their computers.
Inside your network, hosts can use these transport protocols to get mail from a server that’s also within your network, without creating additional risk. Since the mail server is internal, the mail on it will have already been scrubbed with the SMTP proxy or even anti-virus software. However, these protocols are risky if you use them to grab mail from servers outside your firewall. If you give your users unrestricted access to the Internet with protocols like POP and IMAP, they could grab email from outside your network, from personal email accounts that probably don’t have the network security features you have placed on your protected SMTP server. This creates a new unprotected path for malicious email to make it into your network.
Web-based mail agents are essentially Web sites that provide a friendly user interface for mail servers. Rather than having your email client (e.g., Outlook or Eudora) contact a mail server and download your email, you can surf to a Web site where you can read your mail and download any attachments from that mail using a normal Web browser. Since HTTP resembles SMTP in its content delivery mechanism, anything you can get via email, you can also get through a Web-based mail agent.
This opens up yet another network security door for malicious content. Since Web traffic moves via the HTTP protocol to port 80, and mail traffic moves via SMTP to port 25, your users access Web sites with an entirely different port than they would a mail server. That means your SMTP proxy, which works on port 25, cannot filter the content your users attempt to download from these Web-based mail sites, which use port 80. Users in your network may be accessing external Web-based mail agents that are not configured to block worms, viruses and other email based hazards. Allowing access to these Web-based servers introduces another hole into your network security strategy.
The third “sneaky” email delivery method commonly allows malicious email to enter a secured network. Many organizations have laptop users who bring their machines home. If these roving laptops access the Internet from home, they’re probably using insecure connections. Any virus or worm the user may receive through a home account could easily spread throughout your internal network when users then take that same machine to work and plug into your office network. They bypass all the network security measures you spent so much time creating. It is very important to realize this risk if you have any mobile users in your company.
So what can you do about it?
The key to email security (and all network security) is to control all methods of entry and exit that traffic might take. Now that you know the alternate means of entry email can take into your network, your task as the network administrator is to enforce a single path of entry for email, consistent with your network security policy. If you want the Firebox and its proxies to protect you from email threats, all email must pass through the Firebox. You can achieve this ideal using a combination of policy and technology.
Policy is arguably the most powerful tool a network administrator has for enforcing network security. Whether or not the technology exists to secure your network in the way you like, you can still use policy to impose restrictions on your users as well as to enforce consequences when restrictions are broken. For example, your network security policy could state that users should not access outside mail accounts or Web-based mail agents from inside the office network. If you allow limited personal email use through your users' office accounts, there is no need for employees to access personal email accounts from the office. This policy alone could shut the door to most malicious emails that bypass your office's email gateway.
You could also create a policy for mobile users. If users will be taking laptops home and will require online access, you could require them to have a firewall as well as virus protection software. You could also stipulate that your users check only office mail on their company-issued laptops, and use their own machines to check personal mail.
A network security policy is only effective when it is enforced. For that reason, logging and reports are very important aspects to enforcing your policies.
Once you have written and distributed your email policy, you can also use technology to enforce it. If you have made it policy not to allow access to external mail servers from work, you can actually enforce this on your firewall. Some firewalls, like our Next Generation Firewall, and email security appliances like our XCS solution, allow control over outgoing as well as incoming traffic. If you add services for POP and IMAP and then deny those services in the outgoing direction, your users will not be able to check external mail even if they decide to break policy.
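To show what "a single path of entry for email" looks like as an enforceable rule, here is an added Python example (not Firebox or XCS configuration) that audits constructed connection log lines against that policy: internal mail pickup is allowed, outbound SMTP is allowed only from the mail gateway, and POP/IMAP to outside servers and named web-based mail agents are violations. The addresses, the log layout and the webmail host list are assumptions.

```python
import ipaddress

# Assumptions (not from the original article): the office network, the internal
# mail server, and the gateway that is the only host allowed to send SMTP out.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
MAIL_GATEWAY = ipaddress.ip_address("10.0.0.5")
MAIL_PICKUP_PORTS = {110: "POP3", 143: "IMAP", 993: "IMAPS", 995: "POP3S"}
WEBMAIL_HOSTS = {"webmail.example.net"}   # hosts named in the acceptable-use policy

# Constructed firewall log lines in a simple key=value layout (not a real format).
LOG = """\
src=10.0.1.17 dst=10.0.0.25 dport=143 host=-
src=10.0.1.17 dst=198.51.100.8 dport=110 host=-
src=10.0.0.5 dst=203.0.113.9 dport=25 host=-
src=10.0.1.33 dst=203.0.113.9 dport=25 host=-
src=10.0.1.17 dst=198.51.100.20 dport=80 host=webmail.example.net
src=10.0.1.40 dst=198.51.100.21 dport=443 host=www.example.org
"""

def parse_line(line):
    """Split one key=value log line into (src, dst, dport, host)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return (ipaddress.ip_address(fields["src"]), ipaddress.ip_address(fields["dst"]),
            int(fields["dport"]), fields["host"])

def evaluate(src, dst, dport, host):
    """Apply the single-path email policy to one connection. Returns (allowed, reason)."""
    if dst in INTERNAL_NET:
        return True, "internal"               # pickup from the internal mail server is fine
    if dport == 25:
        if src == MAIL_GATEWAY:
            return True, "gateway SMTP"       # the one sanctioned path out
        return False, "direct SMTP bypasses the mail gateway"
    if dport in MAIL_PICKUP_PORTS:
        return False, f"{MAIL_PICKUP_PORTS[dport]} to external server"
    if host in WEBMAIL_HOSTS:
        return False, "web-based mail agent"
    return True, "other"

def audit(log_text):
    """Return [(src, dst, dport, reason)] for every line that violates policy."""
    violations = []
    for line in log_text.splitlines():
        src, dst, dport, host = parse_line(line)
        allowed, reason = evaluate(src, dst, dport, host)
        if not allowed:
            violations.append((str(src), str(dst), dport, reason))
    return violations

if __name__ == "__main__":
    for v in audit(LOG):
        print(*v)
```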
An article recently published by CNNMoney, "How Google Keeps your Secrets Private", found that many people were concerned about online privacy, and to address the issue the magazine spoke with Google's recently appointed privacy director, Alma Whitten. During her time with Google she has implemented what she refers to as "a culture of privacy". "Instead of 70 policies across each of its products — search, maps, Gmail, etc. — Google will consolidate most of them into a single, shorter, privacy agreement." This privacy agreement will ensure your safety when using Google.
Whether you're Googling an answer to a trivia question, researching a medical condition, or on a mission to prove the know-it-all best friend wrong for once, we all have a right to privacy, and it is reassuring to see that companies such as Google are working so hard to make sure that right is maintained. With that said, there are websites that are not as careful with their information, so it is imperative that you are always cautious on the internet. Here are a few data loss prevention tips to keep in mind when surfing the web:
WatchGuard continues to move security forward with the latest additions to the XTM Series: the XTM 25 and the XTM 26. Network protection is stronger than ever, with HTTPS inspection, VoIP support and optional application control. Application-layer content inspection recognizes and blocks threats that stateful packet firewalls cannot detect; this helps ensure that anything entering the network will not compromise critical data, applications or resources. Along with exceptional security, one should expect a security solution to be efficient and flexible:
- Monitoring and reporting tools, included at no extra cost, support industry and regulatory compliance, with drill-down functions that make it easy to pinpoint specific activities.
- Drag-and-drop Branch Office VPN setup – three clicks and your remote office is connected.
- Intuitive management console centralizes configurations and streamlines remote management.
- Call setup security for VoIP means you don’t need to “wire around the firewall” to take advantage of the big cost savings that VoIP can generate.
- Multiple VPN choices deliver flexibility in remote access. Includes IPSec, SSL, and support for iOS devices such as iPhone, iPad, and iPod touch.
- Advanced networking features, like transparent bridge mode and dynamic routing support, allow you to add security without needing to change existing network infrastructure.
- Choice of wired or wireless models to suit your specific business requirements.
Enterprise-level security is something that every business, regardless of size, should expect from their security vendor; this is a philosophy that WatchGuard has stood behind for over 15 years. The reality is that businesses that believe they are not under threat are more likely to fall victim to breaches or data loss. Knowing this, it is vital that even the smallest of businesses take the necessary steps in securing their networks, applications and data.