Posts Tagged ‘endpoint security’

Layered Endpoint Security

Posted in Awareness and Education, Business and Security on April 13th, 2011 by Paul

I love this conversation:

“Is your workstation protected?”

“Of course, I have anti-virus installed.”

Anti-virus is one piece of protecting a workstation, but on its own it isn’t enough.  Most AV products do a poor job of detecting new malware.  They do better over time against old malware that happens to still be floating around, IF (and it’s a big “if”) signatures are updated frequently.

So what else is needed?

Any single technology can fail.  Think in layers when it comes to comprehensive security.  Here are a few considerations:

  1. The bad guys have figured out that the quickest way onto your computer is through third-party applications that are vulnerable and out of date.  Adobe seems to have taken Microsoft’s place as the malware whipping boy.   So, consider extending your patch management program beyond the operating system and common productivity suites like Office to every application that resides on business workstations.
  2. Remove, where possible, local Administrator rights for users.  Most users don’t need them.  Malware loves them.
  3. Managing your endpoints and the software that can be installed on them helps control the “rogue” software that tends to magically appear on workstations.  If it’s needed for business, there is no reason it can’t be managed appropriately.  Application whitelisting tools may help here.
  4. Consider host IPS and the other features that come with anti-malware suites.  Tie them into a central logging environment or management console.
  5. Consider virtualizing the browser to confine drive-by infections.
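
As an added example (not code from the original post), here is a read-only PowerShell audit that checks a workstation against items 1 through 3 above: installed third-party software against a minimum-version baseline, membership of the local Administrators group against an allow-list, and whether AppLocker is actually enforcing rather than sitting in audit mode.  It assumes Windows 10 or later with Windows PowerShell 5.1, an elevated prompt and the AppLocker module; the baseline version numbers and the allowed-admin names are placeholders to replace with your own.

```powershell
# Added example, not from the original post. Read-only audit of three of the
# layers above on one Windows workstation. Assumes Windows 10+, Windows PowerShell 5.1,
# an elevated prompt and the AppLocker module.

# Layer 1 (patching): hypothetical minimum-version baseline. Keys are matched as
# prefixes of the registry DisplayName; the version values are placeholders.
$Baseline = @{
    'Adobe Acrobat'   = '23.0'
    'Mozilla Firefox' = '115.0'
    'Google Chrome'   = '120.0'
}

# Layer 2 (least privilege): accounts allowed in the local Administrators group.
# Placeholder names; anything not listed is reported.
$AllowedAdmins = @('Administrator', 'Domain Admins', 'Workstation Admins')

function Get-InstalledSoftware {
    # Both the 32- and 64-bit uninstall hives; MSI and EXE installers register here.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -and $_.DisplayVersion } |
        Select-Object DisplayName, DisplayVersion, Publisher
}

function Test-PatchBaseline {
    param([array]$Installed, [hashtable]$Baseline)
    foreach ($app in $Installed) {
        foreach ($name in $Baseline.Keys) {
            if ($app.DisplayName -like "$name*") {
                # "-as [version]" yields $null for strings such as "2023.1 (x64)";
                # those are surfaced for manual review instead of silently passing.
                $have = $app.DisplayVersion -as [version]
                $want = $Baseline[$name]   -as [version]
                if (-not $have) {
                    [pscustomobject]@{ Layer = 'Patching'; Item = $app.DisplayName; Detail = "unparseable version '$($app.DisplayVersion)'" }
                } elseif ($have -lt $want) {
                    [pscustomobject]@{ Layer = 'Patching'; Item = $app.DisplayName; Detail = "$have is below baseline $want" }
                }
            }
        }
    }
}

function Test-LocalAdmins {
    param([string[]]$Allowed)
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $short = ($_.Name -split '\\')[-1]          # strip the DOMAIN\ or COMPUTER\ prefix
        if ($Allowed -notcontains $short) {
            [pscustomobject]@{ Layer = 'LeastPrivilege'; Item = $_.Name; Detail = "unexpected member ($($_.ObjectClass))" }
        }
    }
}

function Test-AppLocker {
    try {
        # -Xml returns the effective policy as an XML string; each RuleCollection
        # carries its own EnforcementMode (NotConfigured, AuditOnly or Enabled).
        [xml]$policy = Get-AppLockerPolicy -Effective -Xml
        $enforced = $policy.AppLockerPolicy.RuleCollection |
            Where-Object { $_.EnforcementMode -eq 'Enabled' } |
            ForEach-Object { $_.Type }
        if (-not $enforced) {
            [pscustomobject]@{ Layer = 'Whitelisting'; Item = 'AppLocker'; Detail = 'no rule collection is in Enabled (enforce) mode' }
        } elseif ('Exe' -notin $enforced) {
            [pscustomobject]@{ Layer = 'Whitelisting'; Item = 'AppLocker'; Detail = "Exe rules not enforced; enforced only for: $($enforced -join ', ')" }
        }
    } catch {
        [pscustomobject]@{ Layer = 'Whitelisting'; Item = 'AppLocker'; Detail = "could not read policy: $($_.Exception.Message)" }
    }
}

function Invoke-EndpointAudit {
    # Returns one object per finding; an empty result means all three checks passed.
    $findings = @()
    $findings += Test-PatchBaseline -Installed (Get-InstalledSoftware) -Baseline $Baseline
    $findings += Test-LocalAdmins -Allowed $AllowedAdmins
    $findings += Test-AppLocker
    $findings
}

$result = Invoke-EndpointAudit
if ($result) { $result | Format-Table -AutoSize } else { 'No findings.' }
```

Run it from a scheduled task or your management tool and ship the objects it returns to the central console from item 4 rather than reading them on each box.  The patch check deliberately flags anything whose version string does not parse instead of treating it as compliant, since a silent pass on an unparsed version is exactly how an out-of-date reader or plugin stays invisible.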


Less “Aware” Consumers are Bigger Phishing Targets

Posted in Awareness and Education on January 4th, 2011 by Paul

It should come as no surprise that, with the proliferation of mobile devices (Blackberry, Android, iPhone), phishing attacks have also gone mobile.  From an article at Help Net Security, “Mobile users more vulnerable to phishing attacks”, log files from a compromised web server hosting phishing web sites revealed these interesting tidbits:

1.  Mobile users (Blackberry, Android, iPhone) are three times more likely to submit their login info than desktop users.

2.  Eight times more iPhone users accessed these phishing websites than Blackberry users.

This shouldn’t be a surprise to anybody.  Individuals have grown accustomed to getting information on the go.   It’s simple to click on a link within an e-mail on your mobile device and be taken to a website.  This site can be legitimate or it could be serving up malware or asking for sensitive information.

I’m equally not surprised by the fact that, by a large margin, more iPhone users are going to phishing sites than Blackberry users.  Even though Blackberry still beats the iPhone in market share, Blackberry users tend to be business-driven while iPhones are widely consumer-driven devices.  While certainly not validated, I agree with the reasonable assumption in the article that business users tend to be more “security aware” than the average consumer and are less likely to fall for phishing scams.

Since “awareness” is a good defense against phishing scams, who is positioned to provide it?  Should providers of consumer devices such as the iPhone and Android also be providing awareness information since their devices are now much more than phones?

NJ Supreme Court impacts privacy expectation

Posted in Business and Security, National and State Privacy/Security Law on April 5th, 2010 by Paul

The New Jersey Supreme Court recently ruled that a company shouldn’t have read an ex-staffer’s private e-mails even though they were sent from her employer’s computer.  See the NorthJersey.com article.

An interesting ruling which will certainly change some thinking about personal use of work computers.  While I’m a proponent of privacy rights, I’m torn on this particular ruling.  The company had a policy in place that warned e-mails “are not to be considered private or personal to any individual employee”.  That’s a fairly common policy statement, but the usual intent is to cover company e-mail, not a personal Yahoo account.  I tend to side with the court that attorney-client privilege applied because there was an attempt to keep the personal e-mail secure.  Personal e-mail accounts, especially correspondence with an attorney, seem to be reasonably outside the reach of an employer in my non-legal opinion.

That said, I think the issue here revolves around the personal use of company-owned computers rather than the specific e-mail.  In this case the employee was absolutely out of her mind to be exchanging communications with her attorney in preparation for a lawsuit against her company using a company-issued laptop.  Stupidity aside, the question is whether the company had a right to “monitor, audit, intercept, access and disclose” any information that was sent using, or stored on, company-owned equipment.  This is where things get a little fuzzy for me.

Since businesses are responsible for the protection of PII that is transmitted from or stored on their equipment, there is certainly an obligation to monitor and audit that equipment to assure compliance.  While I don’t think that extends into people’s personal e-mail accounts, let’s create a scenario based on the patient privacy breach at University Medical Center I blogged about in November.

What if the employee were “hired” by a dubious attorney to provide them with face sheets as part of an unethical “referral gathering” scheme?  Now, instead of taking the hard-copy face sheet as was done in that case, the employee uses a personal Yahoo account to send the information to their “attorney”.  I doubt this meets the same measure of attorney-client privilege identified in the New Jersey case, but it certainly illustrates the potential misuse of employer-owned computer assets, which can be quite damaging to both business reputation and finances.

As this New Jersey ruling resonates it will be interesting to see how organizations shift their policies, if they do at all.  With the proliferation of social media and smart phones, it may not be an unreasonable time to revisit policies anyway.

Where Did That Come From?

Posted in Business and Security on November 16th, 2009 by Paul

Many victims of identity theft have no idea how their information was stolen.  Unfortunately, business processes may be leading to the disclosure of customer or employee personal information.  It seems obvious that the hard drives in desktop and laptop computers need to be sanitized before being surplused, but a recent article identifies copy machines as having the same issue with the storage of personal information.  Who would have thought?

“56 percent of people who are victims of ID theft have no idea how perpetrators got their ID,” said Sean O’Leary of Digital Copier Security, “And we can assume a portion or large part is a result of data breaches from photocopiers.”

That’s right – photocopiers.

O’Leary says he believes most companies don’t realize their copy machines have hard drives.

“We just take it for granted this little photocopier sitting in the corner of an office is safe and innocuous,” said O’Leary, “But in reality, with that hard drive it’s storing personal information.”

Today’s copy machines do a whole lot more than copy. They print. They scan. They email. They fax.

The machine has to have a way to remember all that information.

Between 1998 and 2002, companies began equipping copy machines with hard drives.

From “Press Copy to have your Identity Stolen,” Melissa Yeager, WINK News, Nov 12, 2009

Considering the type of information that gets “copied”, copier hard drives may be an ideal source for the malicious person looking to steal sensitive data.  While it may seem simple to use a program like DBAN to wipe the hard drive of a desktop or laptop, removing data from a leased copy machine may be a challenge for most organizations.  Leasing companies should be warning their customers about the hard drives and either providing a way for the customer to sanitize the drive OR certifying the destruction of personal information when the copier is exchanged as part of a lease.

Sometimes the information security challenges come from unusual places.  With technology advances, we need to be mindful of where information flows throughout ALL of the organization, even in what most would consider to be rather innocuous places.

More Useless Legislation

Posted in Should Have Known Better on August 3rd, 2009 by Paul

“File Sharing Leaks Sensitive Federal Data, Lawmakers Are Told” – Washington Post

Another politician jumps into high gear with more useless legislation and finger pointing after sensitive information was leaked via P2P software on federal computers.  Policy already dictates that P2P software shouldn’t be used, but these agencies lacked the technical controls to enforce the policy.  Adding legislation that merely says “don’t do it” is not the answer.  Blaming the P2P software companies for federal agencies’ failure to implement good security is pathetic, but certainly not unusual for the political blame game.

Good endpoint security with perhaps the prudent implementation of whitelisting technology can provide the technical controls necessary to enforce such policy.