Friday, August 30, 2013

VARIED STORAGE MEDIA, WINDOWS XP COMPLICATE DATA LOSS PREVENTION


Consumer smartphones and tablets, and the bring-your-own-device policies that have fueled their adoption in enterprises, are the subjects of growing security and compliance scrutiny. At the same time, they may not paint the full picture of corporate data leakage and compliance vulnerabilities, since many organizations, especially in the healthcare industry, still store information on optical media, PCs and other appliances. Additionally, outmoded hardware running Microsoft Windows XP is becoming a lightning rod for zero-day threats that can compromise the entire network, revealing the wide range of challenges currently facing endpoint management.
Locking down a mix of old and new endpoints
Data breaches are not only costly, but also likely to land healthcare providers in hot water with regulators. A recent incident involving the U.S. Department of Health and Human Services and a third-party records management agency resulted in the latter having to pay $1.2 million after it failed to properly erase data from hard drives.
Reporting on the issue for Lexology, Alaap Shah of the law firm Epstein Becker Green pointed out that companies handling protected health information often do not account for the many different endpoints through which that data passes. Examples may include DVDs, email archives, and hard drives, or seemingly innocuous appliances like the photocopiers at the center of the HHS incident.
If administrators do not implement well-designed endpoint security software that tracks leaks and threats across numerous devices, then simply using a secure claims database as the original storage medium will not matter. Encryption and BYOD policies that wall off legally protected data from personal effects are also vital measures for protecting it from the many individuals and third-party firms that now have access to that information.
Windows XP complicates endpoint security and control
Old storage media and mobile policies are not the only lingering vulnerabilities. Even as it approaches end-of-life on April 8, 2014, Windows XP remains popular 12 years after its original release, powering many mission-critical endpoints. A VMware survey revealed that 64 percent of large enterprises, and over half of midsize outfits, had not migrated off XP.
Microsoft executive Tim Rains advised anyone still on the operating system to immediately upgrade to at least Windows 7 to avoid falling victim to the near-certain proliferation of threats that the company will not patch.
“After April 8, Windows XP Service Pack 3 customers will no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates,” wrote Rains. “This means that any new vulnerabilities discovered in Windows XP after its end-of-life will not be addressed by new security updates from Microsoft.”
Currently, attackers reverse engineer Windows patches in order to discover the vulnerabilities those patches fix and build exploits for them. While newer versions may receive more hacker attention due to their growing adoption rates, older platforms like XP are usually vulnerable to the same dangers, since they share the same kernel. Catastrophic zero-day exploits can emerge in this context, and without timely patching after next year, XP “will essentially have a zero-day vulnerability forever,” stated Rains.

BYOD, CONSUMER APPS LEADING CAUSES OF CORPORATE DATA LEAKAGE


What are the most likely catalysts for data leakage? IT departments may now have entered a perfect storm of risks, emanating from rising use of cloud services, increasingly fragmented device fleets and ongoing consumerization trends in both software and hardware usage. As a result, many leaks occur accidentally, and total incidents have been ballooning in both frequency and scale over the past decade. An endpoint security and control strategy that combines technically precise monitoring tools with adequate employee awareness is the only way for organizations to protect themselves in the current threat-ridden environment.
Corporate applications like email services are often much slower, albeit more secure, than their consumer counterparts and perform less well outside the confines of the company network. Accordingly, employees often resort to popular commercial webmail services that run well in nearly any environment, and this universality pairs well with the self-supplied hardware, especially smartphones and tablets, which they use for both business and leisure activities.
IT departments must improve file tracking visibility
By doing so, workers create many endpoint security risks tied to the unsecured movement of files, although some fault lies with IT departments that have not adopted comprehensive monitoring tools. According to an Ipswitch survey summarized by CIO.com’s Rich Hein, departments often fail to keep tabs on activity from personal email accounts used on their networks. An older study found that more than 70 percent of IT executives had no visibility into file movements within their organizations.
Aside from better performance speed, employees may use personal accounts to share large files that would otherwise be blocked by corporate email restrictions. Consumer cloud services like Dropbox have complicated data loss prevention efforts because of their similar facility with large file transfers, which users may tap into using an inter-app “Open In” button that is not properly secured.
“Opening documents in third-party applications presents some unique challenges related to putting corporate data at risk,” Fiberlink security officer David Lingenfelter, whose organization also conducted a survey on data leakage risks, told Hein. “The first risk is sharing data with third parties, including applications like Facebook and Dropbox. While employees may naturally use caution when forwarding emails, the ‘Open In’ functionality is much less obvious, and they may be leaking data using ‘Open In’ unintentionally.”
BYOD and lost devices
Endpoint management must also address a dizzying range of at-risk hardware. Hein cited a security study that found that 62 percent of IT employees believed it was okay to put corporate files on their personal devices, and that most of them never deleted these items.
USB thumb drives are a common way to improperly move files, with 33 percent of Fiberlink survey respondents stating that they had lost a drive containing confidential information. However, security executives have to be aware of smartphones and tablets with increasingly large storage capacities supplemented by consumer clouds. Over half of respondents admitted to using such devices for work. Without remote wipe capability, a lost mobile device can translate into major financial and IP-related damage.

ENDPOINTS BECOMING CONDUITS FOR WIDELY DISTRIBUTED ATTACKS


The advent of cloud computing and bring-your-own-device strategies has made it more difficult to secure specific endpoints, since administrators may be prioritizing ease of data access at the expense of safety. Threats remain, however, as much of the current generation of endpoint security software has not yet adjusted to aggressive hacking and cyberwarfare tactics that use individual endpoints as launching pads for widely distributed attacks.
In one of the most famous endpoint-initiated attacks in recent memory, a family of malware known as Comfoo was employed to compromise the networks of many multinational corporations in 2010. According to CRN contributor Robert Westervelt, the Comfoo umbrella included a number of custom-designed backdoor exploits and trojans that could distribute malware on an ongoing basis. Perhaps more seriously, they could cause damaging data leakage by scraping network and account details and monitoring all user input. The Comfoo malware may have been part of a sophisticated cyberespionage campaign, as evidenced by both its methodology and the lengths to which it went to avoid and misdirect endpoint monitoring.
The attacks used social engineering and email phishing to compromise targeted devices, highlighting how endpoints have become, in the words of security executive Jason O’Reilly, “surfaces” ripe for malware infiltration. Speaking to ITWeb, O’Reilly stated that endpoint software often does not sufficiently account for access from locations beyond the IT department, and that it does not have access controls that limit data exposure to authorized parties.
“Endpoint security solutions must offer layered protection that goes beyond signature-based detection only to include heuristic-based detection and polymorphic-based detection,” advised O’Reilly. “Today’s networks are exposed to threats from many different sources.”
Generating reports and catching threats in real-time
Business consulting firm Frost & Sullivan identified the high stakes for endpoint security and control strategies, which are under pressure from both outside attackers and seemingly insatiable employee demand for device choice flexibility.
“Enterprise IT organizations now face tremendous pressure to enable employees to access the corporate network and files from their own personal devices,” said Frost & Sullivan analyst Chris Rodriguez. “Considering their seemingly omnipresent nature, fast data connections, and powerful hardware and operating systems, these devices represent prime targets for hackers.”
What can organizations do to clamp down on the unique weaknesses of mobile hardware? O’Reilly suggested that solutions should provide clear, comprehensive visibility into what is occurring on each endpoint so that threats can be swiftly addressed.

Thursday, August 22, 2013

Building a Fearless Company


I took the time today to re-watch a video posted by the Commonwealth Club with Steve Blank – “How to Build a Great Company, Step by Step.”
Steve is a smart guy, with a nice sense of humor, and I’ve always valued his insights.  Several of his key points ring true to me.
  • I like the quote from the video, “there are no facts inside your building, so get the hell out of it!” – Steve called it a lesson hard learned in Silicon Valley.  At Ziften most of our key execs are out with customers and prospects on a weekly basis.  We are a young company and understand it is critically important that our business model have a realistic view of our market, and how we can add value.
  • Listening to our customers is the most important thing we do.  In the video Steve points out how hard it is for entrepreneurs to listen rather than dumping their IP on anyone willing to listen.  I regularly counsel my staff on the value of listening over talking – after all, customers and prospects are far more interested in hearing how we solve their problems than how smart we are!
  • Steve speaks about how innovation is treated in America, versus the rest of the world.  This is one of my core beliefs.  We are blessed in America with an attitude that previous failures, from which learning occurs, make an executive “experienced” and more valuable in startups.  Fear of failure is the death knell to innovation.
I encourage my people to take risks without fear of reprisal.  It is making the team much faster at getting to our goal of bridging the gap between security technologies and really effective enterprise client security management.   There’s a big difference – we are on the verge of sharing additional information on our unique value proposition in endpoint security management, so watch this space!

Wednesday, August 21, 2013

WITH BREACHES INEVITABLE, COMPANIES MUST PURSUE DATA LOSS PREVENTION


Occurrence of a major data leakage incident may now be a matter of “when” rather than “if” for U.S. companies, due to the convergence of new risks inherent in data-intensive applications, fragmented endpoint strategies and cloud computing. Too frequently, companies ignore or inadequately address known vulnerabilities, and the persistence of aging, unsecured IT assets eventually attracts the attention of cybercriminals.
Data breaches occur at an alarming rate. In 2011 alone, 855 breaches resulted in the loss of 174 million records, according to a report from the Verizon RISK Team. For companies that handle personally identifiable information (PII), the stakes are particularly high, since insufficient endpoint data protection measures and lack of employee compliance education can result in costly legal action.
Writing for Mondaq, legal expert Jeffrey Vagle stated that “[t]he likelihood of a data breach or privacy issue occurring in any business has become a virtual certainty,” and he advised record keepers to rethink their approaches to device and network security, administration of PII information and employee data access controls. However, data leak prevention may be more difficult due to rising usage of cloud services, which permit the storage and exchange of massive amounts of information at a time. Even one incident could result in the loss of thousands or millions of files.
Focusing on known vulnerabilities
IT departments frequently worry about zero-day attacks that can catch them off-guard and result in data leakage. For example, Network World’s Dirk Smith chronicled the recent emergence of an Adobe Acrobat exploit that could let hackers conduct advanced surveillance. However, IT vulnerabilities may more often stem from unpatched old software, and even many zero-day threats arise from weaknesses in legacy code, including a Windows bug which Smith said targeted features first implemented 20 years ago.
“[O]ne thing that I have found is that many of the breaches and intrusions which succeeded did so by attacking known vulnerabilities that had been identified and had been around for years: not from some sophisticated ‘zero-day’ attack which was unidentified and unknown until only yesterday by the security community at large,” wrote security expert Jim Kennedy in a recent Continuity Central article. “And, even more disturbing, social engineering continues to be a most successful way to begin and/or precipitate an attack.”
Additionally, hackers now have access to a wide range of prepackaged malware. These tools can often perform complex analytics of a computer or network and then suggest an optimal line of attack. Aside from literal tools, attackers also take advantage of employees who are not trained to screen out calls or messages from individuals who falsely claim to be a security provider’s technical support team.
While it is imperative to proactively guard against zero-day attacks with robust endpoint protection software, companies also need to pair effective processes and training with their software and hardware solutions. Organizations often have multiple security policies in place, but the issue is enforcement. As a result, risky fluctuations in traffic or data movement, though nominally identified for security review, are not quickly and efficiently addressed.
-Charles H. Leaver

ACCESS CONTROL AND ENDPOINT MANAGEMENT: TWO KEYS TO SECURE BYOD



-Chuck Leaver

PASSWORDS, EMPLOYEE SHARING ARE DATA LOSS RISKS FOR BYOD


Enterprises that have implemented bring-your-own-device policies are at increased risk of cybercrime and data loss, most often because of their insufficient endpoint security and control measures. On mobile devices, employees typically access less secure consumer cloud services and engage in unsafe password practices, which accounts for a large portion of all BYOD-related risk. Endpoint software that provides visibility into exactly what is running on a device can help IT departments to understand and eventually address their vulnerabilities.
BYOD is a popular way for executives and workers to access sensitive corporate data on their personal smartphones, tablets and laptops. A recent ZDNet survey discovered that nearly nine in 10 Australian businesses have granted some of their senior IT staff members access to critical company information via their own BYOD devices, while 57 percent stated that they had provided it to at least four-fifths of their leadership. Even in the case of newer and less privileged staff, 64 percent had provided BYOD access, although company financial information was typically blocked from all but the most senior workers.
While BYOD devices and usage are proliferating, many of these organizations have not implemented proper endpoint management strategies to secure their increasingly mobile workflows. Nearly half of respondents stated that their companies did not have BYOD policies, and only 17 percent confirmed that their practices were ISO 27001 certified.
Passwords may be the greatest risk to safe BYOD
For companies that had taken steps to secure BYOD usage, acceptable use policies and passwords were the most popular measures. However, passwords may represent a unique and critical vulnerability in BYOD implementations, since users often reuse passwords that are not sufficiently complex. In an interview with CIO Magazine’s Tom Kaneshige, former Federal Trade Commission executive Paul Luehr asserted that while enterprises with BYOD initiatives certainly face heightened external risk from hackers, the greatest risk may be internal.
“The most common way BYOD policies affect data security and breaches is in the cross-pollination of passwords,” Luehr told Kaneshige. “A person is probably using the same or very similar password as the one they use on their home devices.”
Disgruntled employees, who often leak critical data after being let go, are prime risks for companies that have permitted BYOD, noted Luehr. As a result of BYOD, the distinction between home and the workplace is disappearing, and employees may now feel empowered to engage in relatively risky behavior like using social media on corporate networks, as a prelude to eventually sharing information either carelessly or willfully via cloud services. Comprehensive endpoint security is a necessity for preserving BYOD-induced productivity gains in the face of these threats.