Why You Can’t Ignore iPhone/iPad Security

It wasn’t too long ago that Apple was a mere blip in a Windows-dominated world. At least its modest market share meant Apple products flew under most cybercriminals’ radars.

But now that Macs are hot again, we’re hearing more about malware attacks like the MacDefender scareware. And with Apple’s monstrously successful iPhone and iPad product lines, there’s a growing concern that these iOS devices could also be an obvious target for tech-savvy thieves -- and pose a threat to an entire corporate network.

Should You Ban Consumer Devices?
Before allowing iOS devices into the organization, IT must educate employees about the risks, use tools to safeguard company data and develop policies that can reduce the odds of a security breach. Or should you just ban consumer devices altogether?

“Your company should not develop policies that exclude iOS devices,” says Kevin Sterneckert, research vice president at the Gartner research and consulting group, based in Stamford, Conn. “Your employees are going to use these devices with or without permission. And with the latter, it could expose your network to major security breaches.”

In fact, allowing users to choose the device they want has its benefits. “It could be less expensive for the company if they’re not paying for a device,” adds Sterneckert, “so we’re seeing more of a ‘You bring the device, and we’ll provide the service’ kind of scenario in the workplace today.”

What You Can Do
Sterneckert says there are three behaviors every company should adopt:

  • Require passcode usage. Your end users should use the four-digit PIN on the iPhone and iPad, plus an auto-wipe option that deletes data after a few incorrect login attempts.
  • Encrypted backup. Make sure you’re using this added layer of security on the local workstations to which the iOS devices are connected. “This will protect and secure all data on the device,” says Sterneckert.
  • Use Find My iPhone. Ensure the Find My iPhone service (free) is enabled, so a lost or stolen device can be located remotely and/or wiped clean.

Microsoft Exchange ActiveSync is also recommended for email. “The challenge is to make sure you put the right guardrails around environments, like email and Web use, that include the right permissions, certificates and keys,” says Sterneckert. “Apple has done a great job at that.”

The Importance of Usage Policies
IT departments should also create policies based on the company’s needs and/or industry’s regulations. Make sure people understand their importance and why they’re in place. For example, it’s possible to limit the downloading of applications from iTunes, disable the iPhone or iPad’s cameras or curb corporate Wi-Fi use for personal reasons.
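The passcode and auto-wipe settings from the checklist above and the camera and app-install restrictions mentioned here can be pushed to devices as a configuration profile. This is an added example, not code from the article: it generates and audits such a profile with Python's plistlib. The payload types and keys are Apple's documented configuration-profile keys; ID_PREFIX, the display name and the default wipe threshold of 10 failed attempts are constructed values.

```python
import plistlib
import uuid

ID_PREFIX = "com.example.ios-policy"  # constructed placeholder
PASSCODE = "com.apple.mobiledevice.passwordpolicy"
RESTRICT = "com.apple.applicationaccess"


def _payload(ptype, suffix, settings):
    """Add the common keys every payload dictionary must carry."""
    return {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ID_PREFIX}.{suffix}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        **settings,
    }


def build_profile(max_failed=10, allow_camera=False, allow_app_install=False):
    """Return the profile as XML plist bytes, ready to save as .mobileconfig."""
    passcode = _payload(PASSCODE, "passcode", {
        "forcePIN": True,                 # a passcode is mandatory
        "allowSimple": True,              # a four-digit numeric PIN is enough
        "minLength": 4,
        "maxFailedAttempts": max_failed,  # device erases itself after this many
    })
    restrictions = _payload(RESTRICT, "restrictions", {
        "allowCamera": allow_camera,
        "allowAppInstallation": allow_app_install,  # blocks App Store installs
    })
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": ID_PREFIX,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example iOS policy",  # constructed name
        "PayloadRemovalDisallowed": True,  # user cannot quietly remove it
        "PayloadContent": [passcode, restrictions],
    }, fmt=plistlib.FMT_XML)


def audit_profile(data):
    """Parse a profile and report the settings this policy cares about."""
    payloads = {p["PayloadType"]: p for p in plistlib.loads(data)["PayloadContent"]}
    pw, rs = payloads.get(PASSCODE, {}), payloads.get(RESTRICT, {})
    return {
        "passcode_required": bool(pw.get("forcePIN")),
        "wipe_after": pw.get("maxFailedAttempts"),
        "camera_allowed": rs.get("allowCamera", True),  # iOS default: allowed
        "app_install_allowed": rs.get("allowAppInstallation", True),
    }
```

Write the bytes returned by build_profile() to a .mobileconfig file and install it through your device-management tooling; audit_profile() is useful for checking a profile you receive before trusting it.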

It is incumbent upon businesses to develop these policies, but it’s not yet highly prevalent among small and midsized businesses, says Tim Bajarin, president of Creative Strategies, a firm based in Campbell, Calif., that provides industry analysis for the tech sector.

Bajarin estimates that less than half of small businesses have formal IT policies in place. “Even when they do, they struggle to enforce them, given the mix of corporate and employee-owned devices across multiple platforms and device categories -- although there are policy management features available through mobile email servers,” he adds.

But not only should you establish a usage policy, you need to offer periodic reminders and education about the security risk too. “These policies should also encompass use of employee-owned devices to access company data -- things like mandatory password use, reporting lost/stolen devices or data and avoidance of removable storage are the bare-bones minimum,” says Bajarin.

Like this article? Connect with us @ITInsiderOnline

Why You Should Inventory Business Cloud Use

For a few hours on June 20, anyone who wanted to log on to cloud-based storage provider Dropbox could do so without a password.

Dropbox blamed the incident on a bug. And chances are some businesses didn’t even know about the potential exposure of their data.

Too bad so many IT managers don’t appear to be on top of the issue. In fact, many IT managers apparently have no idea what cloud-computing services their employees are using. A survey from the Ponemon Institute released in May showed the extent of the problem. According to the research, 50 percent of IT professionals say their organizations are unaware of all the cloud services used in their enterprises.

That figure could be misleading. Anton Chuvakin, principal at Security Warrior Consulting, says it’s difficult to measure because the definition of “cloud computing” is so slippery. Do the IT pros consider Gmail to be cloud computing, for instance?

But in general, cloud use is exploding. Employees in your organization are increasingly going to turn to cloud tools that allow them to do their jobs expediently and economically, whether you’re on board or not.

Tim Bajarin, president of Creative Strategies, a consultancy in Campbell, Calif., says he’s not surprised at the Ponemon findings. “There are so many apps that let employees access them anytime, anywhere,” he says. “It’s hard for the IT people to keep up.” And it doesn’t help that new cloud services seem to come out every week.

Taking steps to monitor and direct corporate cloud computing use by employees isn’t really that difficult. The key is to take a proactive approach. Among the recommendations by experts:

Understand your mission. Consider whether you’re looking to prevent data leaks or stay on top of information governance. As Chuvakin points out, when you use cloud computing for sensitive information, security is paramount. “If I’m writing a white paper for a client that includes intellectual property and it’s in Google Docs, then it’s not a question of ‘Has anyone else seen it?’ as ‘Am I 100-percent certain no one else has?’” Many cloud providers do provide that assurance, says Chuvakin, so it pays to ask and shop around.

Know why your employees use the cloud. You can learn from how your end users use cloud services, say the experts. For instance, employees might be using Gmail because the search is so much better than the work email’s search. “You should really look into why people aren’t using your work software. There might be a good reason,” says Chuvakin.

Inventory corporate cloud use and providers. Take full inventory of which cloud-computing services your organization and your employees are using. Assess your cloud-computing providers and the risks involved in using them. Do this on an ongoing basis, as cloud computing evolves rapidly.

Set standards. Create guidelines for cloud-computing use by employees. Do you want to prohibit employees from putting company files in the cloud? How do you foresee employees using the cloud?

Be the provider. Create your own version of Dropbox or other cloud-based applications.

Keep sensitive data off-limits. Consider some data off-limits to the cloud and communicate this policy to employees. The Ponemon survey showed that 68 percent of IT pros thought cloud computing was too risky for storing financial information or intellectual property. Fifty-five percent said they wouldn’t store health records in the cloud.
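One concrete way to start the inventory recommended above is to tally cloud destinations in your web proxy logs per user and flag the services that hold data your policy keeps off the cloud. This is an added example, not code from the article; the log lines, the service catalogue and the off-limits policy are all constructed.

```python
from collections import defaultdict

# Constructed sample proxy log: "<epoch> <user> <destination host>" per line.
SAMPLE_LOG = """\
1308600001 alice mail.google.com
1308600002 bob www.dropbox.com
1308600003 alice docs.google.com
1308600004 carol dl-web.dropbox.com
1308600005 bob intranet.example.internal
1308600006 dave app.box.com
1308600007 carol www.dropbox.com
"""

# Constructed catalogue: domain suffix -> (service, kind of data it tends to hold).
SERVICES = {
    "dropbox.com": ("Dropbox", "file storage"),
    "box.com": ("Box", "file storage"),
    "docs.google.com": ("Google Docs", "documents"),
    "mail.google.com": ("Gmail", "email"),
}
OFF_LIMITS = {"file storage"}  # constructed policy: data kinds banned from the cloud


def classify(host):
    """Return the (service, kind) for a host, matching the longest known suffix."""
    labels = host.lower().split(".")
    for i in range(len(labels)):            # try foo.bar.com, then bar.com, then com
        hit = SERVICES.get(".".join(labels[i:]))
        if hit:
            return hit
    return None


def inventory(log_text):
    """Tally which users touched which cloud service; unknown hosts are listed too."""
    users_by_service = defaultdict(set)
    unknown = set()
    for line in filter(None, log_text.splitlines()):
        _ts, user, host = line.split()
        hit = classify(host)
        if hit:
            users_by_service[hit[0]].add(user)
        else:
            unknown.add(host)
    return dict(users_by_service), unknown


def policy_violations(log_text):
    """Services in use whose data kind is off-limits under the policy."""
    found, _ = inventory(log_text)
    kinds = {svc: kind for svc, kind in SERVICES.values()}
    return {svc: users for svc, users in found.items() if kinds[svc] in OFF_LIMITS}
```

Unknown hosts are worth reviewing too, since a service missing from the catalogue is exactly the one nobody in IT knows about yet.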

Is Social Media Malware Infecting Your Business?

A chain, as the saying goes, is only as strong as its weakest link. Apply that logic to a business, and when it comes to social malware, you’re only as secure as your most gullible employee.

By now, even the most gullible employees will probably not fall for email-based phishing schemes. But social media, thanks to its newness, is another story.

What can you do? Educate your employees about the risks of social media and establish policies for social media use, especially in regard to malware, which can infect PCs and compromise sensitive information.

Common Social Media Malware Scams

There are a few common scams that should be known to all employees. These include links and apps purporting to let you “See who viewed your profile” or “View your top profile stalker.” Other come-ons are offers for free stuff for social games, fake Facebook features (like “See who poked me the most”) and games not offered on Facebook.

And the most common trick is when these things come from someone you know. It can be hard not to accept that interesting Facebook or Twitter message at face value, but your friend’s account may have been hacked. “An employee might get an update from a friend saying ‘Check out this cool cat video,’” says Anton Chuvakin, principal of Security Warrior Consulting. But you should always “be cognizant of what links you click that look sensational,” says national security expert Robert Siciliano.

The good news is that Facebook and Twitter are aware of such schemes and are working to shut them down. The bad news: Malware makers are working just as hard.

Smart Social Media Malware Tips

It doesn’t make much business sense to ignore the value of social media, so aside from training employees, be proactive in employing a strong defense against social malware. Experts suggest these precautions:

  1. Use strong antivirus software. If your antivirus software is doing its job, it will stop malware from infecting computers in your network.
  2. Use a good browser. The latest versions of Google’s Chrome browser and Firefox have features that “help a browser-based infection stay there,” says Chuvakin. Most current browsers offer much better security than they did years ago. In particular, Internet Explorer 6 is known for offering poor security. If you have an older machine in the office using IE6, consider upgrading.
  3. Use a service that scans links to make sure they’re legitimate.
  4. Update security patches.
  5. Employ a strong firewall. And make sure it’s turned on.
  6. Decode links before clicking. One technique spammers use to camouflage a bad link is to shorten it, so use a short URL decoder before clicking on anything. You can find good free ones on TrueURL.net and Extractor.Links-Share.com.

Are Free Public Wi-Fi Networks Safe?

You already have plenty on your plate, whether you are implementing and maintaining technology, helping to resolve technical issues or ensuring your company’s data is safe and secure. Now, you can add the proliferation of rogue free public Wi-Fi networks to that list.

Free Wi-Fi connections can be tempting for traveling employees. And hey, you can’t blame them, as one less item on an expense report can make them look better -- especially if your company is tightening its belt. But talking to them about the risks can help protect them -- and you.

How Rogue Free Public Wi-Fi Works
Tech-savvy thieves are taking advantage of users’ thirst for constant connectivity. “The basic idea is someone in the vicinity has created a ‘free Wi-Fi network’ that you connect to, but in doing so, you’re allowing them to tap into your info, access your files and possibly steal your personal identity too,” says Tim Bajarin, president of Creative Strategies, a tech consultancy in Campbell, Calif.

“These ‘rogue’ networks are really individuals who have software to hack into your systems -- and because the majority of people’s laptops are not protected, they’re a lot more susceptible than they think.”

In fact, New York-based independent security consultant Dino A. Dai Zovi says he and a colleague, Shane Macaulay, authored a tool called KARMA to demonstrate the risk of unprotected wireless networks. “KARMA acts as a promiscuous access point that masquerades itself as a wireless network,” explains Dai Zovi. “It makes the victim connect to our rogue wireless network automatically.”

Rogue operators will often craft network names similar to the name of the hotel or the coffee shop where your end user is attempting to connect. One careless click and your data is exposed.

Scary stuff. So, what to do?

Tips for Safer Surfing on Free Public Wi-Fi
You’ve got your work cut out for you, and it starts with employee awareness, say the experts. Consider these steps:

  • Avoid free public Wi-Fi. Caution employees to steer clear of freebies. “When I go to a hotel, I make sure they have a wired [Ethernet] connection,” says Bajarin. “And if I want to go wireless on my laptop or other devices in my hotel room, I bring an Airport Express with me,” he adds, referring to Apple’s compact wireless router.
  • Be efficient. If you or your end users can’t avoid a free public Wi-Fi network, “get on, get what you need and get off -- and don’t do any financial things until you’re back at home,” cautions Bajarin.
  • Use VPN. Only use free public Wi-Fi if you have VPN (Virtual Private Network) access, says Dai Zovi. “Otherwise, everything you do can be easily monitored by anyone nearby.” Citing recent Firesheep attacks, Dai Zovi says that even password-based networks can be attacked by malicious types. Firesheep is an extension for the Firefox browser that can grab your login credentials for sites such as Facebook and Twitter.
  • Give employees your own connection. Another option for mobile workers is to use WAN-enabled laptops, USB sticks with cellular connectivity or to create a mobile hotspot through a smartphone or tablet.
  • Use security software. Make sure all security software is updated regularly, enable firewalls and give employees a means to encrypt sensitive data.

Only through education, secured connections and some common sense can your employees keep personal and professional data safe from cyber-snoopers, waiting to attack through a free public Wi-Fi.

Protect Your Company’s Bank Account

Here's a sobering thought for anyone who has a small business account: If your account gets hacked and thieves break in, you're not going to get your money back.

Unlike consumers, small businesses are on their own. The FDIC does not insure small business bank accounts for cybertheft (although it does insure them for other types of theft up to $100,000).

That's particularly bad news because cybertheft is on the rise. Tom Kellerman, vice president of security awareness for ethical hacking firm Core Security, says falsified wire transfers -- the primary type of small business account hacking -- are up 500 percent in the last two years.

The good news is there are some things you the IT decision-maker can do to lower the odds of a break-in. In particular: 

  • Limit the use of wireless. Kellerman says that wireless is a "very easy access point" for hackers. Best not to use wireless at all, but if you need to, use equipment adhering to the IEEE 802.11i standard.
  • Move away from passwords. Even the best passwords aren't as secure as alternatives like tokens or biometrics. Tokens, which are physical objects like smart cards, are best paired with passwords to prevent fraud. Biometrics, using a fingerprint or voice, are unique to a particular user. (But of course, if you have a Trojan already lodged in your PC, such protection won't offer any help.)
  • Segregate your company’s banking data. Severely limit Web browsing on the PC that connects to your company’s bank account. Anton Chuvakin, principal of Security Warrior Consulting, takes this a step further and suggests that you have one PC on hand that just connects to your bank account and does nothing else. It’s worth it: The price of one PC (under $500) can completely protect your company from having its account hacked.

If Nothing Else, Be Smart
Security analysts say the best thing you can do is educate yourself and any other employees who might access the account on the dangers of phishing scams and Trojans. Since a Trojan causes mischief by lodging itself on your computer, the goal is to not allow that in the first place. So remind users to be extremely cautious about opening any suspicious email, particularly if it's sent over a social network.

Kellerman says that even fairly sophisticated users can be taken in by so-called “spear phishing” attacks, which mimic websites or email addresses of people with whom you do business. So a good way to minimize the risks of such attacks is to limit the number of people and PCs allowed to access banking information. IT’s rep is on the line if data is stolen, so take control of access points. Says Kellerman: “There’s no point in administration privileges if you’re going to have it for a bunch of devices.”
