Thursday, April 30, 2009

DO YOU FEAR DEPLOYING ENCRYPTION IN YOUR ORGANIZATION?

The last time we discussed encryption we examined its role in enhancing and protecting personal privacy. This piece continues by discussing why organizations should employ encryption as a priority tool in their security framework.

The current depressed global economy has resulted in a burgeoning market for stolen data.

Companies have, in the recent past, been slow to employ encryption due to various reasons. It used to be hard to set up and would slow network performance. The primary fear was that if a company used encryption on critical data and something went wrong, then that data would be irretrievable.

These concerns were justified then but are no longer relevant today. The first fear we should dispel about encryption is that implementing it is insanely difficult. Enterprise encryption software is now easy to deploy and maintain. You need to first establish how critical data flows through and out of the company. You also need to locate where this data resides. You will then be able to identify who has or can gain access to the data. Deploying encryption in these areas therefore becomes easier.

The second concern has been that encrypted data compromises network performance. This was true when encryption technology was in its infancy. Today’s solutions have been developed to make the best use of available computing cycles. They extensively use background processing to minimize their impact on the network.

It is also widely believed that managing an enterprise encryption solution is excessively complicated. Today’s encryption solutions are centralized and fundamentally simplify the oversight and administration functions.

It is also feared that encryption negatively affects data availability. Encryption does not limit access to data. It will only do so if you encrypt your database without carefully examining your enterprise use patterns. You should determine which critical applications are accessing the database most often. This will help you optimize your encryption solution to remove any bottlenecks or access delays.

Encryption finally invokes one doomsday dread. This is where a technical or staffing problem makes it impossible to decrypt your data. Imagine if the IT manager suddenly leaves the organization in a huff. Enterprise encryption will not leave you in such a lurch. There are double-authentications which require more than one person to access the key. If the key somehow becomes unavailable you can use the built-in restoration tool to decrypt your data. And with the numerous checks and balances that are in the software, any encrypted data can be decrypted and restored without resorting to expensive external consultation.

Encryption is necessary for any company that handles customer details and other critical data. There is now no sensible fear that justifies delaying usage of this crucial defense tool.

Tuesday, April 21, 2009

ARE WE PROTECTING OUR WIRELESS NETWORKS?

Not too long ago applying for a fixed-line phone used to fill one with dread. After being on a waiting list for eons, you would finally get the treasured land line connection. That, however, would not be the end of your troubles. The connection would constantly break down, bills were often wrong and maintenance service was pathetic.

It is against this backdrop that we have readily embraced wireless communication technologies. Cellular networks have experienced phenomenal growth in the recent past. Wireless computer solutions have also experienced substantial demand as we seek to become more flexible and productive.

Dependence on wireless computer networks is therefore increasing. Wireless local area networks (WLANs) and wireless metropolitan area networks (WMANs), which connect several WLANs, have become common in Nairobi. People and businesses use wireless networks to send or share data quickly, whether in an office building or across the world.

Wireless networks are, however, inherently more vulnerable than wired ones. Denial of service (DoS) attacks against this type of network do not require a very sophisticated modus operandi.

These attacks can be launched from within or from outside using widely available standard wireless equipment. They can be carried out by a hacker using a standard laptop equipped with a high output wireless client card and a high gain antenna. There are many other methods of attack and protecting these wireless networks requires the implementation of defensive measures.

Deploying WLAN intrusion detection systems will assist in identifying DoS attacks. Strategically mounting the access points at sufficient height will deter hackers from easily reaching and destroying the access points.

It is also important to aim directional access point antennas towards the inside of the building. This will help to contain the RF (radio frequency) signal.

Making a building as resistive as possible to incoming radio signals is another crucial defensive measure. Installing metallic window tint instead of curtains or blinds can help prevent RF leakage and keep incoming radio signals out. Wi-Fi proof wallpaper and Wi-Fi paint also serve the same purpose.

Implementing the IEEE 802.11w standard, which outlines Protected Management Frames, is advisable. WLANs send system management information in unprotected frames. This standard aims to increase security by providing data confidentiality of these frames.
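What a WLAN intrusion detection sensor can look for while management frames are still unprotected, shown as an added example (not from the original column). It assumes the DoS shows up as a burst of deauthentication or disassociation frames; the frame records, window and threshold are constructed.

```python
from collections import defaultdict, deque

WINDOW_MS = 5000   # sliding window (assumed value)
THRESHOLD = 20     # frames of one subtype from one claimed sender per window (assumed)
WATCHED = {"deauth", "disassoc"}   # management subtypes that 802.11w protects


def detect_floods(frames, window_ms=WINDOW_MS, threshold=THRESHOLD):
    """Return one alert (time_ms, claimed_sender, subtype, count) per burst."""
    recent = defaultdict(deque)   # (sender, subtype) -> timestamps inside the window
    alerting = set()              # keys currently above the threshold
    alerts = []
    for ts, sender, subtype in sorted(frames):
        if subtype not in WATCHED:
            continue              # beacons and the like are frequent by design
        key = (sender, subtype)
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window_ms:
            q.popleft()           # forget frames older than the window
        if len(q) >= threshold:
            if key not in alerting:           # alert once per burst, not per frame
                alerting.add(key)
                alerts.append((ts, sender, subtype, len(q)))
        else:
            alerting.discard(key)             # burst over; re-arm for the next one
    return alerts


def sample_frames():
    """Constructed capture: (time_ms, claimed sender MAC, management subtype)."""
    ap, client = "02:00:00:aa:00:01", "02:00:00:cc:00:09"
    frames = [(t, ap, "beacon") for t in range(0, 5000, 100)]       # normal beaconing
    frames.append((1000, client, "deauth"))                          # a client leaving
    frames += [(10000 + i * 100, ap, "deauth") for i in range(40)]   # 40 frames in 4 s
    frames.append((60000, ap, "deauth"))                             # isolated, later
    return frames


if __name__ == "__main__":
    for alert in detect_floods(sample_frames()):
        print("possible management-frame flood:", alert)
```

Without 802.11w the sender address in these frames is unauthenticated, so an alert identifies the network being disrupted rather than whoever is transmitting.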

Finally, it is good security practice to carry out wireless audits with the aim of determining how far the RF signal actually extends outside the building.

Saturday, April 18, 2009

COMPUTER GAMES HAVE BECOME SECURITY THREATS

If you encountered computers at an early age then you most likely indulged in computer gaming. Can you ever forget the excitement when you first played Prince of Persia, Wolfenstein 3-D and Doom? Other memorable ones include Counter-Strike and Grand Theft Auto.

Gaming has evolved from solo playing on one computer to interacting with multiple online players from far-flung locations. This has spawned a lucrative business with revenues from online games being estimated to be in the billions of dollars. This has obviously attracted cyber criminals.

The rise in massively multi-player online role playing games (MMOGs) has made computer games attractive targets. Crooks are able to exploit the vulnerabilities in MMOGs to commit identity theft and intrusions.

MMOGs require permanent internet connections and this access is used to steal user data from both real and virtual environments.

In these games, players often change or purchase virtual commodities. These may be weapons, clothes, medicine, money or property. The items are bought using real money which is converted into virtual currencies. These virtual funds are attracting crooks. Profits derived from illicit activities are hidden in the game economies of virtual worlds in a new form of money laundering.

Due to the competitive cut-throat business of computer gaming, vendors have overlooked security in their mission to be first to market the next big game hit. The result has been increased vulnerability to data-stealing Trojans. These Trojans have the aim of recording user IDs and passwords together with the IP addresses of the servers on which these MMOGs are hosted. Keyloggers, which record all keystrokes, are also introduced.

After compromising a player's online account, the online crooks are able to convert the virtual objects and currencies they steal into real money.

Other vulnerabilities that are easily exploited are scripting holes. These are typically found in web applications which allow code injection by malicious users into the web pages viewed by other users. An example would be where you play an online game from a website that has a link to another site that exploits a scripting vulnerability. Upon clicking the link, malicious scripts execute in your browser and steal sensitive information like passwords and billing information.

Games that require permanent internet connections and use some form of virtual economies need to be used with caution.

Wednesday, April 01, 2009

ARE YOU PROTECTING YOUR MOBILE DATA?

The power of mobile computing has resulted in tremendous work flexibility and productivity. Tools such as laptop computers and sophisticated mobile phones have allowed us to perform functions that were previously unachievable. You are now able to conduct professional corporate presentations while visiting clients or update budgets while on vacation, among many other work-related activities.

Mobility unfortunately has brought new and serious challenges in the areas of corporate security and information privacy. It is now common practice for companies to issue laptops to employees as replacements for their desktop computers. Powerful mobile phones are also provided so as to maintain constant e-mail communication. This has resulted in vast volumes of corporate information being delivered and stored electronically.

A dramatic upsurge in laptop theft has been witnessed in Nairobi. These device losses pose a serious risk to both the owner and the company. Personal and trade secrets can easily fall into the wrong hands. Beyond the loss of hardware, the greatest concerns are often the value of data and the unsecured enterprise access available through a company laptop. Corporate data obtained from a stolen laptop can be sold to competitors. Unauthorized access to a company’s customer database can be achieved by use of a stolen laptop. Your personal data can also be used to commit identity theft.

These scenarios demand a layered approach to mobile computing security where data protection is also included. This approach encompasses Compliance, Protection and Recovery.

Compliance is the ability to comply with applicable mobile data protection regulations and to provide an easily accessible audit trail. To ensure compliance, companies must protect data, track the mobile hardware (and their users), provide auditing capacities and maintain historical records. The Kenya Communications Act and the Communication Commission of Kenya’s regulatory framework are good starting points. Non-compliance will expose the organization to lawsuits in the event of data loss.

Protection is the ability to prevent mobile data losses from occurring. Data loss from a stolen laptop can be prevented by encrypting mobile data. Encryption, however, fails to protect sensitive information in cases of internal theft. In instances of external theft, encryption only delays access to sensitive information. Total protection therefore calls for a multi-faceted approach that combines encryption, strong authentication and the deployment of asset-tracking software.

Asset-tracking software tools are able to track and recover laptops that are lost or stolen. They also monitor any changes or disappearances in computer memory, hard drives or peripherals.

Recovery is the ability to recover lost or stolen mobile data, to retrieve lost or stolen devices and return them to the control of the organization, and to facilitate prosecution. Companies should have in place procedures that include law enforcement officials in the recovery of these devices. A fully functioning Cyber-Crime unit of the Kenya Police would be able to increase the asset recovery and prosecution capacity. Subsequent prosecution would act as a powerful deterrent against future theft.

This multi-layered approach will go a long way in ensuring that mobile asset and data protection controls are in place, and will reduce exposure to legal action due to device loss.

HIGH TIME WE INTRODUCED A POLICY TO PROTECT OUR SURFING CHILDREN

Computer usage by our children in our primary and secondary schools has become commonplace. Computers have also become familiar in private and public libraries. Nurseries have not been left behind either, albeit only a few upscale ones provide computer instruction to toddlers.

Introducing this technology to our children at an early age is recommended because their adult lives will be synonymous with technology.

In the near future access to the internet will become cheaper in Kenya. This will enable most schools to provide full time broadband access to their students at a subsidized rate. This access will mean our children will have access to all shades of digital material.

Time is nigh for us, as a society, to develop an internet safety policy that will ensure educational institutions and libraries have technology protection measures. These measures must be tied to government funding or licensing.

Waiting for legislators to introduce this initiative would be akin to waiting for Godot. Educational institutions should also not be left with the sole responsibility of implementing safety measures. Parents should be ready to develop and enforce this policy as an additional component of sound parenting.

An internet safety policy that specifically targets schools and libraries should include measures that block or filter internet access to pictures that are obscene or harmful to minors and teenagers.

These institutions must prove compliance by educating minors about appropriate online behavior, including cyber bullying awareness and response and interaction with online individuals on social networking sites such as Facebook or MySpace.

Educational institutions should also be required to restrict minors’ access to materials harmful to them. They should limit unauthorized access, including hacking and other unlawful activities by minors online.

There are software tools out there that can enforce these measures. These tools offer complete protection from internal and external threats, for instance illegal P2P file sharing, data leakage, data loss and more.

Schools can implement software that offers content monitoring and complete visibility into individual users, allowing them to protect minors and students while securing the institution from issues of legal liability.

The computer and the internet have become rapidly growing tools that enable children and adults to instantly access information and resources. The internet is also a powerful communication medium. It is our duty, as parents, to ask whether the schools our children attend have implemented basic computer and internet safeguards.

Not to be forgotten is the role of parents at home. It is common for parents to assume that rules are being adhered to when in actual fact they are not. There is also an assumption that rules are not needed when they are.

Rules and regulations in educational institutions should be in tandem with the ones at home. We cannot afford to be lax on this issue of protecting our children from the dangers of the computer and the internet.

Parents must learn to protect their children from the array of undesirable digital content both at school and home.

SHOULD YOU PUBLICIZE YOUR SECURITY VULNERABILITIES & BREACHES?

Many local companies experience IT security breaches and keep mum about it. A breach is a rupture, break or gap whose cause has not been determined. It can be more vividly defined as an opening or gap in the wall. Digital walls protect valuable data systems and when they are breached the repercussions are extremely costly to both individuals and companies.

When a tree falls in Mau forest it certainly makes a sound. If a section of a perimeter wall collapses it makes a sound. If there is no one around to hear the tree crashing down or the wall falling apart then the event is not immediately registered or discovered.

What if a computer network is vulnerable or breached and no one knows about it, is it insecure? A collapsed section of a wall makes it insecure to those who know about the vulnerability. This also applies to a computer network with a security hole. If no one knows about it, that is, the vulnerability has not been discovered, then the computer network or digital wall is secure.

However if someone knows about it, then the IT system is insecure to the discoverer but secure to everyone else. If part of that perimeter wall round your residence is vulnerable and you have no knowledge about it, then that wall is secure to you. But to a robber who knows its vulnerability, it is insecure.

What if you knew that your network was vulnerable? What if you knew if part of that wall round your home was vulnerable? Would you publicize this fact?

The vulnerability exists, whether or not anyone knows about it. Keeping computer breaches and vulnerabilities secret does not guarantee your security.

An attacker can’t exploit a vulnerability he does not know about. A defender, also, cannot protect a vulnerability he does not know about.

In Information Technology, security that is based on publishing breaches and vulnerabilities is more robust. Those companies that suffer hacking attacks and keep them secret undermine the natural flow of information. Instead of fighting this flow, companies should embrace full disclosure, which ensures they end up with more security rather than less.

The internet is still an insecure cyber-world, but it would have been much worse if its software vulnerabilities had been kept secret. Disclosure about its vulnerabilities has resulted in many of them being fixed.

Companies should stop sweeping their vulnerabilities and problems under the rug. They should instead embrace the full disclosure security movement. This will not only enhance their system security but also prevent those holes in their walls being announced in blogs and newspapers.

DO YOU HAVE THE ESSENTIAL INFORMATION SECURITY CERTIFICATIONS?

Information security is only growing in importance. Whatever an organization’s mission, product, or service, its information security is paramount.

Many readers of this column have asked me about IT security courses and certifications: which one is the most suitable and whether these courses are available locally. I want to oblige today and list three essential IT security certifications.

These security certifications can significantly bolster your curriculum vitae and assist in job retention. Generally, choosing which certification you do is dependent on the career road map you have outlined for yourself.

So once you have decided that your career road map is IT security, it is important to appreciate that the best certification for you depends on your education, skills, and goals. For this reason, when pursuing any professional accreditation you should give much care and thought to your experience, skills, goals, education and desired career path.

One of the pre-eminent IT security accreditations is the Certified Information Systems Security Professional (CISSP). This certification is administered by the International Information Systems Security Certification Consortium, commonly known as (ISC)². (ISC)² is a global vendor neutral not-for-profit organization that provides various information security certification programs.

CISSP is a globally respected certification that is designed for security industry professionals with at least five years of full-time experience. It is internationally recognized for validating a candidate’s expertise with operations, network and physical security, as well as the ability to manage risk and understand legal compliance responsibilities and other security related elements.

The exam is particularly daunting. It consists of 250 questions with four options each and is six hours long. You can obtain more information from www.isc2.org.

Another accreditation worth pursuing is Security+ offered by the Computing Technology Industry Association (CompTIA). This certification is vendor neutral and recommends at least two years of on-the-job technical networking experience. It validates knowledge on organizational security, cryptography, assessments and audits, access control security systems, access control and network infrastructure. You can find out more about Security+ from www.comptia.org.

There are, of course, other security certifications out there. The Certified Information Security Manager (CISM) certification is for security professionals who manage, design, oversee and/or assess an organization’s information security. CISM is offered by ISACA. The website is www.isaca.org.

Certification in itself is not the end. These certifications should instead be pursued with the aim of enhancing your IT security skills and providing an additional competitive advantage that sets you apart from the crowded IT field.

ARE YOU A RECKLESS SHOPPER?

Despite the global recession, experts predict online retail shopping to grow. Online retail demand, in Kenya, will be boosted by the imminent arrival of several submarine cable systems this year.

Online shopping is indisputably more cost effective and faster than the traditional commute from one duka to the other. Comparing prices and bargains is merely a click away.

The current global recession will prompt more Kenyans to consider shopping online in search of better bargains. Following closely behind are the scammers who, also due to the recession, will increase their presence on the internet.

Kenyans need to be more vigilant and aware of the pitfalls that exist in this electronic supermarket. We can never be too careful and this message needs to be constantly repeated.

I have outlined some golden rules you should adhere to if you are to shop online and come out unscathed.

Never go shopping without ensuring that your personal firewall is enabled and updated. Standard firewalls included with operating systems are insufficient. They do not adequately control outbound connections. By installing a reputable firewall you will be able to monitor and prevent sending out of your shopping data on the internet by malware.

Online shopping is synonymous with credit cards. This is the Achilles heel of e-commerce. To be able to protect yourself you should ensure that your cards are registered with online providers such as MasterCard SecureCode that verify your transactions via a private code.

It is also prudent to use only one card for online shopping. Never use multiple cards or mix normal purchases with your online credit card. Maintain the limit for this card to be as low as possible. Better still, use a top-up card for your online purchases.

Remember that your bank provides you more security guarantees with a credit card than a debit card. So avoid debit cards for online shopping otherwise you might be exposing yourself to exploiters.

Checking your card statements regularly for any irregular activity is a good habit. Scammers use small transactions over a long period of time so as to avoid detection. That 400 bob that cannot be explained in the statement is warning enough.

On the site you should always check for the little padlock at the bottom right hand corner of the Internet Explorer browser. This confirms that an encryption key has been activated for your data transmission.

Also make an effort of checking the site’s privacy policy. Check for details of how your personal information will be used and try to provide only the required minimum information.

Adhering to these few rules will help you keep the scammers at bay. Embrace online shopping but keep it safe.