Thursday, August 29, 2013

Embracing Enterprise File Sharing Services


It is the ongoing IT balancing act – enable the business users or secure the infrastructure?  As mobile device usage and collaborative work environments increase, the need for file sharing and synchronization tools is greater than ever.  Your users need to be able to access their work information regardless of the device used, and people need to share information with a wider range of partners and colleagues.  In the recent past, users have simply taken advantage of online storage communities, such as Box, DropBox, or YouSendIt, in order to share data for easy retrieval.  However, concerns about the security, management and compliance of company data have risen, and now the balancing act is more prominent than ever before. 

Luckily for your organization, a number of enterprise-class solutions are emerging allowing secure ways to share files and access data from anywhere in the world.  IT can have complete control over management, logging, and security requirements. 

Before implementing an enterprise file sharing solution, you need to ask yourself four important questions.

Where are enterprise files being stored and shared?  Significant risks develop when company information is shared with others.  You need to ensure data is stored in such a manner that compliance and security regulations are being met.  Also take into consideration the availability of the EFS solution. 

Who has access to your files?  It can be almost impossible to control with whom your employees are sharing files when they use consumer-based file share services.  With EFS solutions, sharing levels can be created to dictate where and when files can be shared.  Another complication with EFS solutions is that the service provider will have access to your data.  Be sure to review how their access controls are set up and what other mechanisms are in place to prevent security breaches or data loss.

How are your files protected?  Choose an option that enables encryption of your data both in transit and at rest.  Ensure a significant encryption level is used and that key lengths are adequate. 

Why will employees use this service?  That’s easy – they are already collaborating online and sharing data, so giving them an option that is meant to work with their existing technology both at work and at home, while promoting its use, will help employees embrace this new service. 

Remember, when evaluating EFS service providers, you must always consider how they secure their components, and keep in mind the controls surrounding data confidentiality, integrity and availability. 

 

Monday, August 26, 2013

Maintaining Firewall Compliancy

We all want to save time and energy spent on menial tasks, so why do we scramble and stress ourselves out when the annual corporate audit is mentioned?  Why is that dreaded firewall compliancy audit so anxiety-inducing each year?  Maintain your firewall compliancy year-round by taking the time to monitor and audit the rules yourself throughout the cycle to reduce your overall workload and stress at audit time.

Firewall rules are set to ensure the security of your company's data while maintaining business functionality.  Sometimes this is a tricky line to balance but compliancy requirements are stated for a reason - in order for your business to function, you must follow some basic rules, whether they are outlined by PCI, SOX, or some other regulatory organization.  Your first firewall audit is going to be painful, but follow some basic guidelines to make this an easier task next time.

Place a comment alongside every rule, and state the date the comment was added.  Complex rules may need to be split into several rules so that each can carry its own justification, but many common rules, such as those allowing DHCP, DNS, and NetBIOS traffic, are standard.  If possible, include a tracking number or administrator's name in non-standard rules in case questions arise.

Develop an audit tracking mechanism.  This way you can return to a previous audit to determine what has changed in the past three to six months.  (Three to six months is a good time frame to audit so that your rules do not change too much and your overall assessment can be performed more efficiently.)  You can create a master firewall rule spreadsheet as well as additional review results forms to append to the master.

Date each audit form completed, and assign administrators tasks to establish accountability.  This ensures that questions are followed up on, and people are aware of the audit practice.  

The firewall review process involves examining every firewall rule and its contents for accuracy and need.  The initial review may result in a number of changes to your rule list, but clean up of any firewall can be a great time saver later on.  If you're unsure what rules could be flagged by an auditor, hire someone to help review the rules with you.  This way you have an auditor's perspective without the headache of failing a large assessment, and you will be well prepared for the audits that count.  
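As an added example (not code from the original post), the following Python script applies the guidelines above to a constructed rule export: it flags rules whose comment is missing or undated or older than the six-month review window, flags non-standard allow rules that carry no tracking number, and reports what changed since the previous audit snapshot. The CSV layout, the sample rules and the TKT- ticket convention are assumptions for the illustration.

```python
import csv
import io
import re
from datetime import date, timedelta
# Constructed sample exports (not from the original post); each comment is meant
# to start with the date it was written, then an owner or ticket, then the reason.
CURRENT_RULES = """id,action,src,dst,service,comment
10,allow,10.0.0.0/8,10.0.0.53,dns,2013-08-01 standard DNS
30,allow,10.1.5.0/24,10.2.0.10,tcp/8443,2013-02-11 jsmith TKT-4421 vendor portal
40,allow,any,10.2.0.20,tcp/22,vendor ssh
50,deny,any,any,any,2013-08-01 default deny
"""
PREVIOUS_AUDIT = """id,action,src,dst,service,comment
10,allow,10.0.0.0/8,10.0.0.53,dns,2013-08-01 standard DNS
30,allow,10.1.5.0/24,10.2.0.10,tcp/443,2013-02-11 jsmith TKT-4421 vendor portal
60,allow,10.3.0.0/16,any,netbios,2013-02-11 standard NetBIOS
"""
STANDARD_SERVICES = {"dns", "dhcp", "netbios"}  # common rules that need no ticket
DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})\b")  # comment must start with its date
TICKET_RE = re.compile(r"\bTKT-\d+\b")          # assumed tracking-number format

def load_rules(text):
    # Parse a CSV export into {rule id: row dict}
    return {row["id"]: row for row in csv.DictReader(io.StringIO(text))}

def audit_rules(rules, today, max_age_days=180):
    """Return {rule id: [issues]} for rules that break the commenting guidelines."""
    findings = {}
    for rid, rule in rules.items():
        issues = []
        comment = rule["comment"].strip()
        match = DATE_RE.match(comment)
        if not match:
            issues.append("comment missing or undated")
        elif today - date.fromisoformat(match.group(1)) > timedelta(days=max_age_days):
            issues.append("comment older than review window")
        # Non-standard allow rules need a tracking number so questions can be followed up.
        if rule["action"] == "allow" and rule["service"] not in STANDARD_SERVICES and not TICKET_RE.search(comment):
            issues.append("non-standard allow rule lacks tracking number")
        if issues:
            findings[rid] = issues
    return findings

def diff_audits(previous, current):
    # What changed since the last audit: added, removed and modified rule ids
    prev, cur = set(previous), set(current)
    return {
        "added": sorted(cur - prev, key=int),
        "removed": sorted(prev - cur, key=int),
        "changed": sorted((i for i in prev & cur if previous[i] != current[i]), key=int),
    }
```

Run against the sample data with an audit date of 2013-08-26, rule 40 is flagged twice, rule 30 only for its stale comment, and the diff shows rule 30's service changed since the last review.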

Thursday, August 15, 2013

Application Security is More Critical Than Ever


Software security is not my strong point but, as a security professional, I understand the utmost importance of ensuring applications are secure.  These are the entry points for users and hackers alike – the most common attacks occur at the application level these days. 

There are five major trends in thinking about software security. 

1. Software is used to run everything today.  Every modern system uses software on some level, and companies are the largest consumers of these applications.  From your television to the critical system controller that takes care of power distribution, computers exist in everything and in everything there is software to be run.  One of my biggest problems with how technologically advanced things have become is the use of computers within cars.  Every night I see someone driving around this city in their late model SUV without their lights.  You drive by and see that the dashboard is lit up – great! – but flashing these people results in oblivious, blank stares.  Technology has gone too far when it compromises the safety of those around you.

2. Software results in too much information being produced.  Data needs to be accumulated and used for risk management purposes.  For software developers, it is important to examine security functionality throughout the entire SDLC, to ensure a strong, secure portfolio of applications.

3. BYOD is becoming the normal way to conduct business.  Your enterprise needs to be aware of this and prepare the protective controls necessary to ensure functionality is maintained while data is secured.  Requirements for sandboxing special applications as well as integration between corporate and device-proprietary apps will be demanded.  This will be a security headache moving forward.

4. Software development requirements have blasted off.  Software needs to be developed faster than ever, and security code reviews are being neglected.  The languages for such software continue to be predominantly Ruby, JavaScript, JavaScript Object Notation, and Python.  This means more demand for cloud services, touchpoints that can be worked through quickly, and lighter built-in security analysis for developers. 

5. Surveillance has hit big data.  The NSA cannot be the only large government entity watching everything we do – don’t fool yourself.  This means privacy protection services will be in high demand.

 

Your organization needs to recognize these and other trends in information technology in order to stay on top of security requirements.  What you do to protect yourself and your data will make all the difference.  Software development is exploding and the requirement for application security is more important than ever before.

Monday, August 12, 2013

SSL Certificates for Beginners

SSL stands for “Secure Sockets Layer”, and it is used to establish a secure session between a web browser and a website so that all traffic is transmitted in encrypted form.  Using online security at your business or at your home helps your customers or visitors feel safer transmitting their data across the Internet.  There are a number of potential risks in using online services, and it is important to understand how to protect yourself against them. 

Use an SSL certificate signed by a trusted certificate authority to protect your data.  There are two functions to any SSL certificate, which is a digital file.  The SSL certificate authenticates and verifies that the person who is accessing your site is who they say they are.  An SSL certificate also provides encryption to protect data transmitted between two sites via the Internet.  Encrypted data cannot be intercepted or read by anyone else, aside from the intended recipient, if the encryption level is sufficient. 

Keys are used to perform the above functions during an SSL session.  The public key encrypts the data while the private key decrypts the data.  If you connect to a site that is using an SSL certificate, you will be provided with that site or company’s public key to encrypt your data transmission.  This means that the only way to read this data is for the company, who owns and stores the private key, to decrypt it. 

When you are performing any transaction over the Internet that involves sensitive or personal information (such as your credit card, SIN, or birthdate), always check that the site you are connecting to is using an SSL certificate.  This can be verified by a few methods.  The website itself should include ‘https://’ (not ‘http://’); you should see a small padlock somewhere on your browser (where depends on which browser you are using); and if you are running any security software, you may even see a verification symbol, such as a check mark or the URL highlighted in green. 

You should use an SSL certificate as often as possible, but some specific situations would be:

- To secure communication between your browser and a company website
- To secure any internal network communications
- To secure email communications
- To secure information between servers
- To secure data sent or received via mobile devices

This is a very simple overview of SSL certificates but the message is simple – you need to use these on your company’s website if you want your customers to trust that their data is secure.  Invest in the technology now to maintain your customer base and your reputation.  Should you require any assistance with setting up SSL certificates on your organization’s network, Blue Hole Security can help. 

Thursday, August 8, 2013

Cloud Computing to Promote Consolidation: What To Consider?


Cloud computing is all the rage these days, and it seems like everyone is trying to become involved.  With organizations wanting to consolidate their resources and optimize their existing infrastructure, it is no surprise that cloud vendors are busier than ever.  Building out a network to provide optimal bandwidth and security for various new storage and server technologies can be costly, so it makes financial sense to look to cloud providers.  From a security perspective, most companies neglect to realize that their data no longer belongs to them once it is placed within a cloud service, and organizations forget to examine the safe transfer and storage of their data once it is handed to online storage vendors. 

Aside from consolidation and optimization, there are some other strong driving factors that organizations need to be aware of.  It’s important to keep your staff happy and productive, and with globalization and extensive Internet coverage, people are expecting more.  More now seems to mean cloud-based services. 

Growing organizations are looking for new revenue and have realized that they need to place themselves more in front of their customers.  Banks have bank machines in grocery stores and other entertainment venues.  Customers now want more personalized service from businesses, and the ‘have it my way’ generation expects attractive, in-the-moment services.

So, what does this mean for infrastructure and support?

Workforces need to become decentralized and ready to react to any issue or request as it arises.  Dispersing people across the globe is one way to ensure customers are happy.  More people dispersed means more people are going to need to access data remotely, and what better way than to use an already established cloud provider. 

Infrastructures will need to become even more heterogeneous to support and maintain a wide array of differing technologies.  Again, most cloud providers are capable of handling this, or clients can expect to connect to a number of different online presences to get their jobs done. 

Employees under a great deal of stress to get the job done increasingly find they have better resources at home, where security controls are lessened and desktops are not locked down to specific applications.  The process to gain access is reduced.  Tablets and smartphones are on the rise, and self-service infrastructure is being requested. 

What data should you consider keeping in-house?

Mission critical data needs to be secured as well as possible, which means it should be kept on your company’s internal network.  Core data, such as specialized proprietary data, is also best left in-house.  And many organizations are opting to keep collaboration tools under their own infrastructure as well – things like VDI, collaboration tools, and VoIP. 

Source: http://docs.media.bitpipe.com/io_10x/io_106865/item_589299/WhitePaper-Forrester_Successfully_Consolidating_BranchOffice.pdf?fulfilled=true

Tuesday, August 6, 2013

Mobile Devices Are Affected by Malware Too


Our mobile devices have become a part of us.  We rely on them to look up loved ones’ phone numbers, locate a restaurant, keep track of lists of tasks, and any other personal needs that a person may have.  We worry about viruses and malware on our desktops, but few people think of the implications of a virus on a mobile device.  Some malware is coded to review the data on your device and transmit passwords, updates, and other personal information to unauthorized parties.  Some can even be used as remote control applications, allowing hackers to manipulate your device without your knowledge.  Antivirus software has advanced so much that most malware can be cleaned off of a desktop, so you don’t need to reimage it.  The same is not true of a mobile device.  A virus found on your phone doesn’t have the same antivirus quarantine capabilities, and thus your best option is to perform a factory reset.  Every phone allows for this, but the problems occur if you haven’t backed up your data beforehand. 

Some phones and tablets do offer the ability to retain your data even with a factory reset.  Many of these types of devices sync your data with a cloud-based service, which you do have to remember to enable.  Security risks come with saving and syncing your personal information with a cloud service, though, so beware of the implications to yourself and family members if your data is compromised.  Other mobile devices may include a sync feature with a desktop application, so when you do perform a factory reset, your data can easily be reinstalled on your device upon connection to that desktop. 

How can you protect your mobile devices from data loss and malware?  Never install an application you do not trust.  This is especially important for Android applications, where no true coding governance exists.  Even Apple apps, however, can come with viruses built in that are missed during Apple’s thorough code review.  Just like on your PC, do not open or launch suspicious emails, attachments or applications.  If available, install an anti-virus application that is meant specifically for your mobile device.  Use a trusted vendor, like Symantec, Norton, McAfee, or AVG.  Be smart with your mobile devices – they are miniature computers that are ALWAYS connected to the Internet, and therefore they are especially susceptible to data loss and malware.