Monday, August 5, 2013

The Pros and Cons of BYOD (Bring Your Own Device)!!!!

PC World — The concept of bring your own device (BYOD) is a growing trend for business IT. There are a variety of benefits to allowing users to supply their own PC and mobile devices, but there are also some concerns. Make sure you understand both in order to embrace BYOD with confidence.
It used to be that IT departments drove technology, but that has changed dramatically in recent years. The consumerization of IT revolution -- sparked by the iPhone -- has shifted the IT culture so that the users are the ones getting the latest, cutting edge technologies first, and they want to bring those devices to work.
Businesses that embrace BYOD have some advantages over competitors. For starters, BYOD programs generally shift costs to the user. With the worker paying for most or all of the costs for the hardware, voice and/or data services, and other associated expenses, companies save a lot of money -- as much as $80 per month per user. You might expect users to revolt against paying for the devices and technology they use at work. Not so. The Good Technology State of BYOD Report states that 50 percent of companies with BYOD models are requiring employees to cover all costs -- and they are happy to do so.
That brings us to the second significant benefit: worker satisfaction. Users have the laptops and smartphones they have for a reason: those are the devices they prefer, and they like them so much they invested their hard-earned money in them. Of course they'd rather use the devices they love than be stuck with laptops and mobile devices that are selected and issued by the IT department.
There are two corollary advantages that come with BYOD as well. BYOD devices tend to be more cutting edge, so the organization gets the benefit of the latest features and capabilities. Users also upgrade to the latest hardware more frequently than the painfully slow refresh cycles at most organizations.
BYOD isn't all wine and roses, though. There are some issues to consider as well. By embracing BYOD, organizations lose much of the control over the IT hardware and how it is used.
Company-issued IT typically comes with an acceptable use policy, and it is protected by company-issued security that is managed and updated by the IT department. It is a little bit trickier telling an employee what is, or is not, an acceptable use of their own laptop or smartphone.
Make sure you have a clearly defined policy for BYOD that outlines the rules of engagement and states up front what the expectations are. You should also lay out minimum security requirements, or even mandate company-sanctioned security tools as a condition for allowing personal devices to connect to company data and network resources.
There is also an issue of compliance and ownership when it comes to data. Businesses that fall under compliance mandates such as PCI DSS, HIPAA, or GLBA have certain requirements related to information security and safeguarding specific data. Those rules still must be followed even if the data is on a laptop owned by an employee.
In the event that a worker is let go, or leaves the company of their own accord, segregating and retrieving company data can be a problem. Obviously, the company will want its data, and there should be a policy in place that governs how that data will be retrieved from the personal laptop and/or smartphone.
If you're not already taking advantage of the BYOD trend, you should definitely consider it. Just make sure you're aware of both the pros, and the cons, and address any potential issues up front.

By Tony Bradley

Wednesday, June 12, 2013

Survey Reveals Why Small Businesses Turn to Cloud Storage

What drives businesses to the cloud? Cloud storage vendor SugarSync attempted to answer this question by polling 173 small businesses on what makes them want to adopt cloud file management. The survey involved business owners, as well as IT and other business leaders for smaller organizations. You can read the detailed findings in this entry on the company’s official blog.
Many trends that start off in the nimbler and more flexible small businesses are often precursors of things to come in mid-sized or even large businesses. With this in mind, I have summarized a few of the most pertinent findings below, along with my thoughts on how SMBs can best leverage cloud storage.

Proliferation of multiple devices

Small business users are not abandoning laptops and desktops for new smartphones and tablets, according to Lance Kass, Internet marketing operations manager at SugarSync. Rather, tablets and smartphones have taken a complementary role where they are often used simultaneously with traditional computing devices. Indeed, SugarSync discovered that small business owners and leaders are actively using an average of five devices. (Some respondents reported as many as 12 devices, according to SugarSync.)
Clearly, the cloud has a role in the proliferation of multiple device usage by making it easy for users to access the same files from any Internet-connected device. With sales of smartphones and tablets skyrocketing, SMBs need to come up with a long-term strategy on how to support workers who may need to access corporate services and files from mobile devices.

Users derive real value from the cloud

Though once seen as a fad, it is evident that users are deriving real value from the use of cloud storage. Specifically, the survey saw 90 percent of respondents listing file and folder synchronization as “Very Important.” About 85 percent also put data backup under this category, while 90 percent of respondents consider the ability to share files and folders with colleagues as important.
The implications to SMBs are clear: An outright ban on cloud services will probably not succeed and is likely to impede productivity. Instead, security-conscious businesses will need to look into offering private-cloud alternatives to support workers and meet their file sharing and collaboration needs.

Mobility and new work style

Given that the survey was conducted by a cloud storage vendor, it should probably be unsurprising that the company’s “set it and forget it” approach was touted by a majority (75 percent) of respondents as a lifesaver. Still, it is undeniable that the increased mobility and changing working style of workers can only serve to accelerate the adoption of cloud services.
On this front, SMBs need to acknowledge that legacy backup utilities or making manual backup copies is no longer cutting it for modern workers. Instead, they should consider automated backup software at a minimum, or explore software that works by synchronizing data over the Internet, preferably those that save multiple revisions of files.
On a broader front, does your SMB have a strategy to support tablets and smartphones on top of traditional laptops and desktops? I’ll be outlining some simple tips later this week. In the meantime, do feel free to drop a comment if this is a topic that you are currently grappling with.

Written by Paul Mah, SMB Tech

Tuesday, June 4, 2013

The BYOD Mobile Security Threat Is Real

CIO - Paul Luehr knows a thing or two about security, the law and "Bring Your Own Device," or BYOD.
Formerly a federal prosecutor and supervisor of the Internet fraud program at the Federal Trade Commission, Luehr is a managing director at Stroz Friedberg, a global data risk management company with a cyber-crime lab. He focuses on computer forensics, investigations and discovery.
BYOD has led to an increase in mobile devices, cloud storage repositories, different kinds of data types, and, of course, data theft by disgruntled employees. "The number of cases we have involving mobile devices has probably doubled in the last three years," Luehr says.
While there's a lot of hand-wringing over BYOD and mobile security (some would say it's "over-hyped"), Stroz Friedberg deals with real cases concerning data breaches. Luehr sat down to talk about what kinds of threats he's seeing, how companies are reacting, and where they're falling short.
There's been lots of talk about the mobile BYOD security threat. But is it real or hype?
There's a two-pronged answer to your question. Broadly speaking, we usually break down threats against the network into two vectors.
The external vector, which would be the hacker coming in from overseas trying to penetrate the network, continues to come through the traditional avenues and not necessarily BYOD. The people who say that the threat is overhyped may be accurate if they're talking about external threats.
But this leaves out another large dimension of security. BYOD policies certainly have raised the risk to companies with regard to the internal threat. Probably the most dangerous person to an organization is the disgruntled employee who is about to walk out the door. That person has access to the network. With BYOD, they have more ways to connect to that network and move information around.
I think that the security risk, in terms of the internal vector, is already here and quite large.
Have you seen a rise in BYOD data breaches in your business?
Absolutely, especially in the forensics area around employment matters. There are lots of cases we've nicknamed "Bad Leaver" cases, as in, somebody left and it was bad. When an employee leaves for a competitor, there's often concern that the employee may have taken intellectual property.
In those types of cases, we're seeing BYOD come front and center into the investigation. Rather than just looking at the server, email or desktop computer, now we're often looking at the smartphone, iCloud or Dropbox account, or Gmail.
Most of the breaches we're seeing are still directed at the servers where the most valuable and sensitive data resides. However, more and more mobile devices are an avenue to breach an organization. From a pure security point of view, BYOD is presenting many challenges.
You also have a change in attitude and practices, such as many people are involved in social media. We're seeing the bright line between home and work disappearing. Employees are becoming a little bit lax about the type of sensitive information they bring home to work on, maybe a list of credit card numbers of customers or source code that a company relies upon to really distinguish itself in the market.
Once they bring it home, the [information] could be subject to sharing across different devices and repositories. Have they showed it to a friend or family member?
Companies respond by toughening up BYOD policies. Is this a good countermeasure?
Sound and comprehensive policies and procedures are certainly needed in the modern BYOD environment, but they're often not good enough by themselves. Most policies need to be updated to take into account the various places that employees will be using their devices, such as home use, the avenues through which data can travel, and the different types of communication that are occurring, such as Facebook, Twitter and text messages. They also need to come with good training and practices behind them.
Recently, the head of my lab and I put together a top ten list of security assessments based on the breaches we've seen. One of them is the lack of any consequences for poor security at the individual level. We think it's a good policy to make sure that security is not just part of an overall HR policy but, especially for some people, it's part of their annual performance evaluation.
A bad leaver is going to wreak havoc anyway. Isn't this more of an HR issue than an IT one?
Good policies come from the top down and through the HR department. There should be consequences for both good and bad behavior. That is the human side of it.
But it's not just about the humans. You also have to have a lot of network controls in place. I don't think HR can pass it off on IT, or IT can pass it off on HR. In fact, the number one issue we see in our security assessments is the lack of appreciation for security at the top levels of a corporation.
Does a BYOD policy open the door to hidden legal costs?
Yes. In bad leaver cases, the hidden legal costs come from the additional collection and review that must occur whenever you have a number of mobile devices involved in a case.
You're going to have more data, more types of data, more devices, more repositories. Instead of grabbing a forensic image of a laptop or desktop, now you need to have four or five different forensic images to grab. In the messiest situation, you'll have a lot of commingled data, typically occurring on a home computer and in a home email or cloud-based account.
Not only do you have the collection costs to deal with, you also have an additional gatekeeping step that must be completed before attorneys can even put eyes on the information. More and more employees are demanding that their personal information be kept separate from the business information subject to litigation. Companies may have to hire a forensics shop like ours to separate the wheat from the chaff.
Have you seen BYOD lead to a security breach?
The most common way BYOD policies affect data security and breaches is in the cross-pollination of passwords. A person is probably using the same or very similar password as the one they use on their home devices.
We actually had a call with a client with the FBI on the line. In one of the large public data breaches that's been highly publicized, the FBI saw the list of published consumer names, addresses and passwords and recognized one of the names - a high profile IT manager or engineer for a significant technology firm. The FBI called up the company to tell them that this person's personal email account had been hacked and that they might want to check up and see if it affects them.
Sure enough, the person had been logging in from home into the corporate network using the exact same personal user name and password. Fortunately, no breach had occurred, and they were able to close that loop. It was just coincidence, luck and a good FBI agent to recognize that person's name.
This shows the cross-pollination that often occurs when people start treating work devices as home devices and vice-versa.
Is there a mobile security blind spot?
Text messaging underlies a lot of interest in what's new and different.
In the old days, you really had two sources of documents that you were concerned about. One was email, the other e-docs, such as a PowerPoint presentation, a Word document, Excel spreadsheets, sometimes engineering drawings. You'd search the file server and email server implicated in the investigation, as well as the employee's workstation.
With mobile devices, you have not just the devices and repositories but the type of information coming off those devices that's different. In particular, text messaging appears only on the phones and nowhere else on the corporate network. Service providers can only provide you with information such as connection times and numbers connected, maybe volume of information, but they're actually not saving the content of individual messages.
So while a bad leaver may have communicated with their new employer through maybe even a personal email account, now it's increasingly common to see them text messaging their buddies across town and conveying private or valuable information that way. In the most nefarious cases, some messages on systems such as Snapchat are designed to disappear even from the phone itself.
Could mobile security be the downfall of BYOD?
If companies turn a blind eye towards mobile devices, they're going to infiltrate the workplace anyway. A sounder course of action is to accept reality and realize that BYOD and mobile devices are part of our future, and then construct sound policies and practices.
You can't control all actions, but what you should do is foresee those actions and control the consequences to the extent possible.
By Tom Kaneshige

Wednesday, May 29, 2013

China's military to train on digital warfare

China, often linked to alleged cyberattacks, is apparently training military forces on digital combat and "informationalized" war.
According to state-sponsored news agency Xinhua, the People's Liberation Army plans to launch digital war games next month focused on developing new combat forces that specialize in cyberwarfare.
The news agency says this will be the first time the army "has focused on combat forces including digitalized units, special operations forces, army aviation and electronic counter forces." Drills will be carried out late next month at the Zhurihe training base in northern China.
The army's general staff department said eight military academies and forces from the Beijing Military Area Command will participate in the exercises.
In March, the Pentagon warned China to cease a cyberespionage campaign against the U.S., which allegedly involves Chinese hackers stealing intellectual property "on an unprecedented scale." The demand came after security firm Mandiant released a report that claimed an "overwhelming percentage" of cyberattacks on U.S. corporations, government agencies, and organizations originate from China.
A confidential U.S. Defense Science Board report for the Pentagon recently alleged that Chinese hackers have managed to expose and potentially steal data relating to U.S. advanced military weapons and systems. The report said that over two dozen weapon system designs were compromised and may have been stolen in order to jump-start the development of Chinese military technology.
In Australia, ABC television reported that hackers originating from China have stolen floor plans relating to a new headquarters for the Australian Security Intelligence Organization.

Thursday, May 9, 2013

Senators want sanctions against countries that support cyberattacks

Possible sanctions could include immigration and trade limits with countries accused of harboring cyberattackers, lawmakers say

By Grant Gross
May 8, 2013 01:49 PM ET

IDG News Service - Two U.S. senators will push Congress or President Barack Obama's administration to pursue trade and immigration sanctions against China and other countries that allegedly support cyberattacks on U.S. government agencies and businesses, the lawmakers said Wednesday.
Senators Sheldon Whitehouse, a Rhode Island Democrat, and Lindsey Graham, a South Carolina Republican, called on the administration, including the U.S. Department of Justice and Federal Bureau of Investigation, to step up efforts to battle cyberattacks.
Congress or the administration should block immigration from countries supporting cyberattacks on the U.S. and it should limit trading with those countries, Graham said during a hearing before the Senate Judiciary Committee's crime subcommittee.
"Our Chinese friends seem to be hell bent on stealing anything they can get their hands on here in America," Graham said. "We're going to do something about this. We're going to put nation states on notice that, if you continue to do this, you'll pay a price."
Witnesses pointed at China as the major source of cyberattacks on the U.S.
Graham asked witnesses to identify the top countries where attacks originate. Both Kevin Mandia, CEO of security vendor Mandiant, and Stewart Baker, a partner at law firm Steptoe & Johnson and former assistant secretary at the U.S. Department of Homeland Security, said China was by far the top attacker.
Russian attackers seem to abide by some rules of engagement and tend to withdraw after U.S. security professionals catch them attacking networks, Mandia said. "The Chinese are like a tank through a corn field, they just keep mowing through it," he said.
Graham asked Mandia and Baker for two-page memos detailing Chinese attacks that he would take to officials with the Chinese embassy in Washington, D.C. "I'll give you 100 pages, sir," Mandia said.
Representatives of the Chinese Embassy in Washington, D.C., didn't immediately respond to a request for comments on the hearing.
Whitehouse also called on the DOJ and FBI to be more aggressive in their pursuit of cybercriminals. "It is all well and good to complain about [intellectual property] thefts through diplomatic channels, but at some point, you need to stop complaining and start indicting," he said.
Representatives of the DOJ and FBI said they've worked hard on cybercrime and brought several cases in recent years. Law enforcement's ability to investigate and prosecute cybercrime has improved dramatically in recent years, they said.
Graham questioned if Congress was giving the agencies enough resources to fight cybercrime. Federal law enforcement agencies have significant resources to fight bank robberies and other physical crimes, but the resources to fight cybercrime haven't caught up with the problem, he said.
Cheri McGuire, vice president of global government affairs and cybersecurity policy at security vendor Symantec, agreed. "We are not putting enough resources against this today," she said. "We've got a long way to go to catch up."

Wednesday, May 8, 2013

Gauging BYOD acceptance

The debate about the bring-your-own-device movement (BYOD) has quieted down, mostly because, it seems, while IT has been over in the corner arguing the pros and cons, employees have been streaming into the office with their shiny new toys and using them to get work done.
That suspicion, in fact, is verified by a new study of subscribers to Network World and sister publications (including Computerworld, InfoWorld and CIO) about the consumerization of IT.
While more than 80% of 1,600 shops surveyed said they have initiatives in place to enable use of consumer technologies at work, nearly half say these efforts are still reactive in nature. Only 33% say they have proactively stepped out in front to address the issue. That last roughly 20%? They are stubbornly trying to hold back the tide, reporting they have no initiatives underway.
The bulk of the shops (two-thirds) that allow BYOD let employees bring in and use what they want, while roughly one-fifth say they give employees an allowance to buy the tools they like.
Not surprisingly, smartphones top the list (at 60%) of the BYOD devices that IT has agreed to service and support, but laptops and tablets were right up there at 57% and 51%, respectively. Even employee-owned desktops made the list at 47%.
Perhaps the most interesting findings, however, concerned the perceived benefits that BYOD is delivering.
A whopping 35% of the shops surveyed say consumerization of IT will have a dramatic positive impact on user satisfaction over the next 12-18 months. Another 47% say it will have a moderately positive impact, which, taken together, means more than 80% of the IT folks surveyed see BYOD as a big win.
User productivity also scores high, with 76% saying consumerization will have a moderate or dramatic positive impact, while 70% expect the same benefit for business agility, and 69% say consumerization will dramatically or moderately improve process efficiency/collaboration.
What about revenue growth? Oddly enough, given the positive outlook about the business benefits cited above, some 56% of the shops say consumerization will have little or no impact on sales. Go figure.
When it comes to lingering doubts, security tops the list of challenges organizations are most concerned about when it comes to consumerization, followed by privacy/compliance issues, loss of control, problems tying BYOD tools to existing systems/services, and protection of intellectual property.
By John Dix

Twitter Breach Leaks 250,000 User E-mails & Passwords

The big news for the past few days was a rather sizable Twitter hack, although it’s only a small percentage of the 140 million strong Twitter user-base – 250,000 is still a large number.
If you were affected you will have received a password reset e-mail and will be prompted to change your password if you try to log in via the Web.
There seems to have been a spate recently of fairly high profile attacks originating from China, I saw someone say “If you haven’t been hacked by China this month, you aren’t working hard enough”.
If you find that your Twitter password doesn't work the next time you try to log in, you won't be alone. The service was busy resetting passwords and revoking cookies on Friday, following an online attack that may have leaked the account data of approximately 250,000 users.
“This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data,” Bob Lord, Twitter’s director of information security, writes in a blog post.
According to Lord, Twitter was able to shut down the attack within moments of discovering it, but not before the attackers were able to make off with what he calls “limited user information,” including usernames, email addresses, session tokens, and the encrypted and salted versions of passwords.
The encryption on such passwords is generally difficult to crack – but it’s not impossible, particularly if the attacker is familiar with the algorithm used to encrypt them.
As a precaution, Lord says Twitter has reset the passwords of all 250,000 affected accounts – which, he observes, is just “a small percentage” of the more than 140 million Twitter users worldwide.
There haven’t been many details disclosed about this attack, but it seems Twitter managed to discover it whilst it was actually taking place – and managed to shut it down fairly fast. It seems, by the data leaked, that the attacker managed to compromise a fairly core part of the Twitter infrastructure.
They have reacted quickly though and reset the affected accounts, which indicates they know exactly what data the attackers managed to access.
If yours is one of the accounts involved, you'll need to enter a new password the next time you log in. Lord reminds all Twitter users to choose strong passwords – he recommends 10 or more characters, with a mix of letters, numbers, and symbols – because simpler passwords are easier to guess using brute-force methods. In addition, he recommends against using the same password on multiple sites.
Lord says Twitter’s investigation is ongoing, and that it’s taking the matter extremely seriously, particularly in light of recent attacks experienced by The New York Times and The Wall Street Journal:
This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.
Although the attack took place this week, it seems to have no relationship to the outage that took Twitter offline for several hours on Thursday. On the other hand, however, Lord’s post does make rather cryptic mention of the US Department of Homeland Security’s recent recommendation that users disable the Java plug-in in their browsers. He mentions Java twice, in fact.
Both the WSJ and NYT have recently been raided by China based hacking crews, no one knows if this is the work of government backed cyberterrorism squads, or just private hackers doing it for profit or even fun.
Source: The Register