Mobile Device Management (MDM) is a great method to ensure that your employees remain productive and do not violate any corporate policies. In the ever-expanding Bring Your Own Device (BYOD) world, more organizations are allowing employees the freedom to work from their own mobile devices. Tablets, smart phones, and personal laptops are taking a larger and larger space on corporate networks.
While there are numerous advantages to a BYOD environment, allowing personal devices onto a corporate network introduces a variety of security threats. A Mobile Device Management solution helps in securing that environment.
Here are 5 tips you should implement when securing your devices with an MDM approach:
Require standards for password strength – Make sure that your MDM is configured to require device passcodes that meet or exceed guidelines concerning length, complexity, retry and timeout settings for the appropriate device.
Device Update Compliance – Set a minimum required version for employee mobile devices. This will require that employee devices are kept updated and restrict devices that do not comply with this setting.
Prevent Jail-breaking – Prevent jail-broken or ‘rooted’ mobile devices. Allowing these devices could add an additional attack vector as many ‘rooted’ or jail-broken devices install third-party app stores that may contain malicious apps. Preventing these devices helps secure access to company data.
Require usage of signed apps and certificates – Use your MDM to screen any mobile devices for suspicious applications before allowing access to company resources. These could be email programs, mobile apps, and networks (Wi-Fi or company VPN access). As with jail-broken devices, unsigned apps and certificates may allow malware to infect the device.
Seek Employee Buy-In – Prior to allowing a user device onto your network, require the user to acknowledge and accept basic corporate policies. Make sure that the user understands that company administrators will be able to revoke and/or restrict access to devices that don’t comply with company policy.
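As an added illustration (not part of the original post and not any MDM vendor's API), the five tips above can be expressed as a compliance check run over device inventory records. The field names, thresholds and sample devices are hypothetical and constructed for the example.

```python
from dataclasses import dataclass, field
# Hypothetical thresholds for illustration; take real values from your own policy.
POLICY = {
    "min_passcode_length": 6,
    "max_failed_attempts": 10,      # retries allowed before lock/wipe
    "max_autolock_seconds": 300,    # idle timeout
    "min_os": {"ios": (16, 0, 0), "android": (13, 0, 0)},
}

@dataclass
class Device:  # constructed record shape, not a real MDM schema
    owner: str
    platform: str
    os_version: str
    passcode_length: int
    failed_attempts_allowed: int
    autolock_seconds: int
    rooted: bool = False
    unsigned_apps: list = field(default_factory=list)
    policy_accepted: bool = False

def parse_version(text):
    """'9.1' -> (9, 1, 0): compare numerically, since the string '9.1' sorts above '13.0'."""
    try:
        parts = [int(p) for p in text.split(".")]
    except ValueError:
        return None  # unparseable version: the caller fails closed
    return tuple(parts + [0] * (3 - len(parts)))

def violations(d, policy=POLICY):
    """List every failed check; unknown platforms and bad versions fail closed."""
    minimum, version = policy["min_os"].get(d.platform), parse_version(d.os_version)
    checks = [
        ("passcode_too_short", d.passcode_length < policy["min_passcode_length"]),
        ("retry_limit_too_high", d.failed_attempts_allowed > policy["max_failed_attempts"]),
        ("autolock_too_long", d.autolock_seconds > policy["max_autolock_seconds"]),
        ("os_below_minimum", minimum is None or version is None or version < minimum),
        ("jailbroken_or_rooted", d.rooted),
        ("unsigned_apps", bool(d.unsigned_apps)),
        ("policy_not_accepted", not d.policy_accepted),
    ]
    return [name for name, failed in checks if failed]

def access_decision(d):
    return "restrict" if violations(d) else "allow"

ALICE = Device("alice", "ios", "17.2", 8, 10, 120, policy_accepted=True)  # constructed sample
BOB = Device("bob", "android", "9.1", 4, 10, 600, rooted=True,
             unsigned_apps=["com.example.sideloaded"])  # constructed sample
```

Returning the full list of violations, rather than stopping at the first, lets the administrator tell the user everything that must be fixed before access is restored.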
The best idea is to decide your corporate strategy and then choose an MDM solution that fits your project. For more information on mobile device security, download our iPhone and Android Security Guides. If you would like to begin a conversation about Mobile Device Management, please CONTACT US.
Cyber Security for Executives (including deans and small business owners).
This year’s conference at the Johns Hopkins University covered ground of interest to business leaders, especially with respect to the implications cyber risk has for their legal and contracting activities. The executives for whom the conference was organized were expansively and quite properly defined to include not just the denizens of a Fortune 500 C-suite, but small business owners, partners in medical and accounting practices, college deans, and so on.
In his opening remarks, Anton Dahbura, Director of the Information Security Institute at the Johns Hopkins University’s Whiting School of Engineering, reviewed his “Unlucky Top 13” list, an inventory of recent security horror-shows. He thinks these incidents (the Equifax breach being the one that’s arrived with most éclat) may have induced the public to pay attention, and may finally be moving people away from what Dahbura called “the gazelle mentality,” that is, the comforting thought that if you stay close to the herd, you’ll be OK. (You won’t.)
And Bob Olsen, CEO of event sponsor COMPASS Cyber Security, closed with some effective analogies security professionals can use to communicate with the business leaders they support.
Strategic perspective from US Cyber Command.
Guy Walsh, Brigadier General (retired), US Air Force, and currently responsible for strategic initiatives at US Cyber Command, delivered the conference’s opening keynote. He began with a quick observation about Equifax, saying that the incident should serve as a reminder that it can take time to patch and address known vulnerabilities.
He described the emergence of cyberspace as a fifth operational domain, joining land, sea, air, and space, and he described US Cyber Command as a warfighting organization recently elevated in status and sharply distinguished in its mission from the National Security Agency.
Walsh reviewed some Air Force history, and claimed that the first insider hack of the USAF was done in 1963, by John Boyd, the leading thinker of the Fighter Mafia. Boyd is more familiar as the officer who formulated the concept of the OODA loop, the cycle of Observe, Orient, Decide, and Act that he outlined in his Discourse on Winning and Losing. Boyd argued that if one could execute that cycle faster than one’s adversary, “get inside their OODA loop,” one would have a decisive advantage in combat. Getting inside the OODA loop, Walsh argued, was as important in cyberspace as it was in air-to-air combat.
After describing Buckshot Yankee, a Russian attack against US Central Command with Agent.BTZ, Walsh outlined the strategic adversaries the US faces. They are, as many others have said, Russia, China, North Korea, Iran, and terrorists. In this threat environment Cyber Command operates National Mission Forces, Combat Mission Forces, Cyber Protection Forces, and, against ISIS, Joint Task Force Ares.
One trend and two observations Walsh made have implications for most enterprises, not just Cyber Command. The trend he sees is that big data and artificial intelligence will change the dynamic in cyberspace. His two observations with broader implications were, first, the point that retaliation against cyber attack need not be exclusively or primarily cyber retaliation. It may not need to be cyber retaliation at all. And second, when he described the three major Cyber Command exercises (Cyber Flag, Cyber Guard, and Cyber Knight) he said they took their inspiration from Red Flag, the Air Force’s realistic training against a dissimilar adversary opposing force. Like Red Flag, these exercises have been vital in increasing readiness and capability.
The risk landscape as seen from the perspective of the healthcare sector.
Stephanie Reel (CIO, the Johns Hopkins University Health Systems) brought the perspective of a healthcare organization (and a “hybrid organization”) to the discussion. She claimed that healthcare has surpassed financial services as the most-targeted sector. In some ways the sector’s modernization has increased its vulnerabilities. Unification and aggregation of data have exposed the sector to “unintentional negligence among the players.” That unification is striking: about 60% of patient data in the United States is currently held by a single vendor.
With greater risk has come more spending on security, and Reel pointed out that this is not only a direct expense, but it imposes opportunity costs as well. “Money spent on security is not being spent to cure disease,” she said, nor is it being used to improve public health. But the reality of the threat requires that security be addressed. Ransomware has been a particular problem for healthcare, Reel said as she reviewed their own experience with the Medstar incident of 2016. Medical care and patient safety require that digitized records and networked devices have high availability, and it’s that availability that ransomware attacks. Direct manipulation of medical devices themselves (“still sort of science fiction; we haven’t seen it at Johns Hopkins”) also remains a very real threat, although not yet a common one.
Reel seconded Dahbura’s call for a national conversation about an identification system, and, although she feared that people were too ready to concede defeat on identity management, still closed on a hopeful note. She thought the tensions a hybrid organization like hers faces among the competing claims of security, operations, healthcare, research, and education could ultimately be resolved.
As schools open their doors for a new academic year, it is evident that education is becoming increasingly dependent on technology. As a result, cyber security is a critically important component to the risk management strategies in schools.
Having worked with dozens of schools internationally, COMPASS understands the unique threats they face. Fall is the best time to set the tone for your school’s cyber security posture. Here is how:
Perform a risk assessment of your school’s IT infrastructure to identify critical vulnerabilities and remediate them.
Segment your network so if one part of your network is compromised, it does not affect the integrity of the rest of your network. For example, put students on a network separate from the faculty and staff.
Limit the number of privileged users to only administrators with a legitimate need as defined by management protocol.
Implement quarterly cyber security awareness training. It is important that the faculty as well as the students are cognizant of cyber best practices so they have a strong digital safety background.
Review all policies to make sure they are current with the technologies and procedures within your organization.
Conduct a security configuration review of the central image from which all of the faculty devices are copied to provide maximum security.
With a variety of diverse user profiles traversing the network and a treasure trove of sensitive personal and financial information, it is often difficult to balance cyber security in an open learning environment. However, by implementing these cyber security strategies in your school you will greatly reduce your risk of an incident.
Imagine being a user on a Friday afternoon when suddenly a pop-up indicates that your files are now encrypted and that a payoff of 20 bitcoins is required to regain access! Clearly, all signs point to a ransomware attack. Ransomware is a type of malware that holds files hostage until a payment is made, and it is a lucrative attack in today’s environment. Besides contacting IT, what is the next move? Well, for too many organizations today, contacting IT is the only move, which is why developing an incident response program is so important.
IT scenarios that require an incident response come in many forms and affect each organization differently. Having an incident response program in place to address the results of a security breach or a cyber-attack is crucial to limiting the cost and speeding recovery. Whether your company has a single office or locations worldwide, developing an incident response program will provide the required guidelines on responding to a security breach.
The ransomware example above is a popular attack affecting large corporations, hospitals, and institutions that have the resources to develop such a program. If your organization is late to this game, do not sweat it. The following is a short list of items to include when developing your own Incident Response Program.
Select team members – The program should list its team members, either by name or by job title. When selecting these members, choosing employees who are familiar with company processes and procedures is key, and it certainly does not hurt to have someone from IT!
Define what an incident might mean – Each organization is set up differently, so what might be a critical event in one office might be very low on the totem pole for another. This might mean taking a good look at where your data is located and figuring out what an attempted attack might look like. Spending a lot of time here is usually worth it.
Conduct employee training – Not only for the members of the team but for the entire company. Team members need to be familiar with their area of expertise and equipped to make quick, accurate decisions. Additionally, they need to know what to look for and how to report it in an effort to stop the spread. Coordinating a training event is just like going to baseball practice: it will identify weaknesses in your approach and provide immediate feedback.
It may seem like all the technology has only made things harder and that developing an incident response plan 17 years ago was only what militaries did. But the reality is, anyone connected to the internet can get close to your digital “front door” and some even knock. It is not enough to rely on software and hardware for protection and a serious conversation about how to handle possible situations needs to take place. If you would like more information on developing an Incident Response Program, please contact us.
With large data breaches occurring frequently, it is important for companies to consider encryption to protect sensitive information. Encryption, in a general sense, is the encoding of data so that only people who have a shared key can access the information. Information stored in an encrypted document is generally unintelligible otherwise.
Computers encrypt data to certain standards, some of the most common being AES, SHA, and RSA. These protocols support certain levels of security depending on whether they use 64-bit, 128-bit, or 256-bit keys. In 1997, a project was launched to crack a 64-bit RC5 key, and it took 30,000 computers 5 years to accomplish. While computing technology has improved, encryption has also improved. It is 725 billion times harder to crack a 128-bit key than a 64-bit key; therefore, cracking higher levels of encryption is thought to be effectively impossible.
Common products used for data encryption are Microsoft’s BitLocker and TrueCrypt. McAfee and Symantec also offer enterprise-level solutions.
One of the key elements to maintaining encryption at an enterprise level is key management. It is important to keep keys as separate as feasible from the data that they are encrypting. Best practices dictate that they should be on a different segment of the network from the machine holding the encrypted information. It is also important to limit access to keys to prevent unauthorized access to sensitive information on the network. Many 3rd party services are available to streamline key management including Amazon Web Services’ relatively new offering.
It is also important to ensure that sensitive data is secure while in transit. This can be accomplished by ensuring that web pages have valid SSL certificates and are using HTTPS. Individuals can use virtual private networks (VPNs) to obfuscate their traffic from prying eyes and keep sensitive data within the corporate network even when working remotely. It is a best practice to have outbound data be encrypted when it reaches the network firewall.
If your organization would like to discuss its unique cyber security threats and risk exposure, please contact COMPASS at 667-401-5108.