In the report released by Check Point Software Technologies, 71% of companies say that mobile devices have “contributed to increased security incidents” and many of the security problems are traced to employee carelessness or ignorance.

The report, The Impact of Mobile Devices on Information Security, surveyed 768 IT professionals of various ranks in the UK, US, Canada, Germany and Japan, from a range of company sizes and industries.

The full report is available in a PDF file

Among the findings it was found that:

• About 94% of respondents report a rise in personal mobile devices connecting to the corporate network; 78% of respondents say the number has more than doubled in the last two years; 65% allow personal devices to connect to corporate networks.

• 30% say Apple iOS is the most used platform on their network, with BlackBerry OS just behind at 29%; Android ranks third, at 21%; but 43% of respondents say Android devices pose the greatest security risk; 36% say Apple iOS; 22% fingered BlackBerry OS.

• Employee behaviours are a key part of the security problem: 47% say customer data is stored on mobile devices; 72% say careless employees are a greater security threat than hackers; and “lack of employee awareness” of corporate security policies ranked as having the greatest impact on mobile data security.

About two-thirds of respondents say they’ve seen an increase in security incidents in the past two years, and 71% of these say mobile devices are a “contributing factor” to the rise. But the increase varies: 35% say the number of security threats increased 1%-25%; 19% say the increase was 25%-50%; 10% say it surged by more than 50%. One-third of respondents say they’ve seen no increase in threats.

The respondents were also asked to “rank the impact” of a list of factors on mobile data security. The following shows what percentage of respondents chose each factor:

1. lack of employee awareness 62%

2. insecure Web browsing 61%

3. insecure Wi-Fi connectivity 59%

4. lost or stolen mobile devices with corporate data 58%

5. corrupt applications downloaded to mobile devices 57%

6. lack of security patches from service providers 53%

7. high rate of users changing or upgrading their mobile devices 48%

These numbers are troubling, in part because the survey found a wide range of corporate data is stored on these devices.

Almost 80% of respondents say corporate email is stored on them; 65% say business contacts. But 47% say customer data, 38% say network login credentials, and 32% say corporate data via business applications also turn up.

Source: computerworlduk.com

Securing your mobile devices

With enterprises using hundreds of millions of smart mobile devices, the risks and security concerns are far greater than from those computing devices located inside of a physically controlled environment.

Mobile Active Defense locks down, secures and puts your iPhones, iPads, Androids, other smartphones and tablets into regulatory compliance.

Mobile Active Defense M.A.D. has over 100 years combined experience in security hardware and software product design and development, marketing, sales and support. M.A.D. Partners’ mission is to create innovative, high quality and easy to use security solutions for smartphones, pads and tablets

By employing the most stringent security standards and enforcement mechanisms, the Mobile Enterprise Compliance and Security (MECS) Server enforces policy across your entire mobile enterprise.

MECS gives you device management, security controls, remediation, compliance and centralized administration over your mobile workforce. The MECS Server extends your existing enterprise and network security policies the same level ofcontrol you already enjoy in your existing fixed infrastructure.

Join in on one of our M.A.D eSeminars or click here to read more

In a report to the US securities and exchange commission, the company admitted that it had several successful attacks against its corporate network in which access was gained to information on their computers and servers’ in 2010, and that information stored on the compromised corporate systems was exfiltrated.

It admitted that the occurrences of the attacks were not sufficiently reported to the company’s management at the time that they occurred, for the purpose of assessing any disclosure requirements. Management was informed of the incident in September 2011.

VeriSign’s DNS processes as many as 50 billion queries daily and any information stolen from it could let hackers direct people to faked sites and intercept email from federal employees or corporate executives, though classified government data moves through more secure channels.

A spokesperson for VeriSign said that there was no comment other than what was included in the 10-Q document filed on October 28^th, 2011.

SC Magazine  

 Click here for more information

According to The Journal, a Twitter account used by the Swedish arm of Anonymous posted the passwords and email addresses of government users; it said the attack had been motivated by the government’s plans to introduce new legislation reinforcing the rights of copyright holders in the sharing of online materials, similar to the Stop Online Piracy Act (SOPA) in the US.

The data posted included passwords for 17 user accounts belonging to the Department of Foreign Affairs and used for administration of the website for Irish Aid, its overseas development programme. The other hacked accounts appeared to belong to staff at Arekibo, a digital media company credited as having designed the site.

Ireland was previously targeted by the movement over the same legislation, with distributed denial-of-service (DDOS) attacks launched on the Irish Department of Justice and Department of Finance that took the sites offline for a short time. An online petition against the legislation has attracted just under 80,000 signatures since it was launched at the end of January.

SC Magazine

Click here for more information on Prolexic

Prolexic are the leading provider of DDoS mitigation technology, they have stopped 55,000 attacks and coped with attacks that have reached 69m packets per second. We know from our experience downtime costs money, estimated at $1000 per minute – this company is so confident it has a SLA for to mitigate;NO other vendor provides this, so much so the closest competitor Verisign does not even think it’s possible to mitigate.

Prolexic Technologies, the global leader in Distributed Denial of Service (DDoS) protection services, today announced it has launched an enhanced Prolexic Portal, an online resource that provides customers with greater visibility and insight into Prolexic’s monitoring and cloud-based mitigation services.

“The ProlexicPortal opens the door to a robust view of reports, graphs, alerts, and statistics that give our customers more insight into DDoS threats on their network and how we mitigate them,” said Paul Sop, chief technology officer at Prolexic. “Most importantly, the Portal helps us work with our clients in a closer and more coordinated manner.”

Key Features

Password protected and only accessible to Prolexic customers, the Portal features a full complement of monitoring statistics, reports, and alerts, including:

• Flow Based Attack Monitor – Available to customers who subscribe to Prolexic’s Flow Based Monitoring service.

• Reports – Quick access to traffic profiles, alerts and DDoS attack statistics.

• Bandwidth graphs – Illustrates the volume of clean bandwidth that traverses the customer’s network.

• Network Flow Based Alerts – Tied to action items and customer contact within a time-­‐to-­‐notify service level agreement.

• Proxy statistics – Provides easy access to statistics related to proxy traffic that traverses through the customer’s network, including unique visitors, cache properties and URL and host requests.

• HTTP statistics – Proxy customers can access statistical information related to inbound requests for all traffic passing through the customers network.

• Attack statistics – All Prolexic customers have access to post-­‐mortem attack event statistics, which are summarized by attack size, duration, and type.

• Ticket Listing – All Prolexic customers can easily create and view service tickets.

For more information : click here

Of the reasons cited, the most common reason was in fact, that 33% believed that they were not actually doing anything wrong, whereas one in five (22%) said they needed to access unauthorized applications and programs to enable them to get their job done..

The survey was conducted by InsightExpress on behalf of Cisco.

18% actually said that they didn’t have time to think about policies while they were working and 16% said that it just wasn’t convenient, 15% said they forgot to do so, or that their bosses are not watching what they are doing (14%).

As iPad and Tablet usage and popularity increases, 10% of employees said that their company policies restrict the use of iPads and tablets at work.

Whilst total restrictions on devices are put into place by some corporations and businesses, others turn to solutions such as Mobile Active Defense ( see more on M.A.D here ) who’s award winning mobile, tablet and Pad enterprise hardware and software locks down, secures and puts the iPhones, iPads, Androids, other smartphones and tablets into regulatory compliance, allowing  users to keep their beloved devices and the company to control security polices enforced maintaining full compliance.

Forward thinking solutions such as M.A.D allow users to retain their devices, yet allow companies to enforce their IT security policies.

According to a story on the Dutch news site Webwereld, Gemnet was compromised, although this does not appear to have affected certificate issuance. A provider of security consultancy and authentication technologies to nearly all parts of the Dutch government, including the Ministry of Security and Justice, Bank of Dutch Municipalities and the police, the company reportedly detected and closed the leak on Wednesday.

The report claimed that the database was managed by PHP MyAdmin and access was gained without a password. The attacker was able to extract information from the database and partially control the network; among the documents was information about the technical design of the trusted network between Dutch telecommunications and ICT service provider KPN and governments or companies. KPN is also the parent company of Gemnet.

KPN shut down the service, but denied that there was a connection between a possible hacking of the Gemnet website and the safety of its certificates, saying “the hack of the site has no connection with the issuance and management of government PKI certificates”.

A KPN statement said the Gemnet website was taken offline and it has launched an investigation. It also said that while “security of [their] systems is of paramount importance” for KPN and Gemnet, this “shows that parts of the process should be improved” and “in addition, KPN [would] like to use the knowledge and expertise that this offered”.

KPN also insisted that the documents on the server were all publicly available.

Chester Wisniewski, senior security adviser at Sophos Canada, said: “The attacker reportedly was able to obtain the password (braTica4) used for administrative tasks on the server as well. This could be the reason KPN has suspended Gemnet’s certificate signing operations while it investigates.

“If the information shared with Webwereld by this attacker are true, even the most basic of penetration tests would have discovered major problems with their implementation.

“It is critical that organisations that have public-facing internet services regularly audit what services are available, rotate passwords for critical systems and regularly test their web applications for SQL and other vulnerabilities.”

SC Magazine

The challenges include new and very different operating environments, as well as the pervasive nature of mobile applications. Many of these are not vetted for malware, backdoors and just plain bad programming. There are limited protection tools for many of these environments and, probably worse, sometimes there is no way to know who is on the network. Moving between Wi-Fi and the wireless telecom network provides opportunities to exfiltrate data from one network onto another without authorization.

Demand for mobile devices within the organization is reaching epic proportions, often precluding proper policy development, testing and configuration of gateways. With all of that in mind, solutions to these challenges become a major challenge in itself. Managing everything from policy to enforcement poses huge challenges by itself. These are the types of challenges that require creative solutions, and they require those solutions quickly. It takes both experience and innovation to step up to the emergence of a new and very disruptive technology.

Returning for the moment to the subject of disruptive technology, this year our interviews have uncovered the interesting premise that addressing a disruptive technology, such as the explosion of mobile device use in all quarters, requires an equally disruptive technological solution, along with the creative business and go-to-market approaches to monetize it.

This year’s Innovator is all of those things: experience, creativity, vision and a solid business approach. Taking the framework for security in the mobile environment, adding the dimension of compliance and considering the technological issues all play important roles in successfully addressing smartphones and tablets.

Mobile Active Defense (M.A.D.)

Here’s a radical concept: Treat all of the mobile devices on the network as if they were computers. If one does, and secures them the way one secures computers, there will be no mobile device problems. Unfortunately, that is not quite as easy as it sounds. If it were true, there would be a lot of M.A.D. companies around. There aren’t because it isn’t.

The principals at Mobile Active Defense (M.A.D.) met while working at a consulting company. In 2008/09, they started looking at how to hack smartphones and, thus, how to protect them. Subsequently, the important issue is the app store and that increases the threat significantly. In early 2010, M.A.D. started developing its MECS (Mobile Enterprise Compliance and Security) Server Solution and launched the offering later that year.

Taking a certificate-based authentication approach, filtering everything through the MECS server and developing a strongly defined philosophy, MECS prevents a user from turning off protection. That means that the product is targeted at compliance, as well as security, rather than being focused exclusively on mobile device management.

The MECS solution is offered as either a fully hosted service or on a dedicated appliance that can be installed in the enterprise environment. If the fully hosted service is chosen, a site-to-site VPN typically is configured to extend access to private corporate resources and intranets. Customers choosing to host their own appliance simply install the MECS server appliance in a DMZ outside of their existing corporate firewall. This is the most secure installation, and traffic can undergo multiple points of inspection before entering the corporate network.

Treating mobile devices like computers on the network, with the firewall and IPS specifically built for the server management component is either in the cloud or data center. By partnering with security value-added resellers (VARs) around the world, M.A.D.’s line-up of products are localized, and channel partners can help them grow quickly.

“What is MECS,” we asked?

“Easy,” came the reply. “It’s a next-generation IPS for the mobile world.”

SC Magazine

According to Prolexic CTO Paul Sop, attackers know that businesses have some level of DDoS protection, so DDoS mitigation equipment is now being targeted. He also claimed that most technologies “do not have the capacity to process the ‘high packet per second’ attacks that are being used”.

He said: “The simple truth is that automated mitigation tools and providers that offer only basic mitigation capabilities are likely to struggle against these kinds of attacks because they do not have an infrastructure in place with sufficient packet-per-second processing capacity.”

In its Q3 2011 attack report, Prolexic detected a steady rise in certain attack types, particularly high-packet-per-second SYN and ICMP floods. “High PPS SYN floods, in particular, target DDoS mitigation appliances by exhausting their processing capabilities with millions of small packets per second,” said Sop.

“For example, popular 10Gbps appliances often exhibit peak handling rates of less than five million packets per second. The prevalence of high PPS SYN floods indicates a change in strategy where attacks are less sophisticated, but more deadly.”

Of all of the attacks mitigated by Prolexic, approximately 24 per cent were SYN floods, 22 per cent ICMP floods and 19 per cent UDP floods. Network layer (Layer 3) attacks were the most common, making up 83 per cent of total attacks, with application layer (Layer 7) attacks accounting for the remaining 17 per cent.

The average attack duration was 1.4 days and the average speed of traffic mitigated was 1.5Gbps. The highest volume of attacks occurred during the period of 19-25 August, and the top three countries from which attacks originated were China, India, and Turkey, with China-based IP addresses accounting for 55 per cent of attacks.

SC Magazine

Ruth Crawford QC had the unencrypted laptop stolen in 2009 when she was on holiday, according to the Information Commissioner’s Office (ICO). It claimed that the laptop contained personal data relating to a number of individuals involved in eight court cases that Crawford had been working on, including some details relating to the physical and mental health of individuals involved in two of the cases.

The breach was reported to the ICO on 30 August 2011 when the last case relating to information held on the laptop was concluded. The ICO’s enquiries found that while Crawford had some physical security measures in place at the time of the theft, she failed to ensure that either the device or the sensitive information stored on it was appropriately encrypted.

Ken Macdonald, assistant commissioner for Scotland, said: “The legal profession holds some of the most sensitive information available. It is therefore vital that adequate security measures are in place to keep information secure.

“As this incident took place before the 6 April 2010, the ICO is unable to serve a financial penalty in this instance. But this case should act as a warning to other legal professionals that their failure to protect personal information is not just about potentially being served with a penalty of up to £500,000, it could affect their careers too. If confidential information is made public, it could also jeopardise the important work they do in court.

“The ICO would also like to assure the legal profession that any information reported to this office will not be disclosed unless there is specific legal authority for us to do so. Therefore all breaches should be reported to our office as soon as practically possible.”

Edy Almer, V-P of marketing and business development at Safend, a Wave Systems company, said: “While most, if not all organisations should have had encryption in place by now, individuals who are independent or not covered by their organisation can still take the initiative and use self-encrypted drives that require no knowledge to install. The cost of the drive is negligible compared with the hassle, cost and embarrassment after such an easily prevented loss.”

SC Magazine