CA Community

September 2011 - Posts

Mitigate the Insider Employee Threat – Control Sensitive Information at the Source

Published: September 28 2011, 02:18 PM | no comments
by Tyson Whitten

Wall Street Journal's Geoffrey Fowler recently wrote an article, "What's the Company's Biggest Security Risk? You."  He raises the very relevant topic of how employees are significant insider threats to the business.

As he accurately points out, the more skilled employees become in using personal technology, the more companies are at risk of exposing sensitive corporate information.  The use of personal webmail, the proliferation of social media and the adoption of mobile devices are examples of what has increasingly contributed to the external exposure of sensitive corporate assets.

But while there is little question that these technologies increase the potential exposure of sensitive information, it's important to recognize that once sensitive information reaches the eyes of unintended recipients, the horse has essentially left the barn.  The ability to control information once it reaches unwarranted recipients is limited.  That's why controlling information at the "source" is extremely important to reducing the risk of accidental, negligent or malicious exposure through electronic or non-electronic means.

In order to effectively control information at its source businesses should take 3 things into account:

1) What content is considered sensitive to the business?

Organizations must define the data classification types that are critical to the business, covered by external regulatory requirements or included within corporate policies.  Preferably this is accomplished through automated technology, or as a last resort manually on a recurring basis.  Either way, the ability to identify IP, PII, PHI or NPI is critical if the business is to control how employees use that information at its source.

2) How is sensitive content distributed or communicated through the business?

Although social media and mobile devices are prominent threat vectors for sensitive corporate data, the business must control information closer to the point where it is created and shared.  If data is not controlled at the point of creation or initial sharing, it has a high probability of being replicated, unnoticed, throughout the organization to unwarranted recipients.  Collaboration software such as SharePoint has quickly become the software of choice to store, share and revise content, while email remains the most common mode of communication for distributing content within the workplace.  If organizations truly wish to control information at its source (before it reaches a critical mass of distribution), they must maintain visibility into these common modes of collaboration and communication.

3) Who is involved in the communication?

Organizations need to understand the individuals, roles or groups involved in communicating content.  By understanding the identity of who's communicating, organizations are able to take a precise approach to controlling information handling, as opposed to broad brush strokes that typically result in critical business flows being interrupted.

By taking the proper steps to protect information at its source, businesses are able to reduce the risk of sensitive information getting into the wrong hands and eventually leaking outside the organization - whether it's through social media, mobile devices or even word of mouth.
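The three questions above can be turned into one source-side policy check: classify the content, look at who is sending it, and look at where it is going. The following is an added illustration written for this post, not CA DLP code; the detectors, the role table and the domain example.com are constructed assumptions.

```python
import re
from dataclasses import dataclass

def luhn_ok(digits):
    """Luhn checksum: separates a real card number from an arbitrary 16-digit string."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify(text):
    """Step 1: which sensitive classes does the content contain? (constructed detectors)"""
    found = set()
    if re.search(r"\b\d{3}-\d{2}-\d{4}\b", text):                    # US SSN layout -> PII
        found.add("PII")
    for m in re.finditer(r"\b(?:\d[ -]?){13,16}\b", text):          # card-like number -> NPI
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.add("NPI")
    if re.search(r"\b(?:diagnosis|patient id)\b", text, re.I):      # clinical markers -> PHI
        found.add("PHI")
    if re.search(r"\b(?:trade secret|confidential)\b", text, re.I):  # marked IP
        found.add("IP")
    return found

@dataclass
class Message:
    sender_role: str        # Step 3: identity (role) of who is communicating
    recipients: list
    body: str

# Steps 2 and 3 as rules: which roles may handle each class, and what happens at the boundary.
INTERNAL_DOMAIN = "example.com"   # assumed corporate domain
ROLES_ALLOWED = {"PII": {"hr", "payroll"}, "NPI": {"finance"},
                 "PHI": {"benefits"}, "IP": {"legal", "engineering"}}

def dlp_decision(msg):
    """Return (action, classes): allow, encrypt (leaving the company) or block (wrong role)."""
    classes = classify(msg.body)
    if not classes:
        return "allow", classes
    unauthorized = {c for c in classes if msg.sender_role not in ROLES_ALLOWED.get(c, set())}
    if unauthorized:
        return "block", unauthorized
    external = any(not r.lower().endswith("@" + INTERNAL_DOMAIN) for r in msg.recipients)
    return ("encrypt" if external else "allow"), classes
```

Because the decision is keyed on the sender's role rather than on the content alone, an HR mailbox sending a payroll record is handled differently from a sales mailbox sending the same record, which is the precise rather than broad-brush control the post argues for.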

Lock image used under Creative Commons License from the Open Clip Art Library http://www.openclipart.org/detail/17931


By: Tyson Whitten
Tyson Whitten is a CISSP with 10+ years of information security experience managing application, network and risk based products and services. In his current role he has product responsibility for CA DLP within CA Technologies Security Customer Solutions Unit. Prior to CA Technologies, Tyson held...

Password Amnesia: Not the Only Identity Management Problem

Published: September 19 2011, 08:37 AM | no comments
by Merritt Maxim

I have been away from the blog for longer than I like - call it summer vacation, but am back now and plan more blog entries in the coming months, so please keep reading the blog.

Today's topic concerns an issue near and dear to everyone that deals with IAM -- the forgotten/lost password.  This is a legitimate business problem, not just for maintaining end-user satisfaction, but also because it costs organizations money: they have to staff service desks to help users reset forgotten, lost or stolen passwords.  Reducing these service desk costs continues to be a major driver behind organizations deploying identity management solutions to provide user self-service and password reset functionality and automate the password reset process.  The result is lower operational costs as well as an improved user experience (and customer satisfaction).

And while many quote various figures on the internal cost to reset a password manually, the issue is less about the exact cost and more about understanding that manual password resets are not only costly, but also inefficient.  So today's blog is written in defense of the end-user.

Everyone who invokes the forgotten password problem is subtly implying that users are simpletons who cannot remember passwords and unnecessarily burden the service desk with calls.  While there is no doubt that forgetting passwords does happen (especially for systems that are infrequently accessed), there are other scenarios that lead to incorrect passwords.

Case in point.  I recently received a new work laptop and retired my 4+ year-old laptop.  Our IT staff successfully migrated all my documents and other important files to the new machine without incident.  The problem occurred when I tried to access a few B2C websites.  I had cached the usernames and passwords for these sites on my old machine, but that information was not available on my new machine (lest you chastise an IAM professional for doing such an irresponsible thing -- the cached passwords were only for non-transactional sites like those that provide content).  And since the password had been cached for years, I had little to no idea of the original password. While there are utilities that can migrate browser bookmarks and cached passwords from machine to machine, a better security policy for password hygiene is to prevent this and force users to reset passwords, which is exactly what happened with my new machine.

Enter user self-service.  Thankfully, most if not all of these sites possessed password reset capabilities and I was able to reset my password and access the site's content.  But this experience reminded me that the "forgotten" password is not necessarily a function of amnesia, but could be the result of an external event like a new or replacement PC.  So while this exercise was a bit painful for me in the short-term, it further demonstrated to me the value of identity management and self-service solutions and that forgetful users are not the only reasons for password resets.

*Image used under Creative Commons License courtesy of Horia Varlan.

By: Merritt Maxim
Merritt Maxim has 15 years of product management and product marketing experience in the information security industry, including stints at RSA Security, Netegrity and CA Technologies. In his current role at CA Technologies, Merritt handles product marketing for CA's identity management and cloud...

Another potential threat of Doppelganger domains

Published: September 09 2011, 04:02 PM | no comments
by Sumner Blount

You may not know what a doppelganger domain is, but you have almost certainly visited one.  Have you ever gone to read your email at gmail.com and mistyped it "gmial.com"? I've done that many times and always noticed it only when I turned up at some rewards center that attempts to sell you something.  And, of course, it could be much worse.  By mistyping the correct domain name, you could easily end up at a virus-infected site, or at a phishing site designed to look like the correct one that tries to get your account number and password.

The challenge of doppelganger domains is that the number of potential mistypings of a given domain name is almost endless.  It's very hard to acquire all of them so that a company won't be vulnerable to this type of activity.

Some researchers have discovered another important vulnerability with this type of domain.  They created a number of fake domain sites and sat back and waited for email to that domain to come in.  For full details, see this article.  

These researchers set up 30 doppelganger accounts for various firms and found that the accounts attracted 120,000 e-mails in the six-month testing period.  The emails that came into these sites included such potentially valuable information as:

  • Full configuration details for the external Cisco routers of a large IT consulting firm, along with passwords for accessing the devices.
  • Passwords for obtaining full VPN access into the system that supports the major road tollways in a European country.
  • Lots of miscellaneous invoices, contracts and reports.

They collected a total of 20GB of data in six months, all while essentially doing nothing.

This appears to be a particularly pernicious risk, not primarily because the risk is so high, but because it's reasonably easy for someone to capture the email coming in to a misspelled domain name.  Attacks like this will pop up now and then, and each one serves to re-validate that security managers need to be constantly vigilant for new and creative ways in which their information is at risk.
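One practical defensive check that follows from the post: generate the single-keystroke look-alikes of your own (and key partners') domains and watch your outbound mail log for recipients at those look-alikes, since that is exactly the mail the researchers were collecting. This is an added example written for this post, not code from CA or from the researchers; the log format is Postfix-style and the log lines are constructed.

```python
import re

def typo_variants(domain):
    """Single-keystroke look-alikes of a domain's first label: adjacent-letter swaps
    (gmail -> gmial), dropped characters (gmail -> gmal) and doubled characters (gmail -> gmaiil)."""
    label, _, rest = domain.partition(".")
    out = set()
    for i in range(len(label) - 1):                      # transposition
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:] + "." + rest)
    for i in range(len(label)):                          # omission
        out.add(label[:i] + label[i + 1:] + "." + rest)
    for i in range(len(label)):                          # repetition
        out.add(label[:i] + label[i] + label[i:] + "." + rest)
    out.discard(domain)
    return out

# Recipient field of a Postfix-style delivery line, e.g. "to=<alice@example.com>".
LOG_RE = re.compile(r"to=<(?P<addr>[^>]+)>")

def find_misdirected(log_lines, protected_domains):
    """Return (recipient, intended domain) for every line addressed to a look-alike domain."""
    lookup = {v: d for d in protected_domains for v in typo_variants(d)}
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        rcpt_domain = m.group("addr").rsplit("@", 1)[-1].lower()
        if rcpt_domain in lookup:
            hits.append((m.group("addr"), lookup[rcpt_domain]))
    return hits

# Constructed sample of outbound mail log lines (not real traffic).
SAMPLE_LOG = [
    "Sep  9 14:02:11 mta postfix/smtp[123]: 1A2B: to=<alice@example.com>, status=sent",
    "Sep  9 14:02:15 mta postfix/smtp[124]: 1A2C: to=<bob@exmaple.com>, status=sent",
    "Sep  9 14:03:01 mta postfix/smtp[125]: 1A2D: to=<ops@gmial.com>, status=sent",
    "Sep  9 14:03:09 mta postfix/qmgr[100]: 1A2D: removed",
]
```

A hit is a lead, not proof of a doppelganger: a look-alike can be a legitimate unrelated domain, so review hits before blocking, and consider registering the variants that show up repeatedly.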


By: Sumner Blount
Sumner Blount has spent his 25-year career focused on the development and marketing of software products for a range of top-tier enterprise IT firms. Currently, he’s a Director in the Security business unit at CA. Previously he managed the large computer operating system development group at Digital...

The Consumerization of IT – What and Why?

Published: September 06 2011, 04:51 PM | 6 Comment(s)
by Sumner Blount

"I'm sorry, but you can't use that device because we don't support it in IT"

Sound familiar? If so, you may want to share this blog post with the person who said that to you.

Some users have chafed under the restrictions that IT has placed on them, in terms of how they access IT resources.  Sometimes it has felt to them as if IT had all the control, and the users must conform, like it or not.

But, IT has been undergoing a significant shift recently called the "consumerization of IT." This trend will probably continue as the flood of new and more intelligent devices continues, and as the typical worker becomes more mobile. 

Some people believe that consumerization of IT means only supporting new, smarter consumer devices.  But, although that was the first symptom, this trend is actually far more important and impactful than that. It also includes the massive popularity of social media vehicles for communicating with others - Facebook, Twitter, LinkedIn, Google+ and many, many more. It is also often viewed as including the strong growth of cloud-based services.

But, it's not just about devices - it's about the shift of control. The role of IT is changing, and this change is highly likely to be long-lasting.  IT can no longer be rigid about how the users will interact with IT resources and what devices and access methods are acceptable.  Users will be using these devices, so IT must accommodate them while both ensuring security and supporting the convenience that they provide. It used to be that IT could say to users - "you play by our rules." Now, IT must play by the rules of their users as a group. 

Users also are changing in terms of their expectations of IT. Today's social-media savvy user has grown accustomed to near-instant gratification on their new sites and applications, and these expectations are carried over to IT. No longer will they tolerate long approval cycles, support for only antiquated devices, and the lack of control that they typically have had in the past.

The impact of these trends will result in a new model of information technology, accurately termed "Consumer-driven IT".  Users will be driving the requirements for IT, in part due to their adoption of consumer devices that are not controlled by a central IT group. This will result in new relationships not only between IT and their users, but also between IT and the business.  IT can become more of a business enabler rather than a mere gatekeeper of technology. In this regard, this trend has the potential to serve as a transformational driver for a new model for IT. 

Why is this trend occurring now? Several factors are relevant here:

  • Continued innovation in personal devices - consumer information technology devices have become powerful, ubiquitous, and cheap.
  • High growth in use of social media and related applications - as of this writing, Facebook has over 750 million active users, 250 million of them access it via a mobile device, and users spend over 700 billion minutes a month using it.
  • Externalization of the business - including use of cloud-based services and outsourcing of other functions.
  • The blurring of the line between personal and work life - the workforce is becoming more distributed, more mobile, and more home-based every day.

The consumerization of IT is likely to have important organizational impacts.  Paradoxically, this trend is likely to both expand the scope and reduce the control of IT. The scope of responsibility for IT will be expanded because its role now doesn't stop at the firewall - the corporate network now extends out to the user and their unique access devices. For example, users might download confidential information to their iPhone, and then mistakenly (or worse, intentionally) email it to someone outside the organization. Security for these varied devices needs to be a critical element of IT planning, and there need to be comprehensive identity and access management capabilities to guard against attacks or improper actions by authorized users.

But, at the same time, the control that IT can exert has diminished. Decision-making will become more democratic (some IT folks might interpret it as being more "chaotic" than democratic) as users begin to wield more power purely on the basis of their need for flexible use of IT resources. 

There will also be technology impacts. Security will become even more important because access to corporate IT resources from consumer devices introduces new risks that must be mitigated.  In addition, enforcement of access policy should become more flexible and dynamic, as contextual parameters become important in the evaluation of policy enforcement.  For example, contextual parameters of an attempted user authentication (such as location, time of day, recent user activity, etc.) will become important for deciding whether the authentication will be accepted, or whether additional, stronger authentication methods will be required. Finally, transparency of access will increase. The boundaries of IT services are gradually becoming more and more transparent to the outside user, as the assets that are accessed become virtualized, or available on-premises, in the cloud, or in a hybrid of the two. The user will not care where these assets reside, as long as access is quick, convenient, and secure.
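The contextual authentication described above amounts to a small risk engine: score the context of the attempt and map the score to accept, step up to a stronger factor, or reject. This is an added sketch written for this post, not CA product logic; the factors, weights and thresholds are constructed assumptions and would be tuned per organization.

```python
from dataclasses import dataclass, field

@dataclass
class AuthContext:
    user: str
    country: str                 # where the request originates
    device_known: bool           # has this device authenticated as this user before?
    hour: int                    # local hour of the attempt, 0-23
    recent_failures: int         # failed attempts on this account in an assumed 15-minute window
    usual_countries: set = field(default_factory=set)   # countries this user normally logs in from

def risk_score(ctx):
    """Sum of constructed weights for the contextual parameters the post names."""
    score = 0
    if ctx.country not in ctx.usual_countries:
        score += 40              # unfamiliar location
    if not ctx.device_known:
        score += 30              # consumer device never seen before
    if not 7 <= ctx.hour <= 20:
        score += 15              # outside normal working hours
    if ctx.recent_failures >= 3:
        score += 30              # recent guessing activity against the account
    return score

def auth_decision(ctx):
    """Map the score to the three outcomes: accept, step-up (stronger factor required) or deny."""
    s = risk_score(ctx)
    if s < 30:
        return "accept"
    if s < 70:
        return "step-up"
    return "deny"
```

The same password from a known laptop at 10 a.m. is accepted, from a new phone it triggers a step-up, and from a new phone in an unfamiliar country it is refused outright, which is the "flexible and dynamic" enforcement the paragraph calls for.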

Let's summarize - consumerization of IT is an important trend that has been going on for several years.   It will cause important changes in the way that users access IT resources, and the way that IT relates to its users and the business. 

Stay tuned for some more thoughts on this topic in a future blog ... meanwhile, you can read additional content here and more on security challenges here. But let us know in the comments what security impacts you think exist.  How do the security risks of these devices differ from a simple laptop?  What do you think an IT leader should consider when dealing with multiple consumer devices and their security risks?



Morto Worm Reminds us of the Importance of Passwords

Published: September 06 2011, 03:55 PM | no comments
by Russell Miller

Password security should be a simple thing: establish a policy that removes default passwords, set minimums for length and complexity, and always follow the policy. Unfortunately, it often takes something like the Morto worm to show us how difficult this actually is:

According to Microsoft, this worm has successfully gained access to systems in 87 countries by attempting to log in using passwords such as "12345" and "test".

The best way to ensure that passwords meet standards and are continually updated is to take that task away from individual administrators. Tools such as CA Privileged User Password Management (PUPM) fully automate the process by changing passwords, according to a set policy, every time an account is used. PUPM takes password security even further by providing automatic login functionality (if administrators never know the password, they can't share it).

Unfortunately it takes an incident like this to remind us to revisit password security.
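The policy the post describes (no default passwords, minimum length and complexity, always applied) can be written down as a check, with a rotation routine that only ever produces passwords passing that check. This is an added example for this post, not PUPM code; the deny-list, the minimum length and the character-class rule are constructed assumptions, seeded with the two guesses the post quotes.

```python
import re
import secrets
import string

# Constructed deny-list: the worm's guesses quoted in the post plus common vendor defaults.
WEAK_PASSWORDS = {"12345", "123456", "test", "password", "admin", "administrator", ""}
MIN_LENGTH = 12
CHAR_CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]

def normalize(pw):
    """Reduce trivial decorations (Test1!, 123test) to the base word before the deny-list check."""
    base = pw.lower()
    base = re.sub(r"[\d!@#$%^&*.]+$", "", base)   # strip trailing digits/punctuation
    base = re.sub(r"^[\d!@#$%^&*.]+", "", base)   # and leading ones
    return base

def policy_violations(pw):
    """Return the rules a candidate breaks; an empty list means the password is acceptable."""
    problems = []
    if pw.lower() in WEAK_PASSWORDS or normalize(pw) in WEAK_PASSWORDS:
        problems.append("default-or-common")
    if len(pw) < MIN_LENGTH:
        problems.append("too-short")
    classes_present = sum(any(c in cls for c in pw) for cls in CHAR_CLASSES)
    if classes_present < 3:
        problems.append("too-few-character-classes")
    if len(set(pw)) <= 2:                          # e.g. "aaaaaaaaaaaa" or "abababababab"
        problems.append("low-variety")
    return problems

def rotate_password(length=20):
    """Generate a replacement the way an automated vault would: random, policy-compliant,
    and never shown to a human (so it cannot be shared or reused)."""
    alphabet = "".join(CHAR_CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy_violations(pw):
            return pw
```

The normalization step matters: "Test123!" satisfies length-free complexity rules on its face yet is still the word the worm guessed, so the deny-list check is applied to the stripped base word as well as the literal string.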


By: Russell Miller
Russell Miller has spent over five years in network security in various roles from ethical hacking to solutions marketing. He currently manages marketing activities for the CA ControlMinder products. Russell has a B.A. in Computer Science from Middlebury College and an M.B.A. from the MIT Sloan School...
