Wednesday, January 8

Our Blog has moved!

To our loyal blog followers I would like to both apologize and thank you.  I apologize that I did not put this notification up earlier but our Website and associated Blog have moved to a new location.

You will be directed to our new Website by clicking here.

Our new Blog can be found by clicking here. We will continue to have the same great articles, tips and advice here. If you'd like to update your links, please bookmark this page.

Thank you for following both our corporate Website and our Blog: we appreciate your time.

Brad C. Johnson
Vice President, SystemExperts Corporation

Monday, July 15

The first simple steps for Mobile Device Security
By Paul Hill
Posted by Brad C. Johnson

Most companies have policies that restrict what applications employees can install on desktops and laptops. Also, most companies have implemented technology controls to help enforce such policies.

Fewer companies have implemented similar controls on company-owned mobile devices. Within companies that have adopted a Bring Your Own Device (BYOD) strategy for mobile devices, only a small percentage have created documented lists of approved or prohibited applications, and still fewer use MDM tools to enforce such decisions on employee-owned devices.

A number of companies document some general guidelines regarding prohibited applications in their policies. Such guidelines usually address specific risks, including data leakage or loss, reputation damage, and liability for copyright infringement, although they are rarely explained to employees in those terms.

Many guidelines prohibit peer-to-peer file sharing apps including BitTorrent, uTorrent, and Limewire. Typically, guidelines will also dissuade employees from using consumer grade cloud storage services such as iCloud, Dropbox, SkyDrive, and Google Drive.

Unfortunately, few companies discuss the additional applications that leverage cloud storage, or adequately educate employees about the risks of using cloud storage aimed at the consumer market. This creates a situation where employees, seeking to optimize their productivity, adopt an attitude of begging forgiveness later rather than asking permission first.

Applications that provide synchronization services across devices typically use some form of cloud storage, and the trend is that more and more applications are doing this. In some cases this is obvious; in others, users may not be aware of how and where their data is being stored.

Here are examples of some applications that either use cloud storage, or leverage cloud storage to provide additional integration capabilities with other applications:  SketchBook Pro, WeatherPro, PDFpen, Keynote, iBooks, Camera+, Contacts, Onenote, JotForm, Evernote, Zapier, UberConference, KustomNote, Azendoo, LiveMinutes, FileThisFetch, QuickOfficePro, GimmeBar, IFTTT, InSync, AutoCad WS, Nivio, Balsamiq Mockups, SmartSheet, SugarSync, Hoccer, Dictadroid, and CloudOn.

Companies should also be aware that dictation services, transcription services, and systems that perform voice recognition typically store data on the vendor's servers.  The software developers creating these services value a large data set from a variety of speakers in order to tune, enhance, and improve their ability to perform speech recognition.  It has been widely reported that Apple retains voice queries submitted to Siri for up to two years, although Apple says that after six months it disassociates the voice clips from the data that can be used to associate the clips with the original device from which the query was submitted.

Examples of voice transcription, recording, and voice recognition applications include: Siri, Dragon for Salesforce, Dragon Dictation, PowerScribe 360, SpeakWrite Recorder, Evernote, Voice Assistant, ShoutOUT, UberConference, and Winscribe.

Many of the example applications in each category also provide facilities for easily forwarding information to social media systems including Facebook, Twitter, and LinkedIn.

Companies need to know which applications their employees want to use and how those applications store or synchronize data, and then evaluate the risk.

Monday, June 17

The first simple steps for Mobile Device Security
By Paul Hill

Many of our customers have mature security programs that address mobile devices with a wide range of controls. However, many small businesses don't have fully developed security policies and are trying to determine which first steps toward securing their mobile devices are the most practical.
The two most basic and most repeated steps to secure data on mobile devices are still the most important first steps to take:

1. Require the use of a PIN or passphrase to access any application or data on each mobile device
2. Configure mobile devices so that they can be remotely wiped

Employees really should be taught to assume that sooner or later the device they are using will be lost or stolen. A PIN won't prevent someone who has the device in hand from gaining access to the data on it, if they are determined to do so. However, a PIN should delay access to the data long enough for the company to perform a remote deletion, provided the loss or theft is reported promptly.

Over time, mobile devices tend to be used on a number of wireless networks and cellular networks that may be insecure.  It is important to protect communications from eavesdroppers.

3. Use a VPN to ensure all communications are encrypted, protecting the traffic from eavesdroppers or tampering

Requiring the use of a corporate VPN for all mobile device traffic will also enable a company to perform traffic analysis and enforce Data Loss/Leak Prevention (DLP) controls, and block access to forbidden sites, if the company has such controls in place.

Most enterprises will prohibit employees from using consumer grade cloud storage services such as iCloud, Skydrive, Dropbox, or Google Cloud Storage.  If the use of these or similar services is allowed:

4. Use a password that will withstand brute force attacks for any cloud storage services and do not reuse the password for any other services or accounts

Companies that prohibit employees from using consumer-grade cloud storage services should educate employees about the risks and about which applications are prohibited. Many applications use cloud storage without necessarily explaining to users how the features that rely on it work.

5. Do install anti-malware defenses where appropriate
6. Do not allow jailbreaking of devices

The large number of mobile devices in use is attracting malware authors. If an applicable anti-virus or anti-malware package is available for the mobile device platform, it should be installed. Apple believes its walled-garden approach to software installation negates the need for anti-virus software, and it does not permit any such packages to be sold via the App Store. Of course, that approach only works as long as all software available to consumers is examined, vetted, and approved by the vendor.
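To put numbers behind step 1 (a PIN only delays a determined attacker) and step 4 (a cloud-storage password must withstand brute force and must not be reused), here is a small estimator. It is an added example, not code from the post or from SystemExperts; the guess rates are constructed assumptions (a throttled lock screen versus offline guessing against a leaked hash), and the reuse check imitates a password-manager audit by comparing SHA-256 digests of the user's existing secrets, a set that is constructed here for illustration.

```python
import hashlib
import string

# Assumed attacker guess rates (constructed figures, not from the post):
# a lock screen that throttles attempts vs. offline guessing against a leaked hash.
THROTTLED_GUESSES_PER_SECOND = 1.0
OFFLINE_GUESSES_PER_SECOND = 1e10

CHARACTER_CLASSES = (
    string.digits,                  # 10
    string.ascii_lowercase,         # 26
    string.ascii_uppercase,         # 26
    string.punctuation + " ",       # 33
)


def alphabet_size(secret: str) -> int:
    """Sum of the sizes of the character classes the secret draws from.

    Characters outside the four classes are ignored, which under-estimates
    rather than over-estimates the keyspace (conservative for a defender).
    """
    size = sum(len(cls) for cls in CHARACTER_CLASSES if any(c in cls for c in secret))
    if size == 0:
        raise ValueError("secret contains no recognised characters")
    return size


def keyspace(secret: str) -> int:
    """Number of candidates an exhaustive search over the same alphabet/length must cover."""
    return alphabet_size(secret) ** len(secret)


def average_crack_seconds(secret: str, guesses_per_second: float) -> float:
    """Expected time to hit the secret: on average half the keyspace is searched."""
    return keyspace(secret) / 2 / guesses_per_second


def withstands(secret: str, guesses_per_second: float, required_seconds: float) -> bool:
    """True if the expected brute-force time meets the policy's required delay."""
    return average_crack_seconds(secret, guesses_per_second) >= required_seconds


def fingerprint(secret: str) -> str:
    """Digest used to compare secrets without keeping them in clear text."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def is_reused(candidate: str, existing_fingerprints: set) -> bool:
    """Reuse check in the style of a password-manager audit: the new secret must
    not match any secret already used for another account (constructed set)."""
    return fingerprint(candidate) in existing_fingerprints


if __name__ == "__main__":
    one_hour, one_day, ten_years = 3600, 86400, 10 * 365 * 86400
    pin = "4821"                                        # constructed sample
    passphrase = "correct horse battery staple 2013!"   # constructed sample
    # Constructed: digests of secrets the user already uses elsewhere.
    other_accounts = {fingerprint("Summer2013!"), fingerprint(pin)}

    print(f"PIN, throttled lock screen: {average_crack_seconds(pin, THROTTLED_GUESSES_PER_SECOND):.0f} s")
    print("PIN buys an hour to report and wipe:", withstands(pin, THROTTLED_GUESSES_PER_SECOND, one_hour))
    print("PIN buys a day:", withstands(pin, THROTTLED_GUESSES_PER_SECOND, one_day))
    print("passphrase survives 10 years offline:",
          withstands(passphrase, OFFLINE_GUESSES_PER_SECOND, ten_years))
    print("PIN reused as cloud password:", is_reused(pin, other_accounts))
```

The point the numbers make is the post's own: a four-digit PIN behind a throttled lock screen buys roughly an hour and a half on average, enough to report the loss and wipe the device, but nothing like the resistance a long mixed-character passphrase offers against offline guessing, which is what a cloud-storage credential must assume.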

Companies desiring to address a wider range of risks will likely need to impose many more controls. Mobile Device Management (MDM) platforms provide a variety of additional controls and finer granularity of the controls listed above. The BlackBerry platform still provides the greatest variety of controls, offering enterprise administrators over 450 policy settings. Microsoft's ActiveSync mailbox policies define 41 settings, although not all of the settings can be applied to all device platforms. Other MDM products typically provide fewer settings than a BlackBerry Enterprise Server (BES) but more options than ActiveSync mailbox policies.

MDM tools are limited by the features available on the device platform, and at times by the capabilities enabled by the carrier.  Companies that desire to support multiple device platforms may need to operate multiple MDM systems.

Monday, April 8

BYOD & Training
By Paul Hill


In my experience employee training has been one of the business drivers that introduces tablets into some organizations.  Employees have indicated an interest in using tablets to review training materials and many training managers have responded well to the feedback.  Typically an initial pilot program will use company owned and managed devices, temporarily loaned to employees for the purposes of training.  It is not unusual for the training managers to find that the response is overwhelmingly positive and user demand quickly outstrips the capacity provided by the initially purchased company owned devices.  That often leads to a discussion about BYOD.  One could say for many organizations, training is the application that gets the camel’s nose into the tent when it comes to BYOD.

For many industries, training material may be extremely sensitive. Consider the training material addressing security and IT risk management for a company in the financial services sector. The material may reveal which threats are currently of most concern. It may reveal how the company responds, specific email addresses, roles, responsibilities, and phone numbers. All of this might be useful information for an attacker launching a spear phishing attack. For other industry segments, training materials may reveal valuable intellectual property.

In such situations, the organization should determine what level of protection is necessary and what the implementation strategy will be.

Some organizations may decide to avoid BYOD device management and instead concentrate on managing access to corporate content. This can work by never storing the training material on the device. However, with this approach employees might need WiFi access while reviewing training materials.

The other strategy, which is gaining the most attention in regulated industries, is granular device management combined with containerization. With containerization, data can be stored on the device, but employees are prevented from transferring the content to other parties or services. This scenario is highly desirable if employees need to be able to review the training material while offline.

In order to make an informed decision about BYOD, decision makers need to understand the nature of the information and how it relates to corporate data classification and data handling policies. They also need to make decisions about usage patterns. Then they can work through the issues of specific device management strategies and review the options available.

This article was originally posted on: http://trainingstation.walkme.com/paul-hill-of-systemexperts-on-byods-impact-on-workplace-training/#.UWLRl5OyDzy

Tuesday, March 5

Three classic areas to improve security
By Richard Zuleg


I wanted to do a quick review of three classic areas in which you can improve your security, and to try to dislodge some of the bad practices many organizations engage in.

Monitoring – Learn your environment. Spend time writing rules specific to your environment. Monitoring is a running joke in the security community because it is so often done poorly. I remember one instance where a colleague of mine laughed with delight recalling a time when a monitoring system detected his 0-day during a test run. “It actually detected it,” he commented “so then I got around it.” That was all the explanation needed; it is that easy. Do not just look for “bad things.” You need to know your network and your systems if you ever hope to discover attacks.
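Here is what "learn your environment, then write rules specific to it" looks like in code, as an added example that is not from the post or from SystemExperts. It learns a baseline of which hosts initiate connections and to which services and destinations from a constructed connection log, then flags later events that break the learned pattern (a host talking to a service it never used; a server that was only ever a destination now initiating connections). The log format and all addresses are constructed assumptions; a real deployment would learn from days of firewall or flow logs rather than five lines.

```python
import re
from collections import defaultdict

# Constructed connection-log lines (format and addresses are assumptions, not from the post).
# Baseline window: traffic observed while learning what "normal" looks like here.
BASELINE_LOG = """\
2013-03-01T09:00:12 src=10.0.1.5 dst=10.0.2.8 dport=443 proto=tcp
2013-03-01T09:00:40 src=10.0.1.6 dst=10.0.2.8 dport=443 proto=tcp
2013-03-01T09:01:03 src=10.0.1.5 dst=10.0.2.20 dport=445 proto=tcp
2013-03-01T09:02:15 src=10.0.1.7 dst=10.0.2.8 dport=443 proto=tcp
2013-03-01T09:03:30 src=10.0.1.7 dst=10.0.2.53 dport=53 proto=udp
"""

# Later window (constructed) to be checked against the learned baseline.
NEW_LOG = """\
2013-03-02T09:00:05 src=10.0.1.5 dst=10.0.2.8 dport=443 proto=tcp
2013-03-02T02:14:09 src=10.0.1.6 dst=10.0.2.20 dport=3389 proto=tcp
2013-03-02T02:14:11 src=10.0.2.20 dst=10.0.2.8 dport=22 proto=tcp
this line is malformed and will be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped, not guessed at."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def learn_baseline(log_text):
    """Learn the environment: who initiates connections, to which services, to which hosts."""
    baseline = {
        "initiators": set(),               # hosts seen as a connection source
        "src_service": set(),              # (src, (proto, dport)) pairs
        "src_dst": set(),                  # (src, dst) pairs
        "services_by_dst": defaultdict(set),
    }
    for ev in parse(log_text):
        service = (ev["proto"], ev["dport"])
        baseline["initiators"].add(ev["src"])
        baseline["src_service"].add((ev["src"], service))
        baseline["src_dst"].add((ev["src"], ev["dst"]))
        baseline["services_by_dst"][ev["dst"]].add(service)
    return baseline


def find_anomalies(baseline, log_text):
    """Environment-specific rules: report deviations from the learned baseline,
    in order of severity. Returns (timestamp, source, reason) tuples."""
    findings = []
    for ev in parse(log_text):
        service = (ev["proto"], ev["dport"])
        if ev["src"] not in baseline["initiators"]:
            findings.append((ev["ts"], ev["src"],
                             f"host never initiated connections in baseline; now -> {ev['dst']} {ev['proto']}/{ev['dport']}"))
        elif (ev["src"], service) not in baseline["src_service"]:
            findings.append((ev["ts"], ev["src"],
                             f"new service {ev['proto']}/{ev['dport']} to {ev['dst']}"))
        elif (ev["src"], ev["dst"]) not in baseline["src_dst"]:
            findings.append((ev["ts"], ev["src"],
                             f"known service {ev['proto']}/{ev['dport']} but new destination {ev['dst']}"))
    return findings


if __name__ == "__main__":
    learned = learn_baseline(BASELINE_LOG)
    for ts, src, reason in find_anomalies(learned, NEW_LOG):
        print(f"{ts} {src}: {reason}")
```

None of these rules name a "bad thing"; they only name what this network normally does. That is why a rule like "the file server never initiates connections" catches activity a generic signature would miss, and why the baseline has to be re-learned whenever the environment legitimately changes.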

Testing – If you are not modeling real-world threats, then you don’t have a good read on your security. I once had a company jokingly say to me “I am not going to pay you to tell me I need awareness training.” Another one said “I don’t need testing on that network because it is air gapped.” I have even had a financial institution tell me “We don’t have security problems.” Well, long story short, the first did in fact need awareness training, browser patches and a few other things; the second was not in fact air gapped; and the third did have security problems. They all learned the hard way. Testing is the easy way, so let’s start raising the scope, rules, and time constraints. Let’s raise the bar a little. It is a lot less painful to have a pen tester deliver the news than to be on the evening news.

Patch Management – I cannot remember the last time I was on a network where all of the software was provided by a single vendor. Yet I often see networks where only the systems supported by one vendor ever see patches in a timely manner. The other systems are often ignored, sometimes for years. Patch management applies to all systems.

Well, that is it for now: monitor, test, patch, and do it well.