
Page 1: INFORMATION SECURITY - Bitpipedocs.media.bitpipe.com/io_10x/io_107924/item_625763/ISM_feb2013... · S GARY MCGRAW MENTIONED in his [In]-Security column this month, ... protect software

FEBRUARY 2013 • VOLUME 15 • NO. 1

INFORMATION SECURITY

PLUS: SURVEYING TODAY’S SECURITY RISKS • BRING YOUR OWN DANGER

The China Syndrome: Security factors to consider before buying Chinese IT

INFORMATION SECURITY • FEBRUARY 2013

EDITOR’S DESK

The Security Fun-ometer
You heard it here first: Application security may finally be catching on.
BY ROBERT RICHARDSON

AS GARY MCGRAW MENTIONED in his [In]-Security column this month, every enterprise depends on software. On the one hand, this is merely stating the obvious. Software carries out the processes, enforcing the rules that reflect the business purpose. Each company tries its best to select or develop software that best enables it to carry out its organizational mission. On the other hand, the primary role of software raises the question of why so little attention is paid to software security. Historically, security has tried to protect software from itself: building a firewall perimeter around it, watching for telltale symptoms in the network packet stream that might indicate an application attack, and locking down privileges so only authorized people can direct requests to the software in the first place.

McGraw argued that we should take the time to consider whether our software is unacceptably buggy from a security point of view. We should take a crack at it using the “badness-ometer.”

That seems reasonable, but only a portion of the security community seems to be considering this approach. We recently fielded a large-scale survey of our Information Security magazine readers to gauge their security priorities for this year. Among other things, we learned: Forty-eight percent of respondents said their organizations have no plans to evaluate the source code of the software they use.

There does, however, seem to be some traction behind the use of firewalls that are specifically aware of which traffic is headed to which application.


Roughly half of the respondents reported at least some use of these next-gen firewalls. There’s plenty more to be learned about what your security peers are up to in our coverage of the survey.

We asked more questions than we could fit into our feature coverage of the survey. A couple of facts that I found interesting—even though they didn’t make the feature: Network vulnerability scanning and patch management are used twice as often as pen testing. Among our North American respondents, 61% said they use network scanning, 63% use patch management tools, and only 29% said they use pen testing.

We didn’t ask about it in the survey (there’s always next year!), but it doesn’t appear that most organizations are paying much attention to security risks in hardware either—have a look at Joel Snyder’s China Syndrome story for a thought-provoking consideration of the role China plays in the global IT supply chain.

And the hardware isn’t always selected by the IT department anymore. As Lisa Phifer’s feature noted, the adoption of bring your own device has reached upward of 40%. Clearly our world is increasingly filled with devices assembled in other, possibly hostile, countries, selected by our users based on features and favorite colors, added by way of insecure wireless networks to our infrastructures, running software that has—in most instances—not been properly vetted to ensure it’s even minimally hardened. One could look at the situation and feel a little overwhelmed, but I prefer to draw the obvious conclusion: Security remains fun.

ROBERT RICHARDSON is director of TechTarget’s Security Media Group and Information Security magazine. Send comments on this column to [email protected].


EDUCATION

University Information Assurance Programs Lack Consistency
Information assurance programs are varied, but they are beginning to provide technology disciplines a level of security knowledge.
BY DOUG JACOBSON AND JULIE A. RURSCH

RECOGNIZING THAT INDIVIDUALS proficient in computer security are in high demand, colleges and universities have begun producing students with degrees in information assurance. When compared with other disciplines that have been in existence for 150 or more years at the institution, information assurance training programs are seen as the “new kids” on the academic block. The first schools to teach security courses began doing so in the 1990s, and they started offering degree programs in 2000. At approximately the same time, 1999, the government, specifically the National Security Agency, created the Centers of Academic Excellence (CAE) program as a way to entice a larger number of universities to produce security professionals. In 2000, seven schools met the government’s criteria and were designated as charter CAE schools; Iowa State University was one of the original seven. Since that time the number of CAE schools has grown to more than 150, ranging from two-year colleges to research-focused institutions.

Due to the diversity of topics and specialties in security, as well as the now large number of institutions producing graduates, students in information assurance (IA) come from a wide and varied background. They may earn their IA degrees at two-year or four-year institutions and may have backgrounds in departments of computer science, computer engineering, business, math and/or political science, depending upon the program. Because of the wide variety of disciplines that claim IA as their own and produce graduates, businesses and industries that are in the market to hire security professionals need to have a clear understanding of what they want that employee’s role to be and what type of graduate holds those skills.

There is not a common curriculum that all IA students take. Further, because we are not consistent in what we teach, an IA graduate is not equal across all levels of four-year schools, nor between two-year and four-year schools. IA graduates who come from business backgrounds may be well-versed in IA policies and procedures, while those with backgrounds in engineering may approach IA from a technical design perspective. Likewise, those who have completed an MS or Ph.D. could approach IA in a very theoretical and/or algorithmic manner, while those with an A.S. or A.A.S. provide a very applied and architectural perspective. As an attempt to help business and industry clarify their thinking about hiring security professionals, we offer the following classification of levels of IA professionals.

1. IT security technicians: These IA graduates are produced by community colleges and four-year institutions that focus on the application of technology to provide security needs at the everyday level. They are the folks who work in the trenches of IT support and implement policies and procedures that others have created.

2. IT security professionals: These IA graduates are produced by four-year and research schools. They have foundational skills in areas such as computer science or computer engineering coupled with IA training. These graduates are able to technically work on computer and network systems, as well as understand and develop the theoretical and/or policy level of security.

3. Security professionals: While IT security professionals can be included in this group, it is a much larger grouping that includes IA graduates produced by four-year and research schools with broader, and less technical, backgrounds. IA students with a political science or business background are equipped to write or enforce security policies, such as auditors who are responsible for overseeing that security practices are undertaken in corporations. These individuals would be hard pressed to develop the technical plans or implement them, but are able to see how security needs to be addressed at a corporate level.

4. Security researchers/engineers: These students are produced by research schools and have often earned an advanced degree (i.e., M.S. or Ph.D.). These IA graduates are developing the newest technologies for future product development. For example, they are the design engineers integrating the security technologies into products, or the mathematicians developing the newest cryptographic algorithm. These students also are hired to perform basic security research, or to enter an academic career.

Businesses and industries need to be aware of the capabilities of the students at the colleges and universities they recruit from. By knowing the focus of the IA program at a specific institution, companies can ensure they will be getting the type of security professional they need. In addition to knowing the focus of the information assurance training program and the type of students being produced, companies would be well-served to know the department’s approach to information assurance training.

Colleges and universities are in the business of preparing students for lifelong learning and not just providing technical training; therefore, there is some debate about what the discipline of IA is and how it fits into academia. Because the discipline of IA is a mere two decades old and focuses on tangible problems, some classical computing departments consider IA to be applied and not a real science. It becomes a second-class degree and the faculty specializing in IA are considered second-class citizens. Departments are reluctant to hire faculty to specifically teach in IA, especially at the research institutions. They only hire researchers who conduct more theoretical security research. This makes it difficult for many research-focused universities to handle the demands from students or employers and leads to the production of security researchers/engineers. This leaves a gap in the production of security professionals (groups 2 and 3).

It is clear that colleges and universities are working hard to meet the needs of companies. However, we as educators need to better articulate what we are producing, and universities need to recognize the importance of providing graduates that meet the needs of all industries, including those individuals that research institutions view as “too applied.”

DOUG JACOBSON is a professor in the department of electrical and computer engineering at Iowa State University and director of the Information Assurance Center, which was one of the original seven NSA-certified centers of academic excellence in information assurance education.

JULIE A. RURSCH is a lecturer in the department of electrical and computer engineering at Iowa State University and director of the Iowa State University Information Systems Security Laboratory, which provides security training, testing and outreach to support business and industry. Send comments on this column to [email protected].

SCAN: SECURITY COMMENTARY, ANALYSIS AND NEWS

Going on the Offense
Being proactive doesn’t mean you have to pull the trigger.
BY ROBERT WESTERVELT

THE DISCUSSION ABOUT the viability of enterprises going on the offense against cybercriminal gangs is reaching a fever pitch, with most experts questioning the legality of striking back at attackers. But security experts point out that there are some “offensive-like” tactics that have the ability to drive up the cost of hacking into a corporate network, and if deployed properly, the techniques could have a major impact on the threat landscape.

“There are interesting questions about how far one can go and what types of attackers striking back will actually be effective against,” said Hugh Thompson, chief security strategist at Sunnyvale, Calif.-based Blue Coat Systems Inc. “It doesn’t necessarily have to go from zero to launching a full out assault against cybercrime infrastructure. It could be much more subtle things like feeding people misinformation.”

The issue of going on the offensive has been raised by a number of firms, including Seattle-based security firm Crowdstrike, whose co-founder and CTO Dmitri Alperovitch insisted that it is not out of the question to take some action to disrupt, degrade or take down an adversary’s infrastructure. “We want to get the adversary to think that if they launch an attack against a victim, there will be costs to pay,” Alperovitch said during a conference call with reporters late last year. Those opposed to going on the offense raise the issue of attribution as a major factor why offensive security won’t work. They say it’s too difficult to pinpoint the location and source of many cyberattacks.

Software security expert Gary McGraw explained that the U.S. should build proactive defense capabilities rather than pour billions into cyberweapons. McGraw likens the use of offensive cyberweapons to “unleashing the cyber-rocks from inside of our glass houses since everyone can or will have cyber-rocks.”

“Even in the case of verifiable attribution and controlled proliferation, it is not clear how a purely cyber preemptive or retaliatory strike would incapacitate the target’s offensive cybercapabilities,” McGraw said in a column on the issue.

There are other offensive security tactics that sidestep the issue of attribution altogether. Deceptive tactics can be deployed by the most targeted companies, such as those in the financial or defense sectors, experts said. Creating multiple environments, phony documents and other fake systems could help trip up an attacker, said Paul Kurtz, managing director at Baltimore-based CyberPoint International. Kurtz said it helps drive up the cost of hacking and could help eliminate some cybercriminal operations.

“There are lots of interesting people out there with interesting experience, who can think like the bad guys,” Kurtz said. “So it’s about thinking of what is going to throw the bad guys off.”

Offensive security tactics have one major drawback: Building and maintaining phony environments is costly, Kurtz said. Private sector firms also want to refrain from specifically targeting hacking groups since it raises ethical questions and questions about the legality of the practice, he said.

“I’m not advocating punching back, but there are a lot of large enterprises that are tired of taking it on the chin,” Kurtz said.

The interest in conducting offensive cybertactics is coming from enterprises in the financial sector, government contractors and government agencies, said Tom Kellermann, vice president of cybersecurity at Cupertino, Calif.-based Trend Micro Inc. Kellermann is an advocate of custom sandboxing, because he says it can help organizations study how a threat manifested in the environment, how it moved laterally and what it did for command and control. You can attribute an attack to a specific actor with 95% accuracy, Kellermann said.

“The thing to understand is that this doesn’t solve your problem,” Kellermann said. “It tells you how you were hunted, who is hunting you, and where they might live.”

ROBERT WESTERVELT is news director of SearchSecurity.com. Send comments on this article to [email protected]

SOFTWARE [IN]SECURITY

Can a Badness-ometer Address Third-Party Software?
No ultimate test can ensure security, but vendor measurement is possible.
BY GARY MCGRAW

SOFTWARE IS NOT created equal, especially when it comes to security. I’ve done my fair share of talking in this column about how to create and measure a software security initiative to make sure the software you build yourself is secure, and I’ve even talked about how to get started with a brand new software security initiative. How can you tell whether the software you buy or outsource to others to build is secure enough? Do you trust your vendors? Do all vendors do the same thing when it comes to software security? (Hint: the answers are “good question,” “why?” and “no.”)

EVERY ENTERPRISE DEPENDS ON SOFTWARE

Every modern enterprise uses lots of software. Some enterprise software is homegrown, but a vast majority of enterprise software is third-party software built and maintained by outside vendors. Third-party software itself comes in several flavors: it can be custom built to specification, it can be commercial off-the-shelf software (COTS), and it can live in the cloud as part of a Software as a Service (SaaS) model.

Many large firms are working hard on vendor control and supply chain security issues. This is especially apparent when it comes to software vendors providing goods to financial services organizations. A typical multi-national bank has thousands of vendors, several hundred of which directly impact software security posture.


Big firms are busy exploring two basic options for software security and vendor control. The first involves directly assessing the security of a particular piece of software. The second involves measuring the software security capabilities of a vendor. Both approaches are valuable.

THIRD-PARTY SOFTWARE SECURITY ASSURANCE: MEASURING SOFTWARE DIRECTLY

A badness-ometer approach to software measurement works on the same theory as penetration testing—try breaking something and see how far you get. The idea is to carry out a series of straightforward black box tests against a given application. If the canned tests break the software, you know it’s truly bad and should not be trusted. (On the flipside of the coin, if the canned tests don’t break the software, well, you have a very small amount of evidence that the software is secure.)

The good news about badness-ometers is they are straightforward and cheap to apply, especially when it comes to measuring third-party code. Just aim the tests at the application in question and away you go. If the application fails the tests, then let the vendor know the application they built is not good enough to use. Firms like Veracode and my firm Cigital will even carry out these kinds of tests for you. Largely, the direct measurement approach is cheap enough that you can apply it to your entire portfolio.

There are two main drawbacks to direct measurement. The first is that software is always changing, and direct measurement is limited to a somewhat cursory point-in-time look. Think about how often the software you rely on automatically updates itself, and multiply that number by the number of distinct platforms, geographic locations, software environments, and so on. Should you really have to constantly test all of your vendor’s code?

The second main drawback to direct measurement is that badness-ometers are not security meters, no matter how much we would like them to be. There is no ultimate set of tests that can ensure security, so don’t let anybody tell you there is (especially a software vendor). Direct measurement is useful and economically feasible, but it’s no panacea.


MEASURING CAPABILITY WITH BSIMM AND VBSIMM

Microsoft has spent a ton of time and treasure both creating and marketing software security and the secure development lifecycle (SDL). If you are a big firm, you most likely rely on Microsoft software in some capacity. In a way, the existence of the SDL provides some peace of mind that Microsoft is paying attention to security and attempting to build software you can rely on. But what about your other vendors?

Enter the BSIMM (building security in maturity model), an ever-expanding study of 51 firms’ software security initiatives. All 51 firms participating in BSIMM4 have a software security initiative underway and an SDL equivalent (though they are not all at the same level of maturity). The BSIMM measurement is a way of describing, comparing and contrasting these SDLs. And the BSIMM Community as a collective is very serious about software security.

At the most basic level, participation in the BSIMM may be enough to winnow the grain from the chaff among your software vendors. Sadly, some vendors may not even be able to spell the word security, or may wonder exactly what in the heck you are talking about when you query them about it. Those would be the vendors to worry about. The vendors with an active software security initiative? They’re probably not going to be your biggest risk.

Of course, BSIMM participation is intense. It involves direct in-person measurement of 111 software security activities, deep dives into particulars, and an objective scoring system. As such, participation in the BSIMM may be too high a bar for vendor control.

That’s why we created the vBSIMM with the help of JP Morgan Chase. If you think of the BSIMM as a measuring stick, you can think of the vBSIMM as a ruler. When it comes to setting the right height on the vendor software security bar, the vBSIMM—which measures only 15 software security activities (instead of 111) and relies on attestation—provides a much lighter weight alternative to the BSIMM.

The vBSIMM scheme is far from perfect and it does nothing to guarantee that any particular vendor product is actually secure enough for all uses. But the vBSIMM scheme is far superior to no vendor control at all. It’s particularly useful when a vendor produces multiple applications for you.

There are drawbacks to an approach like the BSIMM/vBSIMM, since the metrics involve an indirect, process-oriented measurement of software security capability. The real questions are, “How well does the software security initiative in question actually work? Are the activities carried out by your vendor effective? Does the vendor really create secure code consistently?”

In the end, an approach that combines both indirect measurement of capability with direct measurement of applications is probably the way to go. At any rate, software security is just as important when it comes to your software vendors as it is when it comes to your own developers.

GARY MCGRAW, Ph.D., is CTO of software security consulting firm Cigital. He is a globally recognized authority on software security and the author of eight best-selling books on this topic. Send comments on his column to [email protected].

CHINA SYNDROME

SECURITY FACTORS TO CONSIDER BEFORE BUYING CHINESE IT
A government report denounces Chinese IT telecom giants Huawei and ZTE, but should the security risks prompt action?
By Joel Snyder

GLOBALIZATION HAS REDUCED competitive barriers between both multinational corporations and nation states. For an IT professional struggling to decipher a routing protocol error code or configure a firewall, the international nature of technology is a boon: Be it in Boston, Brussels, Bogota, Brazzaville or Baku, someone somewhere has the product, service or information that an IT organization may need to run more smoothly or securely. However, the increasingly flat world isn’t to everyone’s taste.

Globalization has also created a collision of diverse interests in the world of technology, emphasizing Layers 8, 9 and 10 of the ISO network model: the political, religious and economic layers. In the information security realm, those interests collided dramatically in 2006, when Israeli security vendor Check Point Software Technologies Ltd. attempted to buy U.S.-based vendor Sourcefire Inc. for $225 million, but the deal was scuttled by the Committee on Foreign Investment in the United States (CFIUS), a little-known U.S. government committee. CFIUS, in turn, was reacting to political backlash from its earlier approval of a sale of 22 U.S. port operations from a British company to a UAE company, a decision congressmen from both sides of the aisle denounced.

Just last year, an even more dramatic confrontation led to the two largest Chinese telecommunications equipment manufacturers, Huawei Technologies Co. Ltd. and ZTE Corp., being demonized by the U.S. House of Representatives Permanent Select Committee on Intelligence for providing “incomplete, contradictory and evasive responses to the Committee’s core concerns” during its year-long investigation into the threat they pose to U.S. interests. Although the Committee found no concrete evidence of wrongdoing, it called the two companies a threat to U.S. national security and suggested they be effectively kicked out of the U.S. telecommunications market and investigated for unfair trade practices.

While network managers in government agencies may have no choice but to cross Huawei and ZTE off their purchasing lists in response to the House’s concerns, both vendors are highly motivated to make inroads in the U.S. IT market and have shown a willingness to price their products aggressively. For that reason alone, private sector IT staff have an opportunity, if not an obligation, to take a reasoned approach, weighing the risks and mitigations involved, when deciding whether to buy Chinese IT.

WHAT ARE THE RISKS OF BUYING CHINESE IT?

There are four commonly mentioned threats associated with buying goods from Chinese companies such as Huawei, ranging from the imagined and unlikely to clear and serious business risks.

1. The Magic Kill Packet: Straight out of a Hollywood summer blockbuster, the Magic Kill Packet threat is that someone, somewhere, can cause network equipment to shut down by sending some special combination of ones and zeros. This magic kill packet would be sent during a real-world cyberwar involving China and, one supposes, everyone who bought Huawei equipment. (Huawei’s domestic sales represent about one-third of its total revenues.) While the idea of a Magic Kill Packet (and similar ticking time bomb threats) doesn’t hold up to any serious analysis, it makes for good chatter in the blogosphere. Security and network managers who have to calm anxious senior managers can point out that the control plane for enterprise routers is always separate and firewalled from the data plane, so to inflict the Magic Kill Packet, an attacker would already have to have cracked into the network. And such a packet at the data plane would also be nearly impossible to inject, given the heavy use of access control lists, firewalls and NAT in enterprises. Even then, there’s no way a Magic Kill Packet could shut down an entire network because each individual device would have to be carefully targeted with a specifically engineered strategy to deliver the payload.

2. Intentionally bad software: This threat suggests that Chinese-manufactured devices have hidden back doors that would allow an attacker to gain special access. One example is a master password that allows an attacker to log into the device as an administrator at any time. For example, in 2003, Dave Tarbatt discovered that most manageable UPS backup devices made by American Power Conversion Corp. (APC) could be accessed with a secret factory default password, intentionally placed there by APC. Of course, the “A” in “APC” stands for “American,” so this isn’t just a Chinese issue.

A more complicated version of the Intentionally Bad Software threat applicable to a Chinese vendor might include a hidden intentional bug that would allow an attacker access through some other path. For example, the SSH server in the device might be susceptible to a particular buffer-overflow attack. An intrusion exploiting this would seem like a typical zero-day attack. Of course, intentional bugs and master passwords would, like the Magic Kill Packet, only work for a short period of time and for a few devices once the intrusion was detected.

Intentionally bad software in telecommunications hardware could also expose encrypted data in virtual private networks (VPNs). If the random number generator used in an IPSec or SSL VPN device is not truly random, then an outsider who knows about the lack of randomness may be able to decipher data secured with even the most advanced encryption protocols, with no evidence of any tampering left behind. If an attacker can passively tap encrypted traffic, information disclosure could go on for years without anyone finding out.

These forms of intentionally bad software—factory default passwords, known bugs that would allow access and defective random number generators—seem like plausible outcomes if one assumes Chinese manufacturers are operating under direct instructions of the Chinese government or military.

Like the Magic Kill Packet, these threats don’t make a lot of sense. Since Chinese manufacturers also dominate the Chinese marketplace, any dangling backdoor intentionally left in network equipment would also be accessible to someone wanting to monitor Chinese communications. Chinese manufacturers, or their shadowy military puppet masters, couldn’t risk installing a secret backdoor unless they were sure only they could take advantage of it. And as groups like Anonymous and Wikileaks have shown us, even the best-kept secrets can quickly be revealed.

3. Unintentionally bad software: If intentional backdoors are unlikely, then what about plain old bugs? What about the possibility that critical infrastructure devices and servers have software or hardware errors in them that could possibly compromise the security of a network? Would that be a reason to knock a vendor off one’s preferred suppliers list?

Of course, this question can only be asked in jest, because every single software, hardware and chip vendor has released products with bugs. Everyone knows it, and these bugs have created an entire industry. Most of the IT security world, including anti-malware, vulnerability analysis, patch management and intrusion prevention software, sprung up to compensate for the effects of lousy software, buggy hardware and poor configurations. If we all stopped buying from every vendor that has had security flaws in its products, we’d have a hard time moving beyond pencil and paper.

In the “intentionally bad software” category, we put “poor random number generators for VPNs.” But poor random number generators happen accidentally all the time, sometimes with spectacular results. For example, early versions of the Netscape browser used only a 16-bit random number generator for SSL communications, making a brute-force attack on encrypted data simple even using the slowest computers. MIT’s Kerberos key management system, now at the core of the Windows security architecture, had a random number generator with a key space limited to about 20 bits (about 1 million keys, easy to brute force), for nearly 10 years.
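The brute-force point made above, as an added example that is not the article’s own code: a 128-bit key whose only randomness is a 16-bit seed (the Netscape case) is recovered by enumerating the seed space, which is the check a defender would run to measure a key’s effective entropy. The PRNG stand-in, the hash-based stream cipher, the header and the message are all constructed for the illustration; the 20-bit Kerberos case is the same loop run 16 times longer.

```python
"""Why a weak RNG defeats a strong cipher: the nominal key length is 128 bits,
but the key is a function of a 16- or 20-bit seed, so that is the real key space.
The PRNG and the stream cipher below are constructed stand-ins, not SSL/IPsec."""
import hashlib
import secrets
from typing import Optional

KEY_BYTES = 16  # 128-bit key, as a modern cipher would expect


def weak_key(seed: int, seed_bits: int) -> bytes:
    """Constructed stand-in for a PRNG seeded from too few bits.

    The 128-bit key is a deterministic function of a seed_bits-wide value,
    so the effective key space is 2**seed_bits, not 2**128.
    """
    if not 0 <= seed < (1 << seed_bits):
        raise ValueError("seed outside the seed space")
    digest = hashlib.sha256(b"weak-prng|" + seed.to_bytes(4, "big")).digest()
    return digest[:KEY_BYTES]


def strong_key() -> bytes:
    """128 bits straight from the OS CSPRNG: there is no small seed to enumerate."""
    return secrets.token_bytes(KEY_BYTES)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Constructed stream cipher: XOR data with SHA-256(key || counter) blocks.

    Symmetric, so one call both encrypts and decrypts. The weakness shown
    below lies entirely in how the key was generated, not in this function.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def recover_seed(ciphertext: bytes, known_prefix: bytes,
                 seed_bits: int) -> Optional[int]:
    """Exhaustive search of the seed space using a known plaintext prefix.

    This is the measurement a defender makes of a key's effective entropy:
    if this loop finishes in seconds, the cipher's nominal key length is moot.
    Protocol headers are predictable, so a known prefix is a realistic assumption.
    """
    prefix_ct = ciphertext[: len(known_prefix)]
    for seed in range(1 << seed_bits):
        candidate = weak_key(seed, seed_bits)
        if keystream_xor(candidate, prefix_ct) == known_prefix:
            return seed
    return None  # not found: the key did not come from this seed space


if __name__ == "__main__":
    import time

    header = b"CONSTRUCTED-HDR!"                    # constructed 16-byte known prefix
    message = header + b" account balance: 1234.56"  # constructed sample record
    secret_seed = 0xBEEF                             # 16-bit seed, the Netscape case

    ct = keystream_xor(weak_key(secret_seed, 16), message)
    t0 = time.perf_counter()
    found = recover_seed(ct, header, 16)
    elapsed = time.perf_counter() - t0
    print(f"16-bit seed space: recovered seed {found:#06x} in {elapsed:.2f}s")
    print("recovered plaintext:", keystream_xor(weak_key(found, 16), ct))
    # With strong_key() there is no seed space to walk: 2**128 candidates.
```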

But it isn’t fair to put, for example, Huawei in the same category as Cisco and Juniper when it comes to security awareness. Huawei claims to be a willing participant in the world of information security. On its website, Huawei said that it “… is willing to work with all governments, customers and partners through various channels to jointly cope with cyber-security threats and challenges from cyber-security.”

However, while Huawei is talking the talk, it isn’t exactly walking the walk. A combination of factors, including significant cultural and language issues, has kept Huawei from following the path of other vendors. We have come to expect responsible disclosure of security problems, prompt product updates for known issues, active participation in industry security forums, and easy access to security-patched software images from our network and security product vendors. Huawei security isn’t up to snuff in any of these areas.

Who’s Really Chinese?

IT’S WORTHWHILE TO CONSIDER what it means to “buy Chinese.” Obviously, companies like Huawei, which have tight ties to the Chinese government and operate by Chinese business and intellectual property rules, represent a point at one end of the spectrum.

But the Chinese are major players in the supply chain of virtually every telecommunications product produced today, providing manufacturing and assembly facilities to vendors around the world. No piece of network equipment is manufactured without Chinese-sourced components, and a great deal of final assembly for major vendors, such as Cisco Systems Inc., Juniper Networks Inc., Hewlett-Packard Co., Apple and Dell, depends heavily on facilities in China.

In other words, every piece of networking and server equipment you buy is at least partially Chinese already.

—JOEL SNYDER

But this is an issue with a single vendor and completely transcends national boundaries. Yes, Huawei may be a poor bet for buggy software, but that’s not because it’s Chinese; it’s because Huawei behaves more like a bargain-basement, release-and-forget hardware vendor in the routing and switching space than a high-end, security-focused networking company like Cisco, Juniper or HP.

In other words, the standard for choosing a network product vendor isn’t necessarily the pattern on the flag above the company headquarters, but the way that the vendor participates in the worldwide information security community. Vendors who pay more than lip service to maintaining the security of their products are better equipped to serve the needs of enterprise users. Network and security managers considering the purchase of critical infrastructure must pay attention to these issues, no matter what the origin of the equipment.

4. Business issues: Not every threat to network security has its origins in bad or malicious software and hardware. An important, non-technical issue when considering suppliers from China is the differing cultural frameworks for both competition and intellectual property. The Chinese government and political infrastructure requires that any successful company be intertwined with the Communist Party, which itself is integrated into the government and military infrastructure of the country. This is normal in China. As long as buyers are aware of this as a standard part of doing business with Chinese manufacturers, and act accordingly, there is no particular reason to worry about one Chinese supplier over another. Huawei’s ties to the government and military are not a quiet conspiracy—this is just how big business happens in China.

However, the commingling of interests between Chinese companies and the Chinese government means that Chinese companies owe their first loyalty to China, and not necessarily to their customers. The implication of this loyalty structure is that network equipment buyers must be sure to engage in secure practices when working with all of their vendors. Many IT employees have come to regard equipment suppliers as trusted partners, offering broad access to help in troubleshooting and sharing sensitive information about network configurations and growth plans. Network and security managers dealing with Chinese companies should consider the different attitudes and loyalties of these companies, and maintain a healthy distance when it comes to sensitive information and access controls.

There are a number of concerns worth mentioning that aren’t specific to information security. One is company stability. Is there any way to really know if Huawei and ZTE will be around next year, supporting the products they’re selling now? A related concern is a relative lack of transparency compared to most U.S. and European companies. When reports on company financials or even company ownership are unaudited or, in some cases, completely unavailable, cautious buyers may have little to validate their choices. Even when information is available, it may not be easy to compare Chinese companies with their competitors. Huawei and ZTE, as two of the largest telecommunications vendors in the world with tens of billions of dollars in sales, seem to be strong companies, but it is impossible for a typical network manager—or U.S. congressional committee—to say for sure.

HUAWEI SECURITY: IS THERE A RISK FROM BUYING CHINESE?

Much of the rhetoric surrounding Chinese companies such as Huawei is short on facts and long on xenophobia, motivated more by political and financial concerns than any substantiated threat. Network and security managers considering buying from Chinese companies should perform the same due diligence as with any vendor, considering product quality, support and their long-term viability prospects before committing to a significant purchasing decision. While Chinese companies do operate under a different set of business rules than their North American and European competitors, these differences simply serve as an important reminder to protect sensitive information and maintain an appropriate arms-length relationship, as with any service or equipment provider, regardless of which nation that vendor calls home.

JOEL SNYDER is a senior partner with consulting firm Opus One in Tucson, Ariz. He has worked in IT for more than 25 years.

SURVEYING TODAY’S SECURITY RISKS

Mobile security dominates the worry list, the ground shifts beneath traditional antivirus, and cloud security products still don’t quite have legs.

By Robert Richardson

FOR THE PAST SEVERAL YEARS, security has remained a game of perimeters and scanning, despite frequent protestations that the perimeter is dead and static virus scanning won’t catch today’s customized and polymorphic malware. The shift away from old-school defenses is now more visibly underway, according to our latest IT security trends survey of your priorities, worries and plans for 2013’s security initiatives.

This survey, concluded at the end of last year, included responses from 1,882 participants and showed more skepticism than ever about static signature scanning, concerns about mobile and cloud technologies, and openness to newer security technologies. Fully two-thirds of U.S.-based respondents working for organizations with more than 1,000 employees said they were “evaluating new threat detection technologies such as sandboxing, whitelisting and others.” And the good news is, many of them will have more money in their budgets this year to fund implementation of these technologies.

As an aside, many security practitioners may be pursuing these newer technologies at new jobs. A separate IT Salary study conducted by TechTarget across all of its technology properties included approximately 200 practitioners who indicated IT security, compliance, risk management or disaster recovery as their primary role within the organization. Of those indicating a security or compliance role, only 25% were satisfied with their current job. And only 22% planned to stay in their current role over the next three to five years.

The respondents in both surveys, we should note, are well-seasoned. We’re focused on the Security Purchasing Intentions 2013 survey in this report: Globally, 36% of respondents had more than 10 years’ experience. Within the U.S. and at larger organizations, security practitioners with more than 10 years of experience account for 47% of respondents.

Inside you’ll find: Budget projections; Is it still a hands-on job?; Mobile issues lead respondent concerns; App-aware firewall penetration; Cloud security meets resistance; Quick cuts of other key concerns.


TAKEAWAY: Globally, 49% of respondents said security budgets were projected to be up in 2013.

GEOCACHE: 19% of all APAC respondents say their budgets are up 10+ percent.

Nearly One in Five U.S. Enterprises to See Budget Increases of More Than 10%

The good news globally is that this year’s budget, at a minimum, won’t be smaller. It may be flat—roughly 40% of U.S. enterprise respondents reported that no changes were expected year-over-year in their budgets—but only 7% of enterprises and 9% of smaller businesses expected a decrease in this year’s budget.

Worth noting is that the Asia-Pacific (APAC) region had a decided bias toward budget increases, with only 16% of respondents reporting flat projections and 63% reporting budget growth. If one further narrows the results down to focus exclusively on India, fully 72% of respondents reported their budgets would grow for 2013.

We should take a moment to say who the survey respondents were: a total of 1,882 security professionals who were not employed by or affiliated with IT or security vendors took the survey worldwide. Common job titles for survey respondents included information security officers, directors of information security, security staff, risk analysts, and the like. Thirty-six percent of them had more than 10 years of IT security experience. They were widely spread across various industries, with financial services being the most heavily represented at 15%.

SECURITY BUDGET FOR 2013:

[Chart: share of respondents reporting each budget change for 2013 (Increase more than 10%; Increase 5-10%; Increase 0-5%; Stay the same; Decrease 0-5%; Decrease 5-10%; Decrease more than 10%). North America, organizations with 1,000+ employees.]

Source: N=473 North American Security Professionals; 1,000+ employees, “Security Purchasing Intention 2013 survey,” TechTarget Inc. November 2012.


TAKEAWAY: Approximately one in five respondents said they aren’t necessarily going to remain committed to antivirus over the next five years.

GEOCACHE: 46% of Americans said defending against nation-state attacks like Stuxnet is a priority. Only 24% of Europeans held the same view.

The Job May Be Shifting, But So Is the Technology Mix

We have sometimes wondered whether security is more about abstract concerns like “controls” or more about hands-on configuration and packet sniffing—whether adding firewall rules, running reports against access logs, or checking alerts from the intrusion detection system. Two questions we asked gave us the sense that there’s a shift, but not such a large shift that it’s somehow no longer a technical job. Smaller organizations report a slight majority, saying there’s no shift away from technical issues; larger organizations are more or less split on the question. Configuration and technology still play a role for three quarters of survey takers, however, regardless of the size of the organization where they work.

The kinds of technologies they’re likely to grab hold of come configuration time, however, seem to be shifting markedly. Confidence in static scans for known signatures seems, by now, to be heavily eroded, with only half of respondents believing such technologies are effective. Perhaps even more indicative of change in the wind, a fifth to a quarter of respondents, when asked to look five years ahead, said they don’t see traditional antivirus in the picture.

SHIFT AWAY FROM TECHNICAL FOCUS?

                                      Employees:   <100   100-1,000   1,000+
My role has shifted over the past two years from a technical implementation focus to a heavier focus on policies, regulations and legal issues
    TRUE                                            40%      38%        48%
    FALSE                                           60%      62%        52%
Security professionals in my organization are no longer responsible for the day-to-day management, configuration, and operation of security technologies
    TRUE                                            23%      15%        23%
    FALSE                                           77%      85%        77%

Source: N=473 North American Security Professionals; “Security Purchasing Intention 2013 survey,” TechTarget Inc. November 2012.


TAKEAWAY: The top security concern worldwide across all sizes of business is compliance, followed by viruses and malware. Top technology issue, however, is mobile security.

GEOCACHE: Top mobile initiative in all global regions is antivirus.

Mobile’s a Top Concern, MDM Is of Interest

When asked what the top priority was for next year, enterprise security respondents worldwide saw compliance as the clear winner, while those at organizations with fewer than 1,000 employees ranked viruses and malware as their top concern. In terms of specific, game-changing technologies, though, mobile was a top priority globally, except in Asia-Pacific, where it ranked well behind cloud security as a concern.

Survey participants reported that they had significant influence in mobile initiatives within their organizations: only 23% of those in the U.S. said they had no role in mobile rollout (it was 20% elsewhere).

Top priorities for mobile security this year (in priority order): antivirus (we don’t get it either), authentication and encryption.

In terms of broader control over mobile devices (including but not limited to security concerns), there’s definitely traction for mobile device management (MDM), particularly in larger organizations. Half of U.S. organizations with more than 1,000 employees are evaluating MDM this year; roughly one quarter of the respondents are using MDM already.

ARE YOU CURRENTLY USING, PLANNING TO USE, OR EVALUATING MOBILE DEVICE MANAGEMENT TECHNOLOGY?

[Chart: share of respondents in each category (Implementing MDM this year; Evaluating MDM; No plan to use MDM; Using MDM now), broken out by employee count (<100; 100-1,000; 1,000+).]

Source: N=473 North American Security Professionals; “Security Purchasing Intention 2013 survey,” TechTarget Inc. November 2012.


TAKEAWAY: Integration was the primary issue respondents cited as an impediment to deploying next-gen firewalls.

GEOCACHE: 20% of respondents globally are “inclined” to use cloud-based firewall administration services.

Application-Aware Firewalls Split Between Basic Port Filtering and Granular App Controls

There’s probably more than one way to think about the “next-gen” firewall, but what we asked about in particular in our survey was the “app-aware” firewall, a firewall that looks at traffic with an awareness of which applications are involved in which sessions. Because of their greater complexity and the higher demands they make on processing power, these firewalls can be tricky to deploy with success, but 43% of respondents globally report that they use them.

It’s worth noting, however, that of that 43%, 21% said they are using these firewalls only for basic port filtering. One could argue this is basically missing the point of the exercise. Twenty-two percent reported they are using app-aware firewalls in lieu of using a stateful firewall; the rest of those using next-gen firewalls are using them in conjunction with a stateful firewall.

Next-gen firewall vendors should take note, by the way: 18% of those not deploying next-gen firewalls claimed “vendor misrepresentation of capabilities” as an impediment to adoption.

DO YOU CURRENTLY USE APPLICATION AWARE FIREWALLS (ALSO CALLED NEXT-GENERATION FIREWALLS)?

                                        Employees:   <100   100-1,000   1,000+
Yes, for granular application control                 16%      24%        29%
Yes, but only for port filtering                      21%      22%        19%
No                                                    63%      54%        52%

Source: N=473 North American Security Professionals; “Security Purchasing Intention 2013 survey,” TechTarget Inc. November 2012.


TAKEAWAY: One-fifth of respondents said they can put the brakes on cloud projects when security concerns loom.

GEOCACHE: 27% of respondents in Australia and New Zealand said they use cloud-specific security tools, compared to only 15% in the U.S.

Both Cloud-Specific Security Solutions and Security Services Delivered by Cloud Meet With Resistance

On the one hand, our respondents said they had a lot less influence over cloud deployment than they had where mobile is concerned. Twenty-one percent reported they can “recommend or specify” their organization’s cloud projects, compared to 57% who make recommendations for mobile security technologies. What’s interesting, though, is that 22% reported they can “reject or delay” projects based on security concerns.

Globally, 44% of the survey respondents are evaluating products designed to secure cloud servers and data—the percentage is somewhat higher in the U.S. Overall, 15% of respondents currently use some sort of cloud-specific security tool, with 33% reporting they have no plan to use cloud security technologies (principally because their organizations aren’t using the public cloud).

As for moving security processes to the cloud, there’s a fairly high degree of resistance. Thirty-five percent said they’d consider disaster recovery as a cloud service, but 57% reported they simply don’t want to outsource security.

ARE YOU CURRENTLY USING, PLANNING TO USE, OR EVALUATING CLOUD SECURITY TECHNOLOGIES?

                                                  Employees:   <100   100-1,000   1,000+
Implementing cloud security technologies this year              8%       7%         5%
Evaluating cloud security technologies                         48%      46%        48%
No plan to use cloud security technologies                     31%      34%        30%
Using cloud security technologies now                          13%      13%        18%

Source: N=473 North American Security Professionals; “Security Purchasing Intention 2013 survey,” TechTarget Inc. November 2012.


Additional key findings

[Charts: responses to six questions, each shown in the original as a bar chart. Are you currently using, planning to use, or evaluating policy/risk management software? (No plan to use; Evaluating; Using now; Implementing). Are you currently using, planning to use, or evaluating database activity monitoring? (No plans; Evaluating; Implementing this year; Using now). Do you currently use data loss prevention (DLP) technology? (Yes, for email/Web; Yes, for database applications; Yes, for flash drives, USB tokens; No DLP). What encryption technology will you add in 2013? (Laptop; Mobile; Drive; Database; None). Do you currently use security information and event management (SIEM) technology? (Yes, for compliance and proactive response; Yes, for compliance; No, never used; No, stopped using). Compared to 2012, how will your spending on laptop/desktop/drive encryption change in 2013? (No change; Increase; Decrease).]

Source: N=473 North American Security Professionals; “Security Purchasing Intention 2013 survey,” TechTarget Inc. November 2012.


BRING YOUR OWN DANGER

Allowing employee-owned mobile devices doesn’t have to mean accepting all BYOD risks. Infosec pros share their BYOD security strategies.

By Lisa Phifer

MOBILE DEVICES COME IN all shapes and sizes, from smartphones, notebooks and tablets, to the new-breed hybrid convertibles and detachables that made headlines at the Consumer Electronics Show 2013. While mobility boosts enterprise employee efficiency by delivering “anywhere access” to business data and systems, it obliterates what’s left of the increasingly ineffective corporate network perimeter.

Many security managers have already discovered the disconcerting implications: less control than ever over enterprise data access from a myriad of consumer devices—including a groundswell of bring your own devices (BYODs)—and more difficulty determining which devices are accessing which systems and data.

So it’s no surprise that as use of personal mobile devices grows and becomes pervasive inside and outside the office, employers are struggling to enable secure use of BYODs. Anthony Peters, director of information technology at Burr Pilger Mayer Inc., a 400-strong financial services firm headquartered in San Francisco, said his tidy, policy-driven corporate BlackBerry world was shattered several years ago by the Apple iPhone craze.

“Today, we’re almost entirely BYOD,” Peters said. “We allow iPhone 3GS and above, Windows Mobile and Android. We have just seven BlackBerrys left that I’m hoping to retire soon.”

Burr Pilger Mayer is not alone. Enterprise BYOD adoption rates vary by region and industry, but by analyst estimates, have reached 40% to 75%—driven largely by consumer smartphones and tablets. According to Black Diamond, Wash.-based market research firm Osterman Research, there are now nearly twice as many personally owned iPhones, iPads and Android devices as their corporate-issued counterparts. Simply banning BYODs from the workplace rarely works.

“Ask anyone who says they don’t have BYODs to review their logs—I guarantee they’ll find Mobile Safari,” said Dave Martin, vice president and CSO at Hopkinton, Mass.-based EMC Corp. “Disallowing BYODs just pushes them underground where you lose visibility. I’d rather see BYODs and deal forensically with risks than try to convince myself that I can block them outright. Experience has shown that’s a failed strategy; users find a way in. But if you’re too permissive, you’re open to data loss. We are unable to lock down BYODs in the same way, so we need to be smarter about how we use them.”

GETTING A HANDLE ON BYOD RISKS

BYODs pose many business risks; some widely recognized and others less understood. The Security for Business Innovation Council—a team composed of Global 1,000 information security leaders—cited lost or stolen BYODs as its top concern. The danger here is clear: Although BYODs that go missing may well contain sensitive data, according to Osterman Research, less than one in four can be remotely wiped.

What’s more, employers often cannot assess data breach exposure on unmanaged BYODs. “It comes down to losing control of your data,” Martin said. “When email is retrieved [over cellular] and opened on a BYOD, I lose visibility into data access. In a phishing attack, I’d have no idea it even happened, and I [would] lose any chance of [forensic investigation].”

When BYODs bypass inbound filters normally applied to corporate devices, they’re vulnerable to malware—a fast-growing risk, particularly in regard to Android devices. BYODs that bypass outbound filters elevate risk of non-compliance with data privacy laws and regulatory requirements. As BYOD use grows, so will the frequency of these risky behaviors.

It’s tempting to tackle these risks by locking BYODs down just like corporate devices, but organizations that have tried run headlong into personal privacy barriers. “In the beginning, we had a lot of push-back,” Peters said. “[Users worried there would be] too much Big Brother and we’d be too involved in their personal lives. We talked to senior management, HR and legal from the start, spending significant time with individuals, showing them how [BYOD security policies] would work. That was really helpful in policy design.”

BALANCING BYOD RISK VS. PRIVACY

This push-back is precisely why many mobile device management (MDM) vendors are adding more granular policies and tools. For example, some MDM products can now be configured to collect and display location and call histories from corporate devices, but not BYODs. Such options emerged because employers with international presence face additional risk when it comes to privacy regulations.

“Lack of clarity—especially for multi-nationals with EMEA presence—is giving employers pause,” said John Marshall, CEO of AirWatch, an MDM vendor based in Atlanta. “They don’t want to allow BYOD as a convenience and then find they’re not in compliance with some country’s regulations. We’re seeing customers being more careful about personal privacy expectations—not inventorying personal apps installed on BYODs, [and] not wiping personal data on BYODs, and the like.”

Although regulations vary from country to country, many require informed consent to access personal information. This has given rise to enrollment processes that notify users about all possible MDM capabilities, whether employed or not, followed by customized “terms of service” that describe how the employer intends to manage the BYOD—what information will be collected, what actions can be taken, and what workers must agree to in order to complete enrollment and gain access to business data and systems.

An organization can address many BYOD privacy and compliance concerns by focusing on business assets. “We’ll always have to manage devices; we’ll always have to manage users, but what we manage about them can be narrower,” said Jonathan Dale, marketing manager with Blue Bell, Pa.-based mobile service provider Fiberlink Communications Corp. He said it is now possible and preferred for IT to secure mail, apps, content and users’ browser experience by applying different policies to certain user groups.

The MDM market is flooded with vendors offering integrated and stand-alone tools to manage sandboxed enterprise applications, corporate data containers and secure Web browser environments. “If you’re just managing apps or content, there’s no way you can make a mistake and see or wipe personal data,” Marshall said. “This approach generally allows a company to extend BYOD to a much larger audience.”

BYOD Agreement Checklist

A BYOD agreement checklist recommended by the Security for Business Innovation Council includes:

■ Ensure that end users are responsible for backing up personal data;
■ Clarify lines of responsibility for device maintenance, support and costs;
■ Require employees to remove apps at the request of the organization;
■ Disable access to the network if a blacklisted app is installed or if the device has been jail-broken; and
■ Specify the consequences for any violations to the policy.

SOURCE: “Realizing The Mobile Enterprise,” Security for Business Innovation Council, published by RSA Security.

POLICIES THAT WORK FOR BYODS

At Burr Pilger Mayer, which uses Fiberlink’s MaaS360 Software as a Service (SaaS)-based MDM product, BYODs are redirected to an enrollment portal, where user and device eligibility is determined. “Next, users must agree to give IT some control—for example, if your device goes missing, call us first so that we can wipe your phone before you call your provider,” Peters said. “Then we apply PIN length/change, encryption and wipe requirements.”

These controls are embraced as table stakes for all devices. But BYOD success lies in policy specifics. “Many people want to treat smartphones like desktop extensions. This is a disaster in practice,” said Ahmed Datoo, chief marketing officer of Citrix Inc.’s Zenprise MDM unit. “Smartphone users don’t have the patience to tap in eight-character passcodes, including caps and numbers. All it takes is one device wipe accident, and users will start removing [IT-managed controls].”

In fact, 26% of the 500,000 corporate devices and BYODs under Fiberlink MaaS360 control have policies that don’t require passcodes. Of the rest, 53% require a 4-5 digit PIN, 16% 6-7 digits, and a mere 2% require alphanumeric passcodes, Dale said. While a malicious hacker could more easily crack a short PIN once he or she has possession of a device, it appears that employers are willing to accept that risk in trade for basic device restrictions, visibility and as-needed control. That trade-off is only sound when the short PIN is paired with a failed-attempt lockout or wipe and with device encryption, so that the PIN gates the encryption key rather than just the lock screen.

For restrictions, full-device encryption is standard-issue on iPhones, iPads, BlackBerrys and brand-new Windows 8 phones, but only a subset of Androids. Dale reported that 44% of MaaS360 policies enforce encryption on Android devices. A growing number of employers may be adopting strategies similar to Burr Pilger Mayer, namely allowing unencrypted Androids, but compensating by storing corporate documents in a secure data container or using self-encrypted/authenticated sandboxed applications.


“We make sure that our documents are encrypted and prevented from getting into the wrong hands,” Peters explained. “We also track which documents people download and when they are synchronized with the cloud or forwarded.” By focusing [on] only these business assets, Peters said the company has been able to fully embrace BYOD without risking non-compliance or losing its ability to control and report on access.

AVOIDING BYOD SECURITY MANAGEMENT PITFALLS

Limited BYOD management also enables more granular wipe. “Selective wipe has become the de facto standard,” Dale said. “Our customers are no longer using full-device wipe on either corporate or BYO devices.”

Wiping only corporate settings, data and apps can protect business assets while leaving personal data and settings intact. Here again, policy matters: A scorched earth approach may mitigate business risk, but it removes MDM control and visibility, inhibiting assisted remediation. Instead, a more measured approach begins with user/IT notification, followed by as-needed escalation.

For example, Burr Pilger Mayer uses blacklists to detect when data-sharing apps are installed. “We go talk to employees about what they’re using apps for and not to share our data,” Peters said. “If we see that same app on 100 devices, we can assess the trend and decide how to respond.”

At Zenprise, customer use of blacklists and whitelists is growing for different reasons. “If you look at blacklisted apps, they’re either games or sharing apps like Dropbox,” Datoo said. “Step back and consider why users download these. They aren’t looking to bypass security; they’re just trying to be productive. IT should think about how to meet those needs more securely, such as letting devices link to SharePoint docs, surrounded by data leak prevention.”
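The checklist rules (block network access on a blacklisted app or a jailbreak), the passcode and encryption tiers reported by Dale, the notify-then-escalate approach to selective wipe, and Peters’ and Datoo’s use of blacklists all describe one decision: what an MDM should do with a device given its reported state and history. The following is an added example that puts that decision into working code; it is not code from the article, from Burr Pilger Mayer, or from any MDM product. The device records are constructed, and the app package names, thresholds and action names are assumptions.

```python
"""Graduated BYOD compliance evaluation over MDM inventory records.
Added example for this article, not code from the article or any MDM vendor.
Device records are constructed; app names, thresholds and actions are assumed."""
from collections import Counter
from dataclasses import dataclass

BLACKLIST = frozenset({"com.dropbox.android", "com.example.fileshare"})  # hypothetical
MIN_PASSCODE_LENGTH = 4   # the 4-5 digit PIN tier most MaaS360 policies enforce
TREND_THRESHOLD = 3       # report an app once it appears on this many devices


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str          # "ios" | "android" | "windows"
    corporate_owned: bool
    apps: frozenset
    jailbroken: bool
    passcode_length: int   # 0 means no passcode is enforced
    encrypted: bool        # full-device encryption active
    container: bool        # corporate data kept in an encrypted container


def violations(dev):
    """Policy findings for one device, most severe first."""
    found = []
    if dev.jailbroken:
        found.append("jailbroken")
    for app in sorted(dev.apps & BLACKLIST):
        found.append("blacklisted:" + app)
    if dev.passcode_length < MIN_PASSCODE_LENGTH:
        found.append("weak-passcode")
    # An unencrypted Android is tolerated when corporate data sits in a
    # container, the compensating control the article describes.
    if not dev.encrypted and not dev.container:
        found.append("unencrypted")
    return found


def decide(dev, unresolved_notices):
    """Response for a device given how many earlier notices were ignored.
    Ladder: notify -> block network access -> selective wipe. A jailbroken
    device is blocked at once (its platform controls cannot be trusted); a
    blacklisted app gets one conversation first, then the checklist's block;
    soft findings get two notices before a block."""
    found = violations(dev)
    if not found:
        return "compliant"
    if dev.jailbroken:
        return "block" if unresolved_notices == 0 else "selective_wipe"
    if any(f.startswith("blacklisted:") for f in found):
        return ("notify", "block", "selective_wipe")[min(unresolved_notices, 2)]
    return "notify" if unresolved_notices < 2 else "block"


def wipe_scope(dev):
    """A personally owned device is never full-wiped: only the managed
    footprint (mail profile, data container, managed apps) is removed."""
    if dev.corporate_owned:
        return frozenset({"full-device"})
    return frozenset({"corporate-mail", "data-container", "managed-apps"})


def blacklist_trend(devices, threshold=TREND_THRESHOLD):
    """Blacklisted apps on at least `threshold` devices: a one-off is a
    conversation, a widespread one is an unmet need to serve securely."""
    counts = Counter(app for dev in devices for app in dev.apps & BLACKLIST)
    return {app: n for app, n in counts.items() if n >= threshold}


def evaluate_fleet(devices, notices):
    """Map device_id -> action; `notices` holds unresolved notice counts."""
    return {d.device_id: decide(d, notices.get(d.device_id, 0)) for d in devices}


# Constructed inventory, as an MDM agent might report it.
FLEET = [
    Device("ios-001", "ios", False, frozenset({"com.apple.mobilemail"}), False, 4, True, True),
    Device("and-002", "android", False, frozenset({"com.dropbox.android"}), False, 4, False, True),
    Device("and-003", "android", False, frozenset(BLACKLIST), True, 0, False, False),
    Device("and-004", "android", True, frozenset({"com.dropbox.android"}), False, 6, True, True),
    Device("ios-005", "ios", False, frozenset(), False, 0, True, False),
]

if __name__ == "__main__":
    for dev_id, action in evaluate_fleet(FLEET, {"and-002": 1, "and-003": 1}).items():
        print(dev_id, action)
    print("trending:", blacklist_trend(FLEET))
```

Two design points matter more than the particular thresholds. First, the wipe scope is a function of ownership, not of severity: however far a BYOD escalates, the most it ever loses is the managed footprint, which is what keeps the “one wipe accident” Datoo warns about from driving users to remove controls. Second, the trend count runs across the fleet rather than per device, so a blacklisted app that shows up everywhere is reported as a demand signal for a sanctioned alternative rather than as a hundred separate incidents.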

FOCUSING ON ENABLEMENT

Enablement is a common thread among many organizations with large, successful BYOD populations. Rather than thinking of BYOD as the replacement of corporate devices, Marshall said it’s better to conceptualize it as a strategy to enable mobility for those who never carried corporate devices—a formal BYOD program with automated, over-the-air onboarding and configuration can do wonders for productivity.


Integration between MDM and network infrastructure to automate onboarding is growing, while precisely what those BYODs can access is shrinking. “We want to make our network easy to access and provide value, but if we gave BYODs access to legacy systems, that would be a miserable experience,” EMC’s Martin said. Instead of allowing BYODs to access core network resources, the company selectively publishes enterprise data to new mobile apps; users get the data they need, and the company ensures it can be accessed securely and wiped quickly and easily if necessary.

Dale sees growth in geo-fencing—combining current location with policy, such as disabling cameras on mobile devices when they are inside high-security areas. “We see geo-fencing used in education and retail to enforce policies that prohibit taking pictures of students or require secure Web browsing on campus,” he said. “Geo-fencing can be great for use cases where it’s helpful to re-provision the device based on location.”
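The re-provisioning Dale describes reduces to three steps: measure the device’s distance to each fence, take the union of the restrictions of every fence it is inside, and push only the difference from the profile already on the device. The following is an added example of that logic; it is not code from the article, from Fiberlink’s MaaS360, or from any other MDM product. The fence coordinates, radii, restriction names and the device track are all constructed for illustration.

```python
"""Geo-fence evaluation: map a device's reported location to the restrictions
to push to it. Added example, not part of the article or of any MDM product;
fence coordinates, radii, restriction names and the track are assumptions."""
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


# Constructed fences: (name, centre lat, centre lon, radius in metres, restrictions).
# A 400 m campus circle requiring the secure browser, and a 60 m records-room
# circle inside it where the camera is disabled.
FENCES = (
    ("campus", 37.7749, -122.4194, 400.0, frozenset({"require-secure-browser"})),
    ("records-room", 37.7760, -122.4180, 60.0, frozenset({"disable-camera"})),
)


def active_fences(lat, lon, accuracy_m=0.0, fences=FENCES):
    """Names of the fences containing the point. Each fence is grown by the
    reported GPS accuracy so a device that may be inside is treated as inside
    (fail closed): disabling a camera a few metres early beats a few metres late."""
    return [name for name, flat, flon, radius, _ in fences
            if haversine_m(lat, lon, flat, flon) <= radius + accuracy_m]


def restrictions_for(lat, lon, accuracy_m=0.0, fences=FENCES):
    """Union of the restrictions of every active fence."""
    active = set(active_fences(lat, lon, accuracy_m, fences))
    out = set()
    for name, _, _, _, rules in fences:
        if name in active:
            out |= rules
    return frozenset(out)


def reprovision(previous, current):
    """Profile delta for the MDM: (restrictions to apply, restrictions to lift)."""
    return frozenset(current - previous), frozenset(previous - current)


if __name__ == "__main__":
    # Constructed track: off-site, campus centre, records room, then 411 m north
    # of the campus centre with a 50 m accuracy radius (still treated as inside).
    track = [(37.8000, -122.4194, 5.0), (37.7749, -122.4194, 5.0),
             (37.7760, -122.4180, 5.0), (37.7786, -122.4194, 50.0)]
    state = frozenset()
    for lat, lon, acc in track:
        new = restrictions_for(lat, lon, acc)
        print(active_fences(lat, lon, acc), reprovision(state, new))
        state = new
```

The location is self-reported by the device, so this is a convenience control in the sense Dale uses it: a user can switch location services off, and a rooted or jailbroken device can report any coordinates it likes. The accuracy padding only handles honest GPS error; it does not make geo-fencing a substitute for the data-container and access controls discussed earlier.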

To ensure safe, effective use of BYODs in the enterprise, Martin said IT and security teams should work in partnership to assess emerging tools such as data containers and sandboxed apps while getting started with basic controls. Those controls can allow for less arbitrary permit/deny decisions each time a user carries in a new type of device.

“If you’re doing nothing about BYODs, don’t sit on the fence and wait,” Martin said. “There’s significant risk that can be addressed at relatively little cost.”

LISA PHIFER owns Core Competence Inc., a consulting firm specializing in network security and management technology.


EDITORIAL DIRECTOR Robert Richardson
NEWS DIRECTOR Robert Westervelt
SENIOR MANAGING EDITOR Kara Gattine
SENIOR SITE EDITOR Eric Parizo
DIRECTOR OF ONLINE DESIGN Linda Koury
COLUMNISTS Marcus Ranum, Gary McGraw, Doug Jacobson, Julie A. Rursch, Matthew Todd
CONTRIBUTING EDITORS Michael Cobb, Scott Crawford, Peter Giannoulis, Ernest N. Hayden, Jennifer Jabbusch Minella, David Jacobs, Nick Lewis, Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Anand Sastry, Dave Shackleford, Joel Snyder, Lenny Zeltser
USER ADVISORY BOARD Phil Agcaoili, Cox Communications; Richard Bejtlich, Mandiant; Seth Bromberger, Energy Sector Consortium; Mike Chapple, Notre Dame; Brian Engle, Health and Human Services Commission, Texas; Mike Hamilton, City of Seattle; Chris Ipsen, State of Nevada; Nick Lewis, Saint Louis University; Rich Mogull, Securosis; Tony Spinelli, Equifax; Matthew Todd, Financial Engines
VICE PRESIDENT/GROUP PUBLISHER Doug Olender, [email protected]
TECHTARGET, 275 Grove Street, Newton, MA 02466, www.techtarget.com

© 2013 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.

About TechTarget: TechTarget publishes media for information technology professionals. More than 100 focused websites enable quick access to a deep store of news, advice and analysis about the technologies, products and processes crucial to your job. Our live and virtual events give you direct access to independent expert commentary and advice. At IT Knowledge Exchange, our social community, you can get advice and share solutions with peers and experts.

Cover and page 14: iStockphoto