CSO, Sticks and Stones: Picking On Users and Security Pros
Dark Reading, Mobile Devices Threaten Enterprises From Within
Help Net Security, The Dramatic Increase of Vulnerability Disclosures
SC Magazine, Four Tips to Secure Your Smart Phones
TechNewsWorld, The New Threats: The Bad Guys Up Their Game
What We’re Reading, Week of 8/23
Posted: August 27, 2010 by vpnhaus in Highlights. Tags: mobile, Smartphones, Enterprise IT, Vulnerability
New Survey: Employees Complain About IT Security Policies
Posted: August 26, 2010 by vpnhaus in IT policy. Tags: security, employee security, IT security, information security, IT policy
You know the scenario: you implement your organization’s security policy, and within minutes you can hear employees groaning and mumbling about IT. According to a new survey, employees don’t just complain to each other; they now complain directly to IT.
Four in 10 CIOs interviewed for the Robert Half Technology survey said that it’s at least “somewhat common for employees to complain about security measures that limit which websites or networks they can visit at the office.”
IT professionals have long grappled with being the organization’s “bad guys,” limiting access and denying service to frustrated employees. To dodge outright mutiny, IT professionals can help employees better understand why we have to restrict and monitor what they do. To that end, we’ve turned the survey’s suggestions for employees confronting IT administrators on their head to make a list for IT professionals.
- Be Open to Questions. Nobody likes to be told policies exist “just because.” If an employee wants to know why a certain site or network is restricted, tell them why. And if they’re not super tech-savvy, do so in layman’s terms. The answer can be simple, but fostering this dialogue will make employees more comfortable with restrictions.
- Listen to Business Cases. IT professionals are sometimes so far removed from the rest of the organization that they don’t understand why blocking certain sites and networks is detrimental to business. When employees make legitimate business cases to change the IT policy, listen. We’ve heard stories of IT departments blocking social media channels at news organizations, leaving reporters scrambling on their mobile devices to catch up on breaking news stories.
- Explain Your Role. Let employees know that your job isn’t to deny them access to “fun” sites, it’s to protect the organization’s security. The better they understand your role, the more the policies will make sense.
- Be Flexible. When possible, work with the employees. For example, set up one computer in the office that isn’t restricted so employees can occasionally access restricted sites. Compromises like this go a long way in helping employees make peace with IT security policies.
What We’re Reading, Week of 8/16
Posted: August 20, 2010 by vpnhaus in Highlights. Tags: remote access, security, VPN
Dark Reading, Ferreting Out Rogue Access Points and Wireless Vulnerabilities
InfoWorld, 5 Reasons IT Pros Should Be Paranoid
Computerworld, Managing and securing iOS 4 devices at work
Technorati, Why a Blackberry Ban Won’t Affect Privacy
Q&A on IT/HR collaboration with Volodymyr Styran
Posted: August 19, 2010 by vpnhaus in Expert Q&A. Tags: security, provisioning, IT, HR, IT security
VPN Haus spoke with Volodymyr Styran, a security expert, about ways IT professionals can work more closely with HR on issues like provisioning. VPN Haus has long advocated for IT departments to make user provisioning a higher priority, and Styran has some ideas on how this collaboration can be turned into reality.
VPN Haus: Let’s start with basic tampering. How can IT administrators prevent users, especially ones who are tech-savvy themselves, from tampering with settings?
Styran: I’d suggest application of strong organizational policies and thorough logging of user actions. Changes to local policies are usually reflected in [programs like] Eventlog. Collect it centrally in a separate log management facility, review the logs regularly, and follow up the findings via disciplinary action. This may sound a bit aggressive, and is more reactive than preventive, but in my opinion this is the most effective approach.
VPN Haus: What’s the greatest enforcement challenge?
Styran: The greatest enforcement challenge is making HR execute disciplinary action. Punishing is not their favorite part of the job, because it affects image… So, when it comes to HR, one has to present and explain every bit of risk and harm introduced by a violation. And all this definitely makes little sense unless strong administrative policies are established beforehand.
VPN Haus: Can you provide 3 – 5 tips on how IT departments could work more closely with HR to foster better communication between the departments?
Styran: Sure.
- Be friendly, while being firm when needed.
- Make it formal, while maintaining good relationships. Write your policies firm and strict, but socialize with HR in a positive manner.
- Pay more attention to HR’s needs and concerns; this is relevant to relationships with any other non-IT function as well.
- Always explain. [In most cases,] they know next to nothing about [IT]. “We know better” doesn’t work. Although, the more you explain in the beginning, the fewer explanations they will need later on. This is how trust is developed over time.
Volodymyr Styran is based in Ukraine.

Mobile Devices like a “Trojan horse” into the Enterprise
Posted: September 1, 2010 by vpnhaus in Industry Commentary. Tags: mobile device, trojan horse, Dark Reading
John Hering, CEO of Lookout, a mobile security firm, recently told Dark Reading that allowing a mobile device access to critical data is “almost a Trojan horse into the enterprise itself.” Powerful words.
We took Hering’s warning to heart and asked several security and enterprise experts: What major security concerns should the enterprise worry about when it comes to mobile devices, mobile terminals & the Windows CE client? Here’s what they had to say.
“One of the biggest risks is user indifference to security. Stats show thousands of mobile devices (smartphones, USB sticks) are left in cabs, airports, etc. [This leaves] corporate and other data on them vulnerable to whoever finds the device. Along with this physical loss (and theft), the end user likely also loads sensitive corporate data on the device (emails, attachments, data files), increasing the overall risk.” – Barry Lewis, Owner, Cerberus ISC Inc
“If the enterprise uses Windows CE clients, they will have thought about the devices and the platform quite thoroughly. This OS is most common in specialized embedded devices, used in Line-Of-Business solutions. Most of the (independent software) vendors in that market will have thought about data encryption, both on the device as well as during communication. The solutions commonly include a device management solution that will encrypt and wipe data on the device remotely when required. Windows Mobile is a whole different story, as those devices are not so specialized and much more consumer oriented.” – Aart Merkelijn, owner of iKnowMobility
“Massachusetts is one of the few states that have laws specifically targeting encryption for data at rest which contains PII (personally identifiable information). The ‘fix’, if you will, is to have addressed data encryption and maintaining logs to prove [a] missing device was encrypted. If you can get that addressed you will be able to sleep better at night.” – Phillip Ogle, Systems Security Engineer
“The biggest threat to security is the human. Technology can be modified through programming or design. Humans must make a conscious effort to adhere to corporate policies and to police themselves. Policies need to address data at rest and in transit on portable devices.” – Larry Williams, Group Benefits Specialist