CSO: the art of catching the board's ear

Being a propeller head might get you so far in security, but it will be a security leader's finesse, business nous and human touch that will ensure security programs succeed.

The deceptive simplicity of the Cloud and managing mobility 

Google has a different perspective on enterprise security: hand data and applications over to Cloud operators who, in some cases, are better resourced than the typical small to medium enterprise (SME) to protect information.

Eran Feigenbaum, director of security at Google Enterprise, says there are two trends driving business to the Cloud: bring-your-own-device (BYOD) and low-level threats like compromised credentials, which are the most damaging to business.

“A lot has been said about perceived new vulnerabilities, especially as they relate to increasingly popular buzz words like advanced persistent threat (APT) and clickjacking,” Feigenbaum told CSO Australia.


Security vendor Trustwave’s 2012 Global Security Report backs up Feigenbaum’s claim. Hackers scanning the Web for remote access applications with default configurations were behind 61 per cent of infiltration cases in 2011.

Google has offered “two-step verification” for Gmail and Google Apps since October 2010.

Google’s two-factor system requires users to enter a code that Google sends via text or voice message upon signing in with their username and password.

Feigenbaum says two-step verification “drastically reduces” the chances of having Google Account information stolen, and “really helps combat many of the security vulnerabilities emerging today.”

Despite its cost effectiveness compared with, say, tokens, SMS two-factor has been criticised by Gartner analyst Avivah Litan for having been defeated by banking Trojans like Zeus, which enable so-called “man in the browser” attacks. Another factor is actual adoption. Google’s chief technology advocate, Michael Jones, commented at a recent security conference in Australia: “We beg people to do it but they won’t do it.”

However, SMS two-step verification enabled banks three years ago to ramp up mobile banking, aided by security education programs and free antivirus now common to most Australian banks today.

But when it comes to corporate mobile device access to internal applications, the technical security of the device is not the problem, says Girn.

“The benefits of mobility far outweigh the risks because you can wipe devices remotely and the device is physically close to you, but I think the real risk from mobility is the risk of carrying so much information with you all the time.

“You have personal and corporate information on a device, so how do you make sure the device gets wiped straight after you have lost it? Without a password the device effectively becomes an unshredded encyclopedia on your life. So the challenge is to educate people to make sure there’s a password, and they know how to wipe it remotely.”

While Girn says many companies are implementing mobile device management (MDM) technologies which allow them to wrap policies around the device, there’s still the human factor.

“The main issue is the person who loses the device has to ring the help desk and say, ‘Wipe it, I’ve lost it’.

“If you lose your wallet or your credit card, you’re going to phone very quickly and get it cancelled. But at this stage the behaviour of people, once they have lost their smart device, doesn’t have the same urgency as losing a wallet. As phones are increasingly used for cashless, near field communication (NFC) style transactions, clearly this behaviour will change rapidly.”

Resolving this is a matter of education “where you say, ‘Look, this is worse than losing your credit card, you’ve got payment capability, you’ve got your information.’”


Comments

Mark Hatton


While a company’s safety can depend on improving communication between the CEO and CISO, as this article says, our recent survey found that 36 percent of CEOs don’t deem it necessary to get IT security briefings. Check out our CORE Security blog post here for more findings: http://bit.ly/MAAnfy

Andre Fernando Da Silva


IT and Information Security Management practices have come a long way in improving the way security is planned, assessed and managed, but they still depend on people communicating well to ensure organizations achieve the best from them. That means security professionals at all levels need to mature their skills in how to communicate and set a tone that makes sense for their specific organization. The IT/IS Security Business Case is a good place to start learning the language.

Organization culture plays a critical role, and if you don't align well with it I would say you should keep investing in building internal relationships. Find the right people to help you sell the message. Use spies to tell you how best to communicate with senior managers. It is not an exact science, and our job is to be creative and optimistic, keeping the focus on our success.

In my experience working with different industries and cultural backgrounds, I have to say that there is no recipe that fits all organizations. I would recommend our community to be open-minded, to listen to every organization we work with, and to be willing to adapt and change our practices to win the game.

Start assisting your organization or customer in enabling efficient communication between the board and directors. The Security Committee Charter must be among your priorities.

Andre
