
Saturday, November 21, 2015

BYOD - CJIS MOBILE APPENDIX - FBI

Bring Your Own (BYO) what?

Set aside government and local-authority involvement and consider private industry alone: an employer may have no enforcement rights to control BYOD (bring your own device) smartphone usage, because its employees and out-sourced workers are the ones paying for company communications out of their own wages or salary, merely so that a natural business cost can be reduced or removed. Reported patterns of abuse by BYOD employees are scarce, as, funnily enough, are reports of the cost savings made by companies and of who actually benefits from those savings. What is the employment position of an employee who refuses BYOD? And what of staff on wages and salaries from, say, £40K down to the national minimum wage; are they protected?

This "Bring Your Own" approach in business is seemingly not limited to devices. There is an instance of an employer seeking to reduce vehicle fleet insurance costs by asking employees to have the company vehicle insured in their own name. So do we call this BYOI (bring your own insurance)? Significant problems could arise if those company vehicles carry hazardous items not disclosed to the insurer. Moreover, would employees find themselves coerced in the workplace if they refuse to comply?

Given the vast increase in personal mobile devices in the workplace, the UK Parliament may need to consider preventative legislation to stop employer abuses in all cases of "Bring Your Own" (BYO), whether device-orientated or not, without forcing the employee to pursue some form of equitable estoppel action (a doctrine preventing one party from taking unfair advantage of another, perhaps through false language or conduct) where the employer tries to treat the employee as if the employee were somehow holding out in the course of a business (UCTA 1977).

God forbid the next thing is BYOM (bring your own mortgage) to pay for the company office building.

BYOD - CJIS MOBILE APPENDIX - FBI

FBI analysis of BYOD. The report contains many references to BYOD, but two statements applicable to employees and out-sourced workers who use their own devices are noteworthy, at 1.7.3 and 1.10.2 below.

1.7.3  Bring Your Own Device (BYOD) employment
BYOD environments pose significant challenges to the management of secure device configurations. In many cases it may be impossible to apply effective security that is acceptable to the device owner or it may require extremely costly compensating controls to allow access to CJI on personally owned devices. While allowed by the CJIS Security Policy, agencies are advised to conduct a detailed cost analysis of the ancillary costs of compliance with CJIS Security Policy on personally owned devices when they are approved for use. In some cases, a BYOD user may agree to abide by the same device configurations and limitations as imposed on an agency owned device, but signed user agreements should still be in place to ensure the agency has a legal right to recover or clear the device of all data prior to device disposal or employee termination. In other cases, robust secure applications may provide acceptable levels of compliance in a BYOD environment for limited CJI access but application design and architecture should assume the device itself is un-trusted. If MDM/EMM software capable of detecting rooting or jailbreaking of the device is not installed, any CJIS or data access occurring from the device is at a substantially higher risk of compromise.

1.10.2  Malicious code protection/Restriction of installed applications and application permissions

The most common method of malicious code installation is enticing the user to manually install the malicious app which can be mitigated on organizational devices using an MDM or other application installation restrictions which prevent the user from installing unauthorized or unknown applications. Mitigation of this issue within BYOD environments may not be possible and will present a significantly enhanced risk to the device.

https://www.fbi.gov/about-us/cjis/CJIS%20Mobile%20Mobile%20Appendix%2020121214.pdf



Previous Discussions:

BYOD: Cyber Classification
http://trewmte.blogspot.co.uk/2015/08/byod-cyber-classification.html

Android Copy and Paste - what risks?
http://trewmte.blogspot.co.uk/2015/06/android-copy-and-paste-what-risks.html

BYOD risks and minefields
http://trewmte.blogspot.co.uk/2014/03/byod-risks-and-minefields.html

One hit, hits all
http://trewmte.blogspot.co.uk/2013/02/one-hit-hits-all.html

Smartphone BYOD
http://trewmte.blogspot.co.uk/2013/01/smartphone-byod.html

Tuesday, August 11, 2015

BYOD: Cyber Classification

Having an effective cyber defence requires "identification" of the methodology proposed for each measure adopted in the Critical Security Controls (CSC) programme. The Critical Security Controls listed below have been developed from the combined knowledge of actual attacks and effective defences of experts from every part of the cyber security ecosystem.

CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Malware Defences
CSC 6: Application Software Security
CSC 7: Wireless Access Control
CSC 8: Data Recovery Capability
CSC 9: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 10: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 11: Limitation and Control of Network Ports, Protocols, and Services
CSC 12: Controlled Use of Administrative Privileges
CSC 13: Boundary Defence
CSC 14: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 15: Controlled Access Based on the Need to Know
CSC 16: Account Monitoring and Control
CSC 17: Data Protection
CSC 18: Incident Response and Management
CSC 19: Secure Network Engineering
CSC 20: Penetration Tests and Red Team Exercises


Given the adoption of the CSC classification, it is not surprising that it would be in the interests of organisations to adopt the short form code of the Critical Security Control found to have been breached. For instance, where a BYOD is found to be the cause of the breach it may be said that a CSC 7 breach took place. The use of a short form code:

(i) immediately informs those who know the code of the kind of breach that has taken place;
(ii) creates standardisation across the organisation;
(iii) enables an organisation's first responder to identify and locate BYODs;
(iv) labels a breach in accordance with the internationally recognised CSC classification;
(v) removes the need for organisations to generate difficult and complex in-house classifications that later require translation, e.g. technically, legally, commercially.

CSC 7: Wireless Access Control
The processes and tools used to track/control/prevent/correct the security use of wireless local area networks (LANs), access points, and wireless client systems.

Why Is This Control Critical?
Major thefts of data have been initiated by attackers who have gained wireless access to organizations from outside the physical building, bypassing organizations' security perimeters by connecting wirelessly to access points inside the organization. Wireless clients accompanying traveling officials are infected on a regular basis through remote exploitation during air travel or in cyber cafes. Such exploited systems are then used as back doors when they are reconnected to the network of a target organization. Still other organizations have reported the discovery of unauthorized wireless access points on their networks, planted and sometimes hidden for unrestricted access to an internal network. Because they do not require direct physical connections, wireless devices are a convenient vector for attackers to maintain long-term access into a target environment.




CSC 7 Procedures and Tools
Effective organizations run commercial wireless scanning, detection, and discovery tools as well as commercial wireless intrusion detection systems.


Additionally, the security team should periodically capture wireless traffic from within the borders of a facility and use free and commercial analysis tools to determine whether the wireless traffic was transmitted using weaker protocols or encryption than the organization mandates. When devices relying on weak wireless security settings are identified, they should be found within the organization's asset inventory and either reconfigured more securely or denied access to the organization network.

Additionally, the security team should employ remote management tools on the wired network to pull information about the wireless capabilities and devices connected to managed systems.

CSC 7 Effectiveness Metrics
In order to test the effectiveness of the automated implementation of this control, organizations should measure the following:


1)  Are systems capable of identifying unauthorized wireless devices or configurations when they are within range of the organization's systems or connected to their networks (yes or no)?
2)  How long does it take to generate alerts about unauthorized wireless devices that are detected (time in minutes)?
3)  How long does it take for unauthorized wireless devices to be blocked from connecting or isolated from the network (time in minutes)?

4)  Are additional alerts generated every 24 hours after the initial alert until the system is isolated or removed from the network (yes or no)?
5)  Is the system able to identify the location, department, and other details of where authorized and unauthorized wireless devices are plugged into the network (yes or no)?


CSC 7 Automation Metrics
In order to automate the collection of relevant data from these systems, organizations should gather the following information with automated technical sensors:
1)  How many rogue wireless access points have been discovered recently in the organization (by business unit)?  This should include non-persistent, temporary and transient access points.
2)  What is the average time that it takes to remove rogue access points from the organization's network (by business unit)?
3)  How many wireless access points or clients have been discovered using an unauthorized wireless configuration recently in the organization (by business unit)?


CSC 7 Effectiveness Test
To evaluate the implementation of Control 7 on a periodic basis, the evaluation team has to configure 10 unauthorized but hardened wireless clients and wireless access points to the organization's network and attempt to connect them to its wireless networks. In the case of wireless access points, these access points have to not be directly connected to the organization's trusted network. Instead, they have to simply be configured to act as a wireless gateway without physically connecting to a wired network interface. In the case of scanning for wireless access points from a wired interface, the connected access point has to have the wireless radio disabled for the duration of the test. These systems have to be configured to test each of the following scenarios:


•  A wireless client with an unauthorized service set identifier configured on it.
•  A wireless client with improper encryption configured.
•  A wireless client with improper authentication configured.
•  A wireless access point with improper encryption configured.
•  A wireless access point with improper authentication configured.
•  A completely rogue wireless access point using an unauthorized configuration.

When any of the above-noted systems attempt to connect to the wireless network, an alert has to be generated and enterprise staff has to respond to the alerts to isolate the detected device or remove the device from the network.
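The "Procedures and Tools" paragraph above says to capture wireless traffic and compare what is seen against the asset inventory and the mandated encryption, and the effectiveness test lists the scenarios that must raise an alert (unauthorized SSID, improper encryption, rogue access point). The checker below is an added example, not part of the CSC text or of this post, that turns a scan into those verdicts. The scan text is constructed in the shape of `iw dev <iface> scan` output, and the authorized-AP inventory and the "WPA2-CCMP or better" policy are assumptions made for the example.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added example; not part of the CSC text or this post. The inventory and policy
// are assumptions, and the scan text in main() is constructed, not captured.
public final class WirelessPolicyCheck {

    /** One BSS (access point) as seen in the scan. */
    static final class Bss {
        String bssid = "", ssid = "";
        boolean privacy, rsn, wpa, tkip;

        /** Coarse encryption class from the capability bit and the RSN/WPA elements. */
        String encryption() {
            if (!privacy) return "OPEN";
            if (!rsn && !wpa) return "WEP";     // Privacy bit set but no RSN/WPA element
            if (tkip) return "WPA-TKIP";
            return rsn ? "WPA2-CCMP" : "WPA1";
        }
    }

    /** Parse scan text into BSS records; only the fields the policy check needs. */
    static List<Bss> parse(String scan) {
        List<Bss> out = new ArrayList<>();
        Bss cur = null;
        for (String raw : scan.split("\n")) {
            String line = raw.trim();
            if (line.startsWith("BSS ")) {
                cur = new Bss();
                String rest = line.substring(4);
                int paren = rest.indexOf('(');
                cur.bssid = (paren < 0 ? rest : rest.substring(0, paren)).trim().toLowerCase();
                out.add(cur);
            } else if (cur == null) {
                continue;                        // ignore anything before the first BSS
            } else if (line.startsWith("capability:")) {
                cur.privacy = line.contains(" Privacy");
            } else if (line.startsWith("SSID:")) {
                cur.ssid = line.substring(5).trim();
            } else if (line.startsWith("RSN:")) {
                cur.rsn = true;
            } else if (line.startsWith("WPA:")) {
                cur.wpa = true;
            } else if (line.contains("cipher") && line.contains("TKIP")) {
                cur.tkip = true;                 // "Group cipher: TKIP" / "Pairwise ciphers: TKIP"
            }
        }
        return out;
    }

    /** CSC 7 verdict per BSSID: rogue, evil twin, unauthorized SSID, weak crypto, or OK. */
    static Map<String, String> verdicts(List<Bss> seen, Map<String, String> authorized,
                                        String requiredEncryption) {
        Map<String, String> out = new LinkedHashMap<>();
        for (Bss b : seen) {
            String expected = authorized.get(b.bssid);
            String verdict;
            if (expected == null) {
                verdict = authorized.containsValue(b.ssid)
                        ? "EVIL-TWIN: unknown BSSID advertising an authorized SSID"
                        : "ROGUE: access point not in inventory";
            } else if (!expected.equals(b.ssid)) {
                verdict = "UNAUTHORIZED-SSID: inventory lists '" + expected + "'";
            } else if (!requiredEncryption.equals(b.encryption())) {
                verdict = "WEAK-CRYPTO: " + b.encryption() + " is below policy " + requiredEncryption;
            } else {
                verdict = "OK";
            }
            out.put(b.bssid, verdict);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed scan: one compliant AP, one legacy TKIP AP, one evil twin, one open rogue.
        String scan = String.join("\n",
            "BSS 00:11:22:aa:bb:01(on wlan0)",
            "\tcapability: ESS Privacy ShortSlotTime (0x0411)",
            "\tSSID: CorpNet",
            "\tRSN:\t * Version: 1",
            "\t\t * Group cipher: CCMP",
            "BSS 00:11:22:aa:bb:02(on wlan0)",
            "\tcapability: ESS Privacy ShortSlotTime (0x0411)",
            "\tSSID: CorpNet-Legacy",
            "\tWPA:\t * Version: 1",
            "\t\t * Group cipher: TKIP",
            "BSS de:ad:be:ef:00:01(on wlan0)",
            "\tcapability: ESS Privacy ShortSlotTime (0x0411)",
            "\tSSID: CorpNet",
            "\tRSN:\t * Version: 1",
            "\t\t * Group cipher: CCMP",
            "BSS de:ad:be:ef:00:02(on wlan0)",
            "\tcapability: ESS ShortSlotTime (0x0401)",
            "\tSSID: FreeWifi");
        Map<String, String> inventory = new LinkedHashMap<>();   // assumed asset inventory
        inventory.put("00:11:22:aa:bb:01", "CorpNet");
        inventory.put("00:11:22:aa:bb:02", "CorpNet-Legacy");
        verdicts(parse(scan), inventory, "WPA2-CCMP")
            .forEach((bssid, v) -> System.out.println(bssid + "  " + v));
    }
}
```

Run against the constructed scan this reports the first AP as OK, the second as WEAK-CRYPTO (WPA-TKIP), the third as an EVIL-TWIN and the fourth as ROGUE. Two caveats worth keeping in mind: a BSSID is trivially spoofable, so a match against the inventory is necessary but not sufficient, and a scan on its own cannot answer effectiveness metric 5 (where the device is physically plugged in); that still needs the switch-port and wired-side data the CSC text mentions.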

CSC 7 System Entity Relationship Diagram
Organizations will find that by diagramming the entities necessary to fully meet the goals defined in this control, it will be easier to identify how to implement them, test the controls, and identify where potential failures in the system might occur.



A control system is a device or set of devices used to manage, command, direct, or regulate the behaviour of other devices or systems. In this case, we are examining the configuration and management of wireless devices, wireless IDS/scanners, wireless device management systems, and vulnerability scanners. The list of the steps shows how the entities work together to meet the business goal defined in this control. The list also delineates each of the process steps in order to help identify potential failure points in the overall control.

•  Step 1: Hardened configurations applied to wireless devices.
•  Step 2: Hardened configurations managed by a configuration management system.
•  Step 3: Configuration management system manages the configurations on wireless devices.
•  Step 4: Wireless IDS monitor usage of wireless communications.
•  Step 5: Vulnerability scanners scan wireless devices for potential vulnerabilities.
•  Step 6: Wireless clients utilize wireless infrastructure systems in a secure manner.




Sunday, June 14, 2015

Android Copy and Paste - what risks?

This discussion may be relevant and useful to the process of evidence gathering, eDiscovery investigations and examiner procedures, for experienced examiners and investigators, for those new to the industry, and for students who may be unaware of this subject matter.

The Android clipboard framework (ClipboardManager, backed by a ContentProvider for complex data) enables copy and paste to and from the clipboard not only of simple text but also of complex data structures, text and binary stream data, and application assets.


Key Classes

- ClipboardManager
- ClipData
- ClipData.Item
- ClipDescription
- Uri
- ContentProvider
- Intent
The content provider enables objects stored on the clipboard to be shared among user applications, subject to the permission granted for copying and pasting outside a particular application.
The practical use of clipboard copy and paste may be generally understood by smartphone users, but the less experienced user may not know or realise that items stored on the clipboard can still reside in memory on particular smartphones long after the paste function was used. The same may also apply to examiners relying on data extracted and harvested from a DUT (device under test) with a particular examination tool of choice: the tool may not logically recover clipboard objects. Moreover, the copied data may not be distinguishable from a deleted SMS message when carving data from a physical extracted dump (JTAG/chip-off), so checking the clipboard is important.
 
 
Conduct a test on a smartphone of your choice. In tests run on a random selection of makes/models, not all were found to allow revisiting pasted data from previous copying, and not all allowed data copied in one application (e.g. WhatsApp) to be made available to another (e.g. text messaging). Thus manual examination may need to be applied during an examination in order to discover any vital data (evidence) excluded by a tool's recovery procedure.
As there are variances between makes/models, this equally raises concerns about missed opportunities to recover data during past examinations.

DUT – Samsung GT-I9100P
Android OS version – Ice Cream Sandwich

COPY AND PASTE

The manual examination test applied: select a new, blank SMS test message page and apply continued finger pressure to the text message field. The DUT vibrates and the dialogue box offers two options: PASTE or CLIPBOARD (see image below). Select CLIPBOARD.



The DUT responds with a multiple choice of previously copied data that may be reused. The first entry box is a message copied from the Samsung SMS text message application. The copied data with a stated date and time stamp in the fourth entry box is data copied from a message in WhatsApp.



Note the format change of the date, and that the clock is out by one minute when cross-referenced to the WhatsApp image below. Is this down to conversion from one application to another? Are there two clocks in use on the same smartphone? Was the SMS message created first and copied and pasted into WhatsApp? Or is it something else?



Further issues to be considered. Subject to the point made above regarding permission to copy and paste outside a particular application, Android itself does not require an application to hold any permission to write data to or read data from the clipboard. (Android 10 and later restrict clipboard reads to the app in the foreground and the default keyboard, but the older devices discussed here predate that.) Consequently this leaves a security loophole where an application requires the user to copy their credentials (passwords, PINs etc.) before they can make use of it.
Moreover, android.content.ClipboardManager.OnPrimaryClipChangedListener is an interface in the Android SDK providing a listener callback that is invoked each time the primary clip changes. A password or PIN placed on the clipboard by one application therefore becomes readable by any other application listening for that change. This is problematic: if malware were unintentionally installed on the smartphone, credentials could be leaked to an outside party. Smartphone copy-and-paste security can therefore only be as good as the applications installed and used.
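The listener described above, and the counter-measures available to the application that owns the secret, as an added example that is not code from the original post. The class name is hypothetical, and the Context is assumed to come from a normal Activity or Service; API-level guards are included because the sensitive-clip flag and clearPrimaryClip() did not exist on the Ice Cream Sandwich device tested above.

```java
import android.content.ClipData;
import android.content.ClipDescription;
import android.content.ClipboardManager;
import android.content.Context;
import android.os.Build;
import android.os.PersistableBundle;
import android.util.Log;

// Added example; not code from the original post. ClipboardDemo is a hypothetical
// class name and the Context is assumed to come from an Activity or Service.
public final class ClipboardDemo {

    private static ClipboardManager manager(Context ctx) {
        return (ClipboardManager) ctx.getSystemService(Context.CLIPBOARD_SERVICE);
    }

    // (1) The leak primitive described above. No manifest permission is needed to
    // register this listener or to read the clip. Before Android 10 it also worked
    // from a background app; from Android 10 getPrimaryClip() yields nothing unless
    // the app is in the foreground or is the default keyboard.
    public static ClipboardManager.OnPrimaryClipChangedListener installSniffer(Context ctx) {
        ClipboardManager cm = manager(ctx);
        ClipboardManager.OnPrimaryClipChangedListener listener = () -> {
            ClipData clip = cm.getPrimaryClip();
            if (clip == null || clip.getItemCount() == 0) return;
            CharSequence text = clip.getItemAt(0).coerceToText(ctx);
            Log.d("Sniffer", "primary clip changed: " + text); // malware would exfiltrate here
        };
        cm.addPrimaryClipChangedListener(listener);
        return listener;
    }

    // (2) The owning app's side: if a credential must go through the clipboard,
    // mark it sensitive so Android 13+ keeps it out of the clipboard preview overlay.
    public static void copySecret(Context ctx, String secret) {
        ClipData clip = ClipData.newPlainText("credential", secret);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            PersistableBundle extras = new PersistableBundle();
            extras.putBoolean(ClipDescription.EXTRA_IS_SENSITIVE, true);
            clip.getDescription().setExtras(extras);
        }
        manager(ctx).setPrimaryClip(clip);
    }

    // (3) Clear the primary clip as soon as the secret has been pasted, so it does
    // not sit in memory for a later listener, or a later examination, to pick up.
    // Whether an OEM clipboard history (like the multi-entry one on the DUT) is also
    // purged is vendor-specific and has to be tested per make/model.
    public static void clearSecret(Context ctx) {
        ClipboardManager cm = manager(ctx);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.P) {
            cm.clearPrimaryClip();                               // API 28+
        } else {
            cm.setPrimaryClip(ClipData.newPlainText("", ""));    // best effort on older releases
        }
    }
}
```

The point of (1) is that it needs no declared permission, so nothing in the install-time permission list warns the user. (2) and (3) reduce the exposure window but do not remove it: any listener registered before setPrimaryClip() still sees the secret, which is why an application should avoid routing credentials through the clipboard at all.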

Observations. An examiner/investigator who analyses security by referring only to the latest makes/models of smartphones or apps on the market may well be taking a flawed approach. There are a considerable number of handsets out there in day-to-day use for work and personal activity which can be, for example, 5 to 10 years old. Operators are currently offering SIM ONLY contracts as an alternative to subsidised handsets, and such a smartphone won't be updated. Companies may well fail in the fiduciary responsibilities and duty of care owed at board level to the company by offloading natural company expenditure and avoiding providing communication devices to employees. By fostering the notion of BYOD (bring your own device), the employee is in fact subsidising the company's communications system and therefore its security, and the company retains the security loopholes created by assuming that smartphone users know everything about their smartphone, which is a fallacy.

Saturday, March 15, 2014

BYOD risks and minefields

I read the article in CIO, "Think Deleted Text Messages Are Gone Forever? Think Again", and the discussion that rumbles on about BYOD.

Firstly, it is a bit surprising that the article suggests a "wow" factor associated with recovering deleted text messages. I would have thought it was common knowledge by now in business generally, and particularly at CIO level.

Secondly, the notion and practice of companies getting employees to use their own devices (BYOD) to access company networks and company information seems to be an open invitation for a security breach (intentional or accidental) to happen. The duty of care owed by the corporate body and by individuals at senior level places incumbent obligations on both to conduct risk assessments, identify company assets and control dissemination of company information in order to protect it. There may also be legal risks for companies demanding access to employees' phones to go through their personal data.

There appears to be no persuasive technical/technological evidence to support BYOD propagation on the basis that without it a company could not operate. Moreover, why require BYOD policies, practices and procedures that in essence generate further and continuing costs to maintain, whereas in-house company devices (properly controlled) also mean retention of company assets: devices have an asset value, depreciation allows for write-down and tax relief, etc.

BTW the points about assets and finance came from a specialist corporate accountant in this area, whereas accounting is not my forte. Mind you, brain surgery is not my forte either, as I could not get any practice in the subject matter due to the patients; there was a shortage of volunteers.

Sunday, February 10, 2013

One hit, hits all

As you know setting a 'percentage expectation' for disruptive events is common in any operating plan, QoS plan, security plan etc. Contingency (forward planning) of something that might/may happen as a percentage factored in advance in order to ensure support being available is standard practice.

The author Henry Basset's 'Red Sky Alliance' records in his blog (http://henrybasset.blogspot.co.uk/2013/02/attackers-collaborate-defenders-are.html):

"20-50 compromised computers per day (7 days/week) could (should) be expected."

The article does not state that 20-50 will happen daily. Moreover, it is very difficult to reconcile how events happening on weekdays would occur in the same proportion at weekends, when staff are not working and terminals are therefore not in use in the workplace; another factor suggesting the statement is geared towards forecast or contingency rather than actual fact.

It is not entirely clear either that the 'inventory computers' could corroborate a computer identified in that inventory as being the disruptive source, as opposed to merely being a compromised device, so repeated events could continue to be propagated against that same device. One reason is that an inventory of computers may not take account of 'BYOD devices' (http://www.trewmte.blogspot.co.uk/2013/01/smartphone-byod.html), which, quite horrifically, are being proposed for business. Laundering such ideas as relevant, cost-effective (sorry, a cheap way for a company to provide IT/comms without cost to the company) and a must-have, apparently, on employee-centric wish-lists crudely ignores common-sense security policies, practices and procedures. Moreover, BYOD is more likely to increase the chances of ICT (information and communications technology) disruption/compromise, which is crudely labelled 'cyber attack/crime'. 'Cyber attack/crime' is itself being used in an attempt to downgrade the important differences and characteristics between science technologies by applying to them a technology-neutral title, 'cyber' (cf. Andrea C Simmons' comments about cyber wrapping, http://www.bcs.org/content/conBlogPost/1861).

Promulgating the noun/adjective/verb 'cyber-', lauded as the title of the next big threat to the world, will in itself generate changes down the line, eventually forcing governments to create localised technology standards to deliberately undermine and reduce the chances of global cyber attacks/crimes occurring based upon common code used by many countries. This can perhaps be illustrated by the enormous economic and fiscal effort that has gone into maintaining the 'Euro', contrasted with the 'British Pound'. Were the Euro actually to go down, the localised British Pound would still be there: a local individual currency proving a far sounder bet than a global common currency. Or, looked at from a different angle, if a local individual currency did go down it wouldn't drag down its partner currencies. This tends to reinforce the positive that 'local standards' offer far better security and protection and minimise disruption, whereas global standards create the greater threat of 'one hit, hits all'.

Monday, January 21, 2013

Smartphone BYOD


The article about Application Performance Management highlights five factors that will influence APM in 2013. Approaching APM not from the service angle (end-to-end interoperability) but from what the user gains from it is, as the article states, an uncertainty with BYOD (e.g. mobile, tablet etc). BYOD is not simply about browsing habits used to prove an issue or trend, but about whether such devices are used (a) as company property; (b) what work material is available; (c) whether access is on-site or off-site; (d) whether external private access points are accessible; (e) whether, regarding (d), there are obligations to reveal; and so on.

During the worst of the recession, and even now, many companies' operational costs and write-down (depreciation) of operational assets (phones, computers etc) have been slimmed down, and some obligations moved on to staff to use their own smartphones and tablets; the company thereby also realises reductions in capital expenditure by avoiding mobile service contracts.


Strange that so much effort and money has been and is being spent on cybercrime detection and prevention, and yet the more likely statistic as to where an ICT attack would occur seems not to be determined from yet another market survey but from plain, good old-fashioned common sense. If employees bring their own devices to work, employers cannot legislate as to what happens with them whilst at work. If employers don't pay for communications devices/services because they want to turn an operating profit or 'twinkle' before their shareholders, then it is not difficult to comprehend, from a security point of view, that smartphones are potential carriers of 'digital infection' that are deliberately being allowed to propagate with BYOD. National societies have watched over the last two decades the decay in common sense and the removal of the barriers that locked Pandora's box shut. Why have the barriers been taken away? For the sake of the emotional gratification of earning a short-term profit, and for globalisation and commercialisation that required the reduction and removal of local barriers originally put in place by mandatory regulation.

The task for digital investigators is to now re-engage with digital access policies in companies and discover the implemented and evolving communications route plan.

http://www.apmdigest.com/compuwares-top-5-apm-predictions-for-2013

Additional research

zdnet - http://www.zdnet.com/byod-mobile-workers-thumbing-nose-at-it-security-7000003519/

Forbes - http://www.forbes.com/sites/markfidelman/2012/05/02/the-latest-infographics-mobile-business-statistics-for-2012/
 

 Network World - http://www.networkworld.com/news/2012/061912-byod-20somethings-260305.html