A random assortment of recent coverage involving sensitive information:
Archive for September, 2011
The world of mobile computing is coming to corporate prime-time as users bring their own devices to work and connect to applications and data through the company network.
For some organizations, the saying is “the more the merrier.” Want to use Blackberries, iPhones and Android smartphones? Bring-em on.
And, Android smartphones are gaining tremendous attention and purchases. A few recent pronouncements about Android include:
But for many large organizations, it’s Blackberry and iPhone only for the time being.
Why? What’s limiting the adoption for corporations?
Recent headlines at The Register offer a clue:
Featured from this story:
Google updated Android 16 times since September 2008, while the number of iOS updates over the same period is 29. When a new version of iOS (iPhone) is released it’s available to any iPhone user with the hardware to support the upgrade. But, Android users wait years for phone carriers to supply updates.
Part of the difficulty in fixing security vulnerabilities on Android lies in the delays for Android updates. These delays are largely brought on by phone-maker and carrier user interface (UI) modifications to the operating system, many of which are primarily superficial.
And, part of the problem can be found in some fundamental security control flaws that need to be fixed in Android. The researcher mentioned in the story at The Register, Jon Oberheide, has some rather revealing details that can be found in:
The summary of his research includes easily exploited privilege escalations, including holes in Android itself, problems with the Android Web Market, piggybacking on top of Angry Birds and other apps, Rootstrap, and mobile botnets, among others.
Some of the primary findings indicate the risks currently outweigh the rewards for corporate customers, including:
- Security control flaws that exist in the current versions of Android
- Android developers that can easily fool the marketplace
- It’s still relatively easy to piggyback on existing Android marketplace applications
- Potential upside and downside from a ready market for jailbreaking Android phones
Encouraging the adoption of Android smartphones (and other devices) by corporate customers might include changes such as:
- Enforcing a single Android standard (Google)
- Eliminating the delay-prone UI silliness (Carriers and phone manufacturers)
- Rationalizing the distribution of OS updates and patches (Google, carriers, corporate customers)
- Distributing UIs through the marketplace (Carriers and phone manufacturers)
- Better qualifying content in the marketplace (Google)
- Encouraging third-party security solutions through the Marketplace (Google)
Secure Sockets Layer (SSL) is a beautiful thing, or rather Transport Layer Security (TLS) is. Designed to prevent eavesdropping and tampering, SSL/TLS is visible to most people as the “s” in “https”, when two parties are connected across the Internet. Otherwise, it’s generally invisible to most.
Despite being invisible, SSL/TLS is relied on by all manner of governments, businesses and people for confidential communications, especially when using payment processing applications that rely on Internet communications to transact confidential business.
Is the Beauty now a BEAST?
But, recent headlines would have you believe SSL/TLS has been broken – forever!
Some of the headlines include:
From all reports, the recent BEAST (Browser Exploit Against SSL/TLS) exploit appears to require a combination of factors for it to work. These include:
a) Exploit Java code must be inserted into a user’s browser
b) A website must be visited
c) A network monitor must sit in between the website and the user’s browser for the length of the session, or for as long as it takes to decode the SSL/TLS session.
Estimates of the time it takes for SSL/TLS sessions to be decoded in this manner are in the neighborhood of a half-hour – and longer.
Are you at risk?
Not yet: but remember that some will figure out how to leverage this.
Is SSL/TLS broken?
Not yet: but it’s probably only a matter of time before BEAST is further exploited.
What’s the Net?
It’s advisable to be careful.
Evaluate the evidence from the Ekoparty Security Conference in Buenos Aires taking place this Friday.
Push for an update from the current TLS 1.0 to 1.1 or 1.2.
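As an added illustration of that last recommendation (example code, not from the original post): a small Python audit helper that refuses TLS 1.0 on the client side and classifies what a server actually negotiates. The function names and the cipher-suite naming heuristic are assumptions; TLS 1.2 is used as the client floor because 1.1 is itself deprecated today.

```python
import socket
import ssl

# Versions whose CBC suites chain the IV from the previous record (the
# predictability BEAST relies on). TLS 1.1 introduced explicit per-record IVs.
BEAST_EXPOSED_VERSIONS = {"SSLv2", "SSLv3", "TLSv1"}


def hardened_client_context() -> ssl.SSLContext:
    """Client context that refuses to negotiate anything below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out TLS 1.0 (and deprecated 1.1)
    return ctx


def is_cbc_suite(cipher_name: str) -> bool:
    """True if an OpenSSL- or IANA-style suite name denotes a CBC block cipher (heuristic)."""
    name = cipher_name.upper()
    if "_CBC_" in name:                      # IANA style, e.g. TLS_RSA_WITH_AES_128_CBC_SHA
        return True
    if any(tag in name for tag in ("GCM", "CCM", "CHACHA20", "POLY1305", "RC4", "NULL")):
        return False                         # AEAD, stream cipher or no encryption: not CBC
    # OpenSSL names omit "CBC": AES128-SHA, DES-CBC3-SHA, CAMELLIA256-SHA are all CBC suites
    return any(alg in name for alg in ("AES", "DES", "CAMELLIA", "SEED", "IDEA"))


def assess_session(version: str, cipher_name: str) -> dict:
    """Classify a negotiated (version, cipher) pair, as reported by
    SSLSocket.version() and SSLSocket.cipher()[0], for BEAST exposure."""
    cbc = is_cbc_suite(cipher_name)
    exposed = version in BEAST_EXPOSED_VERSIONS and cbc
    return {
        "version": version,
        "cipher": cipher_name,
        "cbc": cbc,
        "beast_exposed": exposed,
        "action": "move to TLS 1.1+ and prefer non-CBC suites" if exposed else "ok",
    }


def probe_server(host: str, port: int = 443, minimum=ssl.TLSVersion.TLSv1):
    """Connect with a deliberately permissive floor to see what the server
    picks; returns the assessment, or None if no handshake succeeded."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum            # permissive on purpose: this is an audit probe
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return assess_session(tls.version(), tls.cipher()[0])
    except (OSError, ssl.SSLError):
        return None
```

Run `probe_server("your.host.example")` against your own servers to see whether TLS 1.0 with a CBC suite is still what gets negotiated; a `None` result with `minimum=ssl.TLSVersion.TLSv1_2` means the server cannot speak TLS 1.2 at all.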
A $2.3 billion loss on ETF trading at UBS
The recent trading loss of $2.3 billion suffered by UBS is a whopper of a financial loss, one coming on the heels of other very large trading losses experienced in the financial sector. Some interesting insight into the factors that might be involved can be found in the blog article, The ETF loophole (almost) everyone missed, written by Felix Salmon at Reuters. Another piece, Swiss miss, at The Economist points out some interesting observations about what this experience might mean for UBS and other institutions running trading desks.
The incident brings to light some rather interesting questions for supervisory and internal audit functions: probably just a few of the many functions that failed to catch the problem. The most obvious questions of course include: how did it happen, and what can be done to catch or prevent it in the future?
Obviously, more light on the specifics involving the trading losses experienced by UBS will be shed as evidence and testimony is gathered.
Magic is in the eyes of the beholder
In a larger sense, the events at UBS bring to mind the experience of watching a magician who places a noticeably white ball under one of three dark-blue cups, moves the cups around, and asks you to identify which of the three cups the ball is actually in, once the cups come to rest.
Invariably, you pick the wrong cup – time and again!
Why? Well, the world of magic is based on the study of illusion and human behavior. In this case, the illusion relies on your eyes paying extra attention to the hand that is moving all of the cups and on the interaction you are having with the magician’s face and voice. Unseen by almost all who participate in this magic act is the magician’s other hand, which deftly and cleverly moves the ball into or out of the cup you are meant to believe the ball is in.
This and similar illusions are successful for magicians, whether the act involves running a saw through a person in a box, pulling rabbits out of a hat, or making doves appear seemingly out of nowhere.
Learning what to pay attention to and what to ignore
Whether it’s magic, the recent trading losses experienced at UBS, or the world of managing risk related to the use or misuse of information and IT systems, the biggest problem for many organizations is knowing what to pay attention to, which is where internal control and information security functions come in.
Visibility and illusion: the crux of the problem
I’d be rather rich if I was paid by the number of times I’ve heard the phrase, “My biggest problem is what I don’t know (or what I don’t see).” The problem of visibility goes to the heart of unmasking illusion, be it knowing which cup the ball is under in a magic act, illicit or highly risky trading in financial markets, information security breaches resulting in substantial business risk, or other endeavors in life.
Do you chalk up success to guessing which cup the ball is under and pure luck? Well, if you do, you’re not guiding your own destiny nor that of your organization. What you might want to consider doing is shining a light on all of the visibly missing procedures that are directly related to prioritized risks.
The ITPCG has embedded results from across thousands of organizations into quick two-minute self-assessments that will enable you and your organization to assess the impact of your risk management practices – as these apply to the use of information systems – on outcomes, relative to others in your industry, your peers and the best performing organizations. A few of the assessments directly related to managing risk include:
Risk and Compliance Management
Organizational and Policy Risks of Cloud Computing
Operational and Technology Risks of Cloud Computing
Reporting and Risk Management
We hope you find these sources informative and useful as you make improvements in your own organization.
In this day and age, there seems to be no lack of focus on the topic of managing risk. Reflecting this, numerous sources of information are available to assist you with socializing and driving improvements through better risk management discipline and practice. Recent and classic resources available on the topic include:
Accenture 2011 Global Risk Management Study
This is a broad look at company-wide risk management challenges and differences, drawn from research conducted by Accenture with about 400 companies across 10 industries in all major geographies. The report focuses on trends in how risk is being experienced and addressed, challenges that lie ahead, and how some organizations are now using risk management practices to drive strategic advantage.
NIST Publication 800-300: Risk Management Guide for Information Technology Systems
An old classic that has not grown old with age; if you are in IT, the document is worth reading if you’ve not already seen it. Coverage is especially focused on risk assessment, mitigation and evaluation.
RiskIT
Filling the gaps between generic risk management frameworks and detailed (primarily security-related) IT risk management frameworks, RiskIT provides an end-to-end, comprehensive view of all risks related to the use of IT and a similarly thorough treatment of risk management, from the tone and culture at the top to operational issues.
ISO 31000 and 27005
ISO 31000 seeks to provide a universal paradigm for practitioners and companies employing risk management processes to replace the myriad of existing standards, methodologies and paradigms that differ between industries, subject matters and regions. ISO 27005 is addressed to the needs of information security risk managers.
ENISA: European Network and Information Security Agency
The ENISA site delivers methods, tools and insight into practices, along with their cross-functional integration.
IT PCG Risk Assessment: Comparative Benchmarks
The ITPCG embeds results from across thousands of organizations into quick, two-minute self-assessments that will enable you to assess the impact of your practices on outcomes, along with comparisons against your industry, your peers and the best performing organizations. A few directly related to managing risk include:
- Risk and Compliance Management
- Organizational and Policy Risks of Cloud Computing
- Operational and Technology Risks of Cloud Computing
- Reporting and Risk Management
We hope you find these sources informative and useful as you make improvements in your own organization.
And, we apologize for any resources we’ve unintentionally missed. Assist others by sending us your suggestions.