2012 has been quite the year for the mobile security industry. We’ve seen bring your own device (BYOD) come to the forefront of discussions, both in terms of its benefits and threats to network security. We’ve seen multiple strands of different trojans and malware that cost companies hundreds of thousands of dollars. Microsoft released Windows 8, thus sparking the debate over exclusively relying on DirectAccess in lieu of virtual private networks (VPNs). As a result of these major trends, we’re beginning to see industry-wide recognition that simple password protection is no longer sufficient. Rather, such techniques as split tunneling, two-factor authentication, and encryption offer safer ways to access corporate networks remotely. So we want to know, given the growing spotlight on threats to remote access, what solutions do you think should lead the charge for enhanced network security in the coming year? As always, feel free to elaborate in the comments.
Archive for December, 2012
Tags: BYOD, malware, Microsoft DirectAccess, Network Security, remote access, trojans, VPN
Tags: authentication, mobile, mobile devices, passwords, security, security threats, two-factor authentication
The proliferation of social networking and the acceleration of personal devices for corporate use can be a boon for remote workers. Unfortunately, this increase in systems and cross-platform networks can also be a huge opportunity for cybercriminals looking to launch targeted attacks.
In 2012, the sophistication of mobile malware intensified, damaging individuals, businesses and governments alike, revealing one of the year’s top security trends: that the traditional combination of username and password is not a strong enough security barrier.
With this in mind, the following security experts share their thoughts on why more secure authentication methods are needed in 2013:
“The fact is that passwords, as a security technology, are reaching the end of their useful life. Moving to a world where alternative authentication systems are the norm is incredibly difficult, and as a consequence we are entering into a period of time when we are going to have to continue to rely on a security control that doesn’t work. Encouraging users to pick longer passphrases, and proactively auditing networks for weak passwords are steps that can be helpful during this time. Increasingly, we are going to see attackers entering networks with legitimate access credentials without ever having to fire an exploit that would trigger an intrusion detection system. We need to be prepared for this type of attack activity.” Tom Cross, director of security research at Lancope
“Nine out of 10 intrusions involved compromised identities or authentication systems, so enterprises need to make sure they have a sound process for creating, managing and monitoring user accounts and credentials for all of their systems, devices and networks.” – Wade Baker, Verizon RISK Team
“The password-only security model is dead. Here’s why: Easily downloadable tools today can be used to crack a simple four- or five-character password in only a few minutes…Next year, we are likely to see an increase in businesses implementing some form of two-factor authentication for their employees and customers. This will consist of a Web-based login that will require a user password along with a secondary password that will either arrive through a user’s mobile device or a standalone security token. While it is true the recently discovered botnet Zitmo cracked two-factor authentication on Android devices and RSA’s SecurID security token (hacked in 2011), this type of one-two punch is still the most effective method for securing online activities.” – FortiGuard Labs’ 2013 threat predictions, Fortinet
What do you think? Will authentication attacks, including stolen usernames and passwords, continue to plague network security?
Tags: app store, mobile, mobile devices, security, whitelist
Question: Remote workers in my company access application stores through their mobile devices. How can I ensure app store security for my users?
The best approach is to deploy a mobile device management system that allows the capability to block access to public application stores, as well as allows for a whitelist of allowed applications. Depending on the number of mobile devices and the application requirements, it is best to operate a company-owned application store. This has many advantages and offers the best control overall.
Tags: Bring Your Own Devices, BYOD, control, personal identifiable information, privacy
Question: Our remote workers are entering the workplace with their own mobile devices and want to connect to our corporate resources. I want to allow them to do this, but before I do, I want to know the biggest risks of BYOD.
The biggest risks for enterprises that allow bring your own device (BYOD) environments are control and privacy. Deploying and enforcing security controls is typically more difficult on personal devices for two reasons. First, ownership of the device establishes a control mentality from the owner’s point of view. Second, restrictions on personal data or content, in general, are more difficult to argue from a BYOD policy standpoint. The most critical aspect is that companies must ensure they observe the protection of the users’ personal identifiable information (PII).