DDos Attack Protection

About once a year, usually around Black Friday, and coinciding with the flu season, mobile security takes center stage. Maybe more so this year, given the ascendency of the smartphone coupled with browsers finally good enough to make the mobile Web a worthwhile experience.

A week or so ago, RIM’s security chief spoke about smartphone viruses and their potential usurpation of the phone as a platform for DDoS attacks. This coupled with a critical mass of open operating system devices now make the mobile phone a tempting target. We’ve been talking about mobile viruses for half a decade. This time, the threat is real.

In the same way, these virtual petri dishes are black holes into which corporate IT has no visibility. Sybase (News – Alert) recently commissioned a study of European IT executives to evaluate the magnitude of this potential exposure. The findings are downright scary, and make one wonder about the level of attention IT departments have devoted to addressing the security requirements of their mobile workers. 66 percent stated that they have no visibility into the sensitivity of data stored on mobile devices, 38 percent have no visibility into applications, and only 15 percent are confident in their ability to contain exposure if the phone is lost or stolen. In my book, considering the magnitude of exposure, this lack of security should have these IT managers camped out at the corner unemployment office (or in a more draconian mood, at the local lockup).

These metrics align with the percentage of employee-liable phones used in the enterprise, now approaching 50 percent as reported by Yankee Group (News – Alert). I won’t go into the not unexpected conclusion from the presentation about the iPhone’s readiness (or lack thereof) for enterprise use.

So what’s an operator, an enterprise, or a smartphone subscriber to do?

Needless to say, once the phone is lost or infected, it is too late. An effective over-the-air security solution, deployed as part of an overall care architecture by the operator, for employee liable devices, or by the enterprise for corporate liable devices, is the foundation. This solution will be responsible for pushing firmware or software updates to the phone, ensuring that discovered vulnerabilities are quickly patched. Extensions to widely deployed FOTA architectures meet this requirement. In some cases, the operator may mandate anti-virus software, pushed to the device (or pre-loaded at time of manufacture) by the same update conduit. If the phone is lost or stolen, the management client of the device should be capable of locking the phone and/or wiping all data.

In parallel to the operator’s care platform, user education is essential. Password protection is a given, as well as the need for backup. However, it is almost criminal that employees using their smartphone for work purposes ignore this first line of defense. And, if the user wants that which happened in Vegas to stay in Vegas, he or she can’t wait a week to report a lost phone, hoping that it will miraculously re-appear. A phone locked after compromising photos or a corporate roadmap have made it to the Internet is not nearly as good as a phone locked before. Unlocking is as easy as making a call, nothing is lost if/when the “lost” device is once again found, as an over-the-air unlock is just as fast and easy as a lock.

The real area for improvement is in the area of IT control over employee liable devices. At Interop (News – Alert) in NYC, I participated in a panel addressing just this concern. We exchanged best practices, painting a picture of what should be, though not what necessarily currently exists. Our joint observation was that IT departments need to understand that mobile devices fall into a continuum. On one extreme, there are corporate liable Blackberries or mission-specific platforms upon which you can enforce restrictive, but safe, policies (on device encryption, strong passwords etc.). There will always be a place for this. On the other are the unwashed masses with a variety of personal devices with no policy or control enforced or deployed.

But the middle? Devices with reasonable VPN or ActiveSync support with on device encryption like Windows Mobile or the iPhone (News – Alert) 3GS? Good call, it is reasonable to expect encryption on the device, something that is supported by ActiveSync policies. However, some handsets, like earlier iPhones, will report back to the server that they support on-device encryption, when they don’t.

Convenient, but dangerous because you think that you are more secure than you are. Then there are devices which will fetch your mail off the Exchange server (if the server is configured to allow low security devices), but make no claim of any sort of ActiveSync on device encryption, such as recent Android devices like the Motorola (News – Alert) Droid or the Palm Pre. Even this is not cut and dried. For example, Touchdown, an ActiveSync corporate email app, runs on Android devices but reports support of on device encryption (at least as of late November 2009) even if that capability does not yet exist. The situation is complex.

The level of visibility into these devices, and IT’s willingness (and/or ability) to lock down an employee owned device , will inform what corporate resources are made available. This in effect addresses the concerns raised by the Sybase study. No visibility. No access to ERP or Exchange.

And if the enterprise does deploy security along the lines of Credant or Good, they’ve got to make doubly sure that there is no leakage of content (i.e., contacts or photos) from the ‘public’ to the ‘enterprise’ side of the device, certifying conformance on each and every OS platform and hardware family introduced. Here, the onus is on the IT department.

As I got onto the plane in JFK, I looked around at a rather unhealthy cross-section of the traveling population (compared to SFO), wondering if it was just my phone that I needed to protect…

Tags: attacks, DDoS, DDOS attack, DDoS Attacks, Internet, Security, vulnerabilities
Posted in Mobile Security | No Comments »

Cloud computing users face problems including loss of control over data, difficulties proving compliance, and additional legal risks as data moves from one legal jurisdiction to another, according to a assessement of cloud computing risks from the European Network and Information Security Agency (ENISA).

The agency highlighted those problems as having the most serious consequences and being among the most likely for companies using cloud computing services, according to ENISA.

ENISA examined the assets that companies put at risk when they turn to cloud computing, including customer data and their own reputation; the vulnerabilities that exist in cloud computing systems; the risks to which those vulnerabilities expose businesses, and the probabilities that those risks will occur.

When moving to cloud-based computing services, companies have to hand over control to the cloud provider on a number of issues, which may affect security negatively. For example, the provider’s terms of use may not allow port scans, vulnerability assessment and penetration testing. At the same time, service level agreements (SLAs) may not include those services. The result is a gap in defenses, ENISA said in the report.

Compliance could also prove to be a big problem if the provider can’t offer the right levels of certification or the certification scheme hasn’t been adapted for cloud services, the report said.

One of the advantages of cloud services is that data can be stored in multiple locations, which could save the day in the event of an incident in one of the data centers. However, it could also be a big risk if the data centers are located in countries with a shaky legal system, according to the report.

Other areas of concern are vendor lock-in, failure of mechanisms separating different companies, management interfaces that get accessed by hackers, data not deleted properly and malicious insiders.

To minimize these risks the report proposes a list of questions that a company needs to ask potential cloud providers. For example, what guarantees does the provider offer that customer resources are fully isolated, what security education program does it run for staff, what measures are taken to ensure third-party service levels are met, and so on.

In the end a good contract can lessen the risks, according to the report. Companies should especially pay attention to their rights and obligations related to data transfers, access to data by law enforcement and notifications of breaches in security, it said.

ENISA’s report isn’t all doom and gloom, though. Using cloud computing services can result in more robust, scalable and cost-effective defenses against certain kinds of attack, according to the report. For example, the ability to dynamically allocate resources could provide better protection against DDoS (distributed denial-of-service) attacks, ENISA said.

Tags: attacks, customer data, face problems, Hackers, probabilities, security agency, vulnerabilities
Posted in Computing Risks, Uncategorized | No Comments »