After some consultancy to one of the worlds biggest software company, a test lab was built that mimicked the environment that public users would use. After a few minutes of testing the security measures, it was found by one of my people that user computers were stored under the desks users would sit at. These machines all came prepared with CD ROMs and USB ports. These were found to be bootable and the BIOS was able to be manipulated so that other boot sources could be selected.
So what are organizations doing this year to better protect the physical computing environments?
As before, server computers are being locked away, machines in remote locations are being encrypted and the pre-boot authentication is being requested the challenge is how do these machines get rebooted remotely but vendors such as HP, DELL and IBM have built in remote management solutions that allow for the machines to be remotely managed even if the machine is turned off. This technology has been around for some time now but is proving more useful with remote lockdown.
Pre-boot authentication is typically what organizations are looking to implement between now and next year as to better protect their environments from physical attacks. Typically, a pre-boot authentication screen is loaded that will prompt a user for credentials before booting the operating system. The boot process may also enable the user to boot an encrypted hard disk after presenting the authorised credentials making the data on the disk more secure physically than before. (This technique together with the encryption option helps in achieving PCI DSS compliance).
With the digitization of documents and data repositories more data is available online. Document management systems now convert physical documents to digital documents in the blink of a scanner bulb. Customer details are being digitized and stored online in multiple locations in insecure ways. Client data dissemination is reported on; on a daily basis if the organization is high profile enough. It is clear that confidentiality needs to be taken more seriously and organizations are now taking this into account when deploying client machines.
When consulting organizations I often find that only mobile devices are are thought to be under threat. This is not the case, as all devices that store confidential data including desktops need to be encrypted. If the data is on desktops the threat remains evident as the assets will need to be disposed of at some point. If the machines are lost or stolen the loss of data may have the same impact on an organization from a privacy perspective and from reputation perspective. Device Encryption is a key element but so is Content Encryption as networked machines need to have network assessable data encrypted. When it comes to confidentiality, without a doubt, encryption is necessary.
End point security
A data theft technique known as Pod slurping is typical of where few technical controls are implemented that stop users from stealing data. Many organizations have now started to implement stronger technical controls that prohibit users from stealing data. These controls may come in the form of security software that restrict users from copying data to and from authorised organizational devices. Such software can be feature rich supporting file logging and shadowing, proving without a doubt which files were copied. The feature also secures data that is copied, as the copied data is shadowed onto the network each time the client is synchronised. Many other features like control of what can be plugged into the client machines and allowed to be used, and policies that allow for granular control of what devices can be used may prove useful.
Strong authentication is becoming more common throughout IT security and corporate estates. Organizations are seeking and implementing solutions that utilise a stronger form of authentication than the typical set of credentials being a username and password. What is strong authentication? Strong authentication comprises two or more forms of authentication from a group of authentication mechanisms. Respectively: something you have, something you know and something you are. Any mixture of any two of the above modules will provide for strong authentication. Using something you have and something you know would be a common example of a trend that many organizations world-wide have started to implement as a form of strong authentication.
As VOIP becomes an increasingly used and reliable technology more emphasis is placed on the security around VOIP. This was evident at a recent black hat event where significant VOIP vulnerabilities were uncovered and exposed. Identity theft, privacy and confidentiality again play a key role in the overall VOIP picture. It seems that the technology to secure VOIP devices is around but organizations have been slow to adopt such solutions. This is due to the cost and skill set required to design a more secure solution than what is offered out of the box.
Privacy has been substantially escalated as a priority by means of legislation and bills that have been passed internationally. Organizations have been slow to respond because of lack of skills and budget constraints. Some standards are taking a tougher stand and soon non-compliance will not be tolerated. This area of security is growing and lots of work in this security zone will need to be done in the next three years to get the contingent to an acceptable level.
As newer technologies emerge so do newer threats. Technologies like social networks are becoming more common, these networks may not be perceived as a threat but some security professionals would argue that these networks could be used to mine personal information that may be used to socially engineer a way into an environment. These networks are not only updated by the legitimate users but also frequented by malicious users to gather updated information that could be used against your organization so careful planning around all technologies from a security perspective is a must. However innocent the technology any leverage that can be gained by a malicious user could be used against an organization if left un-secured. In this case, knowledge is the potential risk. The link to the security trends this year is defence in depth (a layered approach) is a good approach.
In the replication the trend has been to replicate more, organizations have begun to build on DR and BCP more reliably and vigorously than before. This area of security has stabilised quite nicely. Organizations have a DR and BCP plan involving replication on the whole. Virtual machines are now also maturing and snapshot capabilities have been added and improved upon. Solutions that make machines that were physical to virtual for DR purposes are springing up (P2V, physical to virtual) and more reliable solutions are being developed.
Deepscan application control
Desktop threat mitigation is being converged into one product by the antivirus vendors. Spyware, malware, Rootkit, Antivirus, Browser hijackers, personal firewalls, application control, encryption, online backup and many more subscription services are being offered as the splurge of threats flourish. These seem under control for the moment however I find that vendors are bloating their applications to the point that they slow down the systems they are installed on and build a threat profile of their own. Security professionals that I deal with are very selective about the tools that they install and seldom do find those in the know using a single package that protects you against all threats. Typically a good mix of well written applications are used to better protect your system against malignant risk.
Personal firewalls are being rolled out as frequently as antivirus in large corporations even though users sit behind high powered corporate firewalls. The reason for this is multi fold and the benefit from a system protection perspective is evident in the application age. Recently I have noticed that cutting edge technologies that firewall systems at the switch layer are being utilised to replace personal firewalls as the investment has already been laid out in previous purchases or networking equipment.
Application control is a newer layer that is being adopted quickly by organizations world wide, kernel layer application scanning is added to the operating system that controls which applications are able to be run by users on their systems, this is possible by using unique application profiling that manages what applications are able to be run and by who. Essentially if this control is enabled no other applications are able to run, this includes parts of the operating system. Vendors argue that no antivirus is necessary as if a virus were copied to the machine it would not be able to run. My view is that a virus could still be copied to an unprotected machine and then executed if copying was allowed.
Security cannot be addressed by implementing one solution that seeks to be the security holy grail. Vendors know this and there are many offers for bundled applications that pretend to offer a complete security package. Defence in depth is a good approach and choosing the correct tools that best fit your organization’s requirements is no easy task. The quest for security continues.