Author Archive

Andrew Jaquith

Andrew Jaquith is the Chief Technology Officer of Perimeter E-Security. Before Perimeter, he was a senior analyst with Forrester Research and Yankee Group.
23
Jan

Paving Over the Proprietary Web: The Java Security Bigger Picture

Written by Andrew Jaquith. Posted in Blog Post

 

Perhaps you’ve heard about the recently disclosed Java 7 zero-day exploit. The flaw allows a remote attacker to take complete control of a computer. It has been incorporated into many exploit kits. The Department of Homeland security regards the Java exploit as sufficiently serious to recommend “disabling Java in web browsers until adequate updates are available.” Oracle’s fixes — aren’t.

Many of my colleagues at other security firms have spilled a lot of ink describing why this particular Java exploit is bad. It is indeed that bad; Apple, for example, has forced down an update that blocks the Java 7 plugin from executing in the browser at all, at least until Oracle is able to distribute an update. If you are in the habit of keeping Java switched on in your browser, you should turn it off — of course. But that isn’t always possible. Client-side Java, for example, powers GoToMeeting. Many other companies — including my own — rely on client-side Java for critical functions. So one cannot simply rip it out, or mandate that it be banned. Reality has a habit of messing up the best-intended recommendations. But make no mistake, at some point very soon Java on the client needs to go. CIOs, please take note.

Client-side Java is part of the web’s proprietary past, and its time is ending. That proprietary past also includes ActiveX and Flash, two other technologies that saw widespread adoption in the early 2000s. That all three of these technologies came of age at roughly the same time isn’t a coincidence; they all filled gaps in the web experience. ActiveX was Microsoft’s way of adding native client functionality to a then-crude web experience; client-side Java (Swing, Java Web Start etc) did the same. Flash and its cousin ShockWave provided smooth video and animations.

Since 2005, though, the native web has changed dramatically, and for the better. HTML 5, CSS and JavaScript toolkits have been the major catalysts of a revolution in web design. The canvaselement added to HTML 5, for example, allowed standards-compliant browsers to draw shapes, create and fill paths, and animate objects. This, plus the video element, freed designers from needing Flash. Cascading Style Sheets (CSS) Levels 2 and 3 gave designers increasingly pixel-perfect control over the placement and appearance of content — a task made even easier with CSS pre-processors such as LESS and Sass, and with kitted CSS assemblies such as Twitter Bootstrap. On the JavaScript front, third-generation toolkits such as jQuery made it simple to make websites dynamic and responsive. You can do all of these things for free, without needing to buy any of the various Studios from Adobe or Microsoft.

The slow-motion revolution in how the Web is made means that the raîson-d’être for proprietary web technologies is going away. Like a lumbering concrete mixer, HTML5 and JavaScript are slowly paving over the parts of the web that had previously been occupied by Flash, ActiveX and Java. Ironically, the vendors of these proprietary technologies have, in their own ways, added limestone, clay and water to the paving machine.

Microsoft, for example, turned an entire generation of web developers against it with its long, and ultimately fruitless, resistance against robust CSS support in Internet Explorer. Although modern versions of IE are highly standards-compliant, Internet Explorer did not pass the CSS Acid3 test until September 2011. Any web developer who has been working with CSS for more than 5 years, for example, can probably regale you with stories of massive hacks needed to allow older Microsoft browsers to work with standards-based websites.

The roots of Adobe Flash’s decline are a little different. Nothing was “broken” with Flash, functionally speaking1. Two related events resulted in a decline in Flash usage: Steve Job’s public refusal to add Flash support to the iPhone and successor iOS devices; and Google’s decision to convert its vast library of YouTube clips to HTML 5-compatible WebM and H.264 formats.

These actions, plus the increasing viability and efficiency of WebM and H.264, meant that you didn’t need Flash video any longer. This has clear implications for customers. For customer-facing websites, you can (and should strongly consider) retiring Flash video in favor of H.264. This is a quick win; the re-encoding process is relatively quick and painless. That said, the need is not as urgent compared to Java. Adobe’s security team (under the leadership my former @stake colleague Brad Arkin) has upped the tempo of bug fixes, adopted auto-update, and is taking security seriously enough that Flash has become less risky than it had been. Still, if you can remove a dependency on a third-party component that needs to be maintained and updated in addition to the base operating system, why wouldn’t you?

Java, on the other hand, is simply a mess. From a pure features perspective, Java’s caretaker parent, Oracle, no longer employs the kind and number of Java engineers that will keep it up-to-date — never mind put it back on the cutting edge. Most of the Java engineers and visionaries such as James GoslingJosh BlochTim BrayAmy Fowler, and Adam Bosworth — the people I learned from and looked up to while I was learning Java J2EE — left long ago to greener pastures. Although server-side Java is still widely used, nobody I know would consider it for greenfield development for use with a browser.2

From a security standpoint, it is hard to see why Oracle would be Johnny-on-the-spot with security fixes. As my other (!) former @stake colleague David Litchfield has pointed out, the company doesn’t have the best track record on security. We can reasonably assume that fixing client-side Java security holes isn’t anywhere near the top of Oracle’s priority list. And even if it becomes so because screaming customers demand it, legacy products get legacy engineers. That’s just the way it is.

The same goes for Microsoft’s ActiveX. Developers don’t use it for new web-based projects, and the company has for several years recommended that developers use other technologies3 to make dynamic websites. The risks associated with ActiveX continue to be high, no doubt because ActiveX controls are basically chunks of native code written by various vendors of varying skill, remotely triggered by websites that may or may not be under the user’s control. (What could go wrong withthat?) To be sure, Microsoft has done as much as any vendor in the industry to set the standard for responsible and secure development practices. Over the years, they have responded relatively quickly to the various ActiveX security issues that have popped up over the years. But as with client-side Java, it’s legacy technology maintained by legacy engineers.

It is much, much easier to talk about how the slow-moving concrete machine that is the modern web — HTML 5, CSS, and JavaScript — will slowly pave over the proprietary web. It is harder to state with confidence what it will mean for security. However, one may hazard a few guesses. The decline of these three technologies should increase the overall level of security over time. Logic dictates that a browser festooned with fewer proprietary plugins is a more secure browser. Put differently: migrating older websites to use CSS, HTML 5 and JavaScript support will have the effect of concentrating the attack surface by reducing the number of parties who must defend that surface. Over time, the broad public ought to be better served by having Apple or Google or Microsoft be responsible for the entire web browsing experience — including security.

But in the short term, it won’t be so clean. Based on vulnerability counts — an imprecise metric at best — the “younger guys” don’t score well. For example, the US National Vulnerability Database shows that the WebKit browsing engine had over 198 disclosed vulnerabilities last year. Internet Explorer? Just 61. Meanwhile, ActiveX, Java and Flash had 73, 169, Flash 67. I draw no other conclusions from these data, other than the simplest one — increased use of native browser capabilities is likely to increase risks in the short term, even as the decreased use of proprietary technologies decreases it. At some point the two lines will cross.

In the meantime, the cement truck keep rumbling.


1 Functionality aside, Flash’s security track record has been poor for a while.

2 Java development is alive and well on the Android platform, of course.

3 It’s fair to say that Microsoft has been all over the place on this subject over the last 10 years: DHTMLXAML/SilverLight, and now Windows 8-style apps.

17
Jan

My Review of Gene Kim’s new novel, “The Phoenix Project”

Written by Andrew Jaquith. Posted in Blog Post

Over the Christmas holidays, I read an advance copy of Gene Kim’s first novel, “The Phoenix Project“. Gene’s co-authors were Kevin Behr and George Spafford. It was a better read than I was expecting. It is about 350 pages; I read it in essentially one sitting with a break for lunch. Here’s my review.

The book aims to describe how to bring TQM and “lean” (as in, “manufacturing”) disciplines to IT. Although TQM is especially important in the context of operations, the book shows how “systems thinking” that spans the development and IT operations organizations, and reaches upstream into finance, sales and marketing is critically important for technology-reliant companies. Because all but the most hidebound companies rely on IT to run (and transform) their businesses, the lessons in this book are generalizable to every company.

03
Jan

Tackling BYOD: What Tools Do You Need?

Written by Andrew Jaquith. Posted in Blog Post

Taylor Armerding at CSO Magazine just published a story on bring-your-own-device (BYOD) strategies: “BYOD keeps expanding, and IT just has to deal with it“. He contacted us as a source for his story. He had three questions for us:

Gartner recommends mobile data protection (MDP), network access control (NAC) and mobile device management (MDM) tools. Do you agree?

Is there anything else IT departments should be doing?

The debate is ongoing about the economic and security benefits vs. disadvantages of BYOD. Where do you come down on it? Should enterprises embrace it or discourage it, and for what reasons?

These are all important questions that CISOs must answer. You can see Taylor’s published story here, in which I was briefly quoted. As a service to our customers, however, I thought it might be fun to show you the full text of my email reply to him:

1. Gartner recommends mobile data protection (MDP), network access control (NAC) and mobile device management (MDM) tools. Do you agree?

I do agree, but with some caveats. Gartner’s recommendations cover a broad swath of IT devices, so it is important to understand which kinds of “bring your own” devices a company wants to protect: (1) laptops (which are “mobile devices” in the sense that they are portable PCs) or (2) Post-PC devices like smartphones and tablets?

For laptops, Gartner recommends using MDP tools, which basically means buying full disk encryption hardware and software, along with management tools. This is good advice; company sensitive information should always be encrypted at rest.

However, companies might want to take a look at what they already have before they buy a third-party product. For example, if the company has a modern PC fleet running the enterprise versions of Windows 7 or Windows 8, the built-in BitLocker full-disk encryption feature might be good enough. But most employees who bring their own PCs are not likely to bring in a Windows machine; it will probably be a Mac. In that case, Apple’s built-in FileVault 2 full-disk encryption feature, which is very good, might be enough if the Mac runs Lion or Mountain Lion. That said, companies who want a FIPS-validated solution or something that integrates with PC-based encryption management tools should look at vendors that provide Mac support such as Sophos or Symantec.

For smartphones and tablets, mobile device management (MDM) tools are essential. (Disclaimer: Perimeter offers a cloud-based MDM service). MDM can help ensure that the most essential mobile security policies are enforced, for example requiring a PIN and an “auto-destruct” policy. MDM can ensure that content- or full-device encryption is enabled on platforms that support it, such as iOS and BlackBerry. However, Android devices offer no guarantees about whether encryption will be present or not, so we generally recommend retrofitting Android devices with a lightweight encrypted container app such as Nitrodesk’s TouchDown product. TouchDown will provide encrypted storage for email, tasks, calendars and contacts when used in conjunction with MDM and ActiveSync. (It’s a type of “lightweight” MDP, I suppose, because it covers just part of the device.)

Gartner recommends NAC, but NAC is a “fussy” technology that doesn’t work well in dynamic environments. The idea is noble: block any devices not known to IT from accessing the network. Sounds nice, but in practice NAC is very brittle because it presupposes that IT can somehow know all of the devices that should be allowed to be on the network. With BYOD, they can’t — indeed, that is the point of BYOD. For most companies, NAC doesn’t bring much benefit, and adds a lot of hassle.

Instead of NAC, companies should use MDM in conjunction with their email systems to block devices not managed by MDM from accessing email. This is done via an ActiveSync proxy that integrates with MDM; every device that tries to get email is referred to MDM to see if it is enrolled. If not, the device is blocked. Nearly every MDM product has an ActiveSync enforcement proxy. This is a much simpler process than NAC, and it makes sense because everybody needs to get their email. So why not use it as a chokepoint?

2. Is there anything else IT departments should be doing?

Technology can only get IT so far. To manage BYOD effectively, managers need to address two other components: policy and law. The law increasingly dictates what companies can (and cannot) do with employee-owned devices, which in turn drives the policies. Companies should:

  • Create an explicit Bring-Your-Own-Device oriented Acceptable Use Policy
  • In the AUP, clearly spell out data protection obligations; support roles and expectations; reimbursement; data collected while the device is under management; employer rights to monitor, confiscate and wipe devices (and under what conditions); data ownership; and what happens when the employee leaves the company.
  • Require employees to sign off on the AUP when bringing their devices to work
  • Create simple, common-sense IT security policies. For example, always require encryption for sensitive company information in motion and at rest. Protect each device with a 5 or 6-digit numeric passcode; when combined with a 10-wrong-tries auto-destruct policy, this policy is stronger than a typical desktop password policy, and easier to use as well.
  • Minimize the data you collect from employee-owned mobile devices; the less the better
  • Use MDM to enforce your polices through technical means whenever possible

[Note: I didn't mention it in the email reply to Taylor because it would have been crassly commercial, but you should know that Perimeter's Cloud MDM service was built for BYOD. We provide out-of-the-box policy templates that enforce best-practice security policies for passwords, encryption, email and data collection. We also provides a Model Acceptable Use Policy template, co-developed with a leading international law firm, that companies can use as the basis of their Acceptable Use Policy for employee-owned devices. The Model AUP is written in simply worded but legally correct English, and specifies the twelve key policies and practices that every BYOD program should have. We wanted companies to be able to enjoy the benefits of BYOD, and get them as close to zero effort as possible. That's why we don't just offer an MDM technology product, but a total solution spanning the disciplines of technology, policy and law.]

3. The debate is ongoing about the economic and security benefits vs. disadvantages of BYOD. Where do you come down on it? Should enterprises embrace it or discourage it, and for what reasons?

For PCs, I am not convinced that BYOD makes sense economically. It makes more sense to simply procure the devices employees want, within reason. For example, if your developers want Macs, you should buy some for them. If a company is small, you can manage the security aspects of the Mac centrally (through Active Directory policies), and let employees go to the Apple Store for break/fix. Larger companies will want to bring some of the Mac break/fix competencies in house. But regardless, on the economic and security questions, there is much less ambiguity if IT keeps the devices company-owned.

For smartphones and tablets, the BYOD ship has already sailed. Most companies that allow ActiveSync access already have a BYOD problem; they just might not know it yet. BYOD is not a question of “if,” but of “when.” The advantages of BYOD are clear: more choice and a happier workforce. What companies need are answers and solutions to ensure that costs and risks are properly managed.

For smartphones, IT can make a very clear economic case for BYOD. If the employee pays for some or all of the data plan, those savings can be used to pay for MDM. Imagine that an employee wants to move from BlackBerry to iPhone. Suppose the combined savings from (a) not paying for BlackBerry data service and (b) letting the employee cover some or all of the data plan, is $35 per month. MDM costs range from $3 to $10 per month. Even if you add in some “soft costs” to run set up the BYOD program, the savings far outweighs the costs. It’s a no-brainer. From the security perspective, the risks can all be managed using the strategy I’ve described above.

21
Dec

Five Myths about Cloud Computing that will be Debunked in 2013

Written by Andrew Jaquith. Posted in Blog Post

Cloud migration and its associated benefits and challenges continue to inspire a great deal of debate in IT circles. There are many arguments for and against cloud adoption as a viable alternative to on-premise solutions. Some of these arguments are based on fact; others are based on perception, FUD (fear, uncertainty and doubt) factors, or myths. I recently contributed a list of five of the most common myths related to the cloud that are likely to be exposed in 2013 to Wired Innovation Insights.

1. Security issues will remain the biggest obstacle to cloud adoption

This is simply not true. What remains the biggest obstacle to cloud adoption is the idea that the cloud is not as secure as on-premise systems. In reality, the cloud has proven equally to more secure. It’s analogous to keeping your money safely in a bank versus keeping it home under your mattress. Everyone knows a bank is a better, safer option. But when it comes to data, we haven’t quite gotten there yet. It’s all about perception versus reality.

 2. The cloud is less reliable than on-premise

Despite FUD-provoking headlines, downtime of on-premise solutions continues to outpace the cloud. Cloud vendors commit to and generally meet a 99.9% uptime threshold as part of its SLA; a level of service that cannot be easily replicated by on-premise solutions. But outages do happen — things do go wrong. And when they do, what’s most important is transparency from the vendor — in ongoing, truthful communication and in action when downtime occurs. This transparency is absolutely critical in building trust between customer and provider. [Ed: see my 2013 Predictions post about why metrics will be important here.]

3. BYOD is a major drain on IT resources

There’s no doubt that Bring Your Own Device (BYOD) is the hottest thing in IT — and the revolution’s got countless IT departments scrambling to establish corporate policies to keep pace. But contrary to popular belief — and many panicky stories in the press — BYOD management can be much simpler and less resource-intensive than they’re made out to be — if done right. This means applying holistic, yet sensible management and security policies that are grounded in the law and enforced through technology.

4. All cloud services are the same

This may have been the case once upon a time, but today, nearly all cloud providers offer customized solutions to meet the specific needs of your business including high service level agreements, integration with existing business applications, private cloud options and specific, tailored contractual terms.

5. IT needs to make the case for cloud conversion

Relying on internal resources to make the case for cloud adoption is a losing proposition. It is cloud vendors — not IT departments — who are responsible for making the path to the cloud simple, safe and secure. 2013 is the year to start demanding more from your potential cloud providers , especially when it comes to convincing your executive team and board that it’s time to make the move.  Additionally, it’s your right to demand functionality, transparency, clarity and assurance around your provider’s data protection policies. In fact, this should be built into your contract — as well as the right to audit the provider’s practices.

For more predictions from Perimeter, take a look at my blog post unveiling five new predictions for 2013 and what they will mean for your organization.

21
Dec

Five Security Predictions for 2013

Written by Andrew Jaquith. Posted in Blog Post

From the desk of Perimeter E-Security CTO Andrew Jaquith: New -as-a-Service risks, the hot mess that is Android, why your password policy stinks, and two other sizzling security predictions.

In 2012, we saw increased worries about nation-state-sponsored cybercrime, mobile security, and the resurrection of an old tactic: the venerable denial-of-service attack. On the heels of our year in review post, in which we examined a number of topics that got and held our attention in 2012, last week we unveiled five new predictions for 2013.

Prediction 1: CISOs will wrestle with the risks of “as-a-Service” platforms

“The Cloud,” to many, has become a way of characterizing hosted applications and services that have had some “extras” added to them: elastic usage, geo-redundancy, instant-on, instant provisioning and by-the-drink pricing. Or to put it differently, ten years ago, when we talked about The Cloud, what we meant was a highly available application hosted by Somebody in a bunch of distributed Somewheres, the net effect of which was to create the effect of seamless availability; applications as a utility. Salesforce.com is the example par excellence of what The Cloud was to many observers just 10 years ago.

But as with every maturing technology, the cloud has split into three layers. At the top is what the cloud used to be: traditional web applications, such as Salesforce, and many cloud email vendors (including us!). At the bottom sit Infrastructure-as-a-Service (IaaS) vendors such as Amazon’s EC2 service that provides virtual machines for hosting your own servers; this category emerged five to seven years ago.

The cloud’s middle layer, Platform-as-a-Service (PaaS) is the newest to emerge, and by far the most vibrant and interesting. This layer includes application, storage and middleware services that customers can use without worrying about the underlying hardware. PaaS includes database-as-a-service vendors such as Cloudant and Platfora; Web framework cloud providers such as CloudBees, Google and Joyent; and mobile specialists such as Kinvey. More and more IT projects are moving to these types of vendors, and as a result, risk — and customer data — is moving out to these environments as well. Speaking as a weekend developer and observer of our own practices here at Perimeter, PaaS is by the most interesting area of IT today. It’s why the “Dev Ops” role, which has become the hottest job title for Internet-time companies, is also the hardest to fill.

Most CISOs have been insulated from, or have been willfully blind to, the adoption of PaaS by business units and internal development teams. It’s also safe to say that traditional risk auditors have no idea what to do with PaaS. But in 2013, we think that Platform as-a-Service will rocket to the top of CISOs’ list of concerns.

Prediction 2: Android’s security issues will force CISOs to take action

The numbers from Big Research are clear: the majority of email and Internet-capable devices sold today are smartphones and tablets, not traditional PCs. And the majority of smartphones are Android devices. Most are ActiveSync-capable and can access corporate email. It stands to reason that many employees will want to bring their Android devices to work.

Android has lots of problems, though. The first problem is that Android is highly fragmented. On the market today, one can find hundreds of devices from dozens of manufacturers running a dozen versions of the Android operating systems, and all with different security capabilities. Some have hardware-based encryption; most don’t. Customers have no guarantees what key security capabilities will be present, such as detailed password controls, encryption, app management or device restrictions. And then there’s the malware problem: without a centralized system for verifying application provenance, it is easy for malware writers to create and distribute malicious apps. In short, Android is a hot mess. We think that in 2013, increased malware, and limited corporate security and manageability features, will force CISOs to take drastic measures to deal with Android devices on their networks.

Prediction 3: Cloud application vendors will compete on metrics

If your CIO wants to move popular workloads to the cloud, such as customer care, email or Web hosting, you have many choices. But too often, the market for cloud services is an opaque one. Most cloud application vendors promise “availability” and “reliability,” but what does that mean? Actual, hard evidence is lacking. We’ve looked at the popular so-called “dashboards” that many cloud application vendors provide. Nearly all of them are terrible; most of the time, you see only crude checkboxes that say your service is up, or that it is down, or that it might be down. I call these types of displays “up, down, whoops” dashboards. Worse, you very rarely see time-series information about how services have been trending over time, and performance data (latency and throughput) is nearly always omitted. For customers that are seeking to justify their potentially career-limiting move to the cloud, this kind of opacity is no help at all. I can understand why opacity is the vendor’s default stance: publishing performance data gives customers more tools to measure against SLAs, and failure to meet SLAs costs the vendor money. But that’s a rotten deal for customers.

We think that in competitive markets, cloud vendors will find new ways to differentiate. Transparency is one area. We think cloud application vendors need to steal a leaf from developer platform vendor’s playbooks. For example, if you take a look at GitHub’s status page you can see a gorgeous chart with amazing detail, time-series analysis, commentary and performance data. It’s no secret why a developer-focused, Software-as-a-Service site might care a lot about their own performance: they are catering to people (developers, developers, developers!) who really, really care about performance too.

In short, in 2013 I predict that savvy cloud apps vendors will start treating their customers less like hostiles they need to hide things from, and more like audiences they must cater to. In 2013, expect to see “members-only” apps dashboards that offer far more than up/down/whoops.

Prediction 4: California will become the de facto privacy regulator

Data privacy is one of the CIO’s biggest challenges. Ten years ago (!), with SB 1386, California was the first state to adopt a data breach disclosure law that regulated personally identifying information. Forty-nine states have followed suit. The HITECH portion of the American Recovery and Reinvestment Act of 2009 (aka “The Obama Stimulus Bill”) did the same for protected health information, and it’s fair to say that 1386 served as a model for that, too.

In the last year, data privacy concerns have spread to the mobile realm. We wrote extensively about this topic in 2012. Now, with recent stories about the California Attorney General suing mobile app developers for failure to disclose mobile data collection policies, California is once again taking the lead in a new area of regulation. Indeed, we think that the scope of what is considered controlled information will spread to mobile user and location data.

That said, it would be foolish to wait for national regulation. Congress has bigger issues to think about (fiscal cliff, anyone?). In the absence of strong guidance from Washington, the government body that matters most is the state of California. As a result, we think CIOs at every U.S.-based B2C company will be forced to adopt the “high watermark” strategy for safeguarding customer data, using a “California first” strategy of establishing what that watermark should be.

Prediction 5: Your password policy will undergo a major overhaul

Every company’s information security policy starts with the need to have a “good” password. But passwords have been stuck in a time warp since the 1990s. Your policy probably looks like this: eight mixed-case letters and numbers, one special character and mandatory changes every 30 to 90 days. Why this formula? It is about the most complex password that employees can tolerate without clawing their eyes out in frustration.

But advances in password-cracking clusters mean that your decade-old password policy isn’t going to cut it for much longer. A 24-GPU cluster, for example, can break any conceivable Windows eight-character password in just a few hours. Many CISOs would conclude that logically, one can simply to require passwords to be  longer, for example 12 characters. This would be the easy choice, but it would also be the wrong one.

Here’s why. When faced with a mandate to create a longer (“stronger”) password, we can safely predict that employees will attempt to cope by composing the weakest password they can possibly remember and change on a regular basis, for example, an 11-character English word with a number tacked on the end. Then each month, our fully-compliant employee will simply increment the number upwards by one. Paradoxically, this has the unintended consequence of making their passwords less random and therefore easier to crack.

There is another way out. Faced with the paradox that the need for longer — but still frequently changed — passwords will inevitably lead to weaker ones, many companies will do instead what they should have been doing all along: require longer passwords (16 characters), but eliminating the need to change then regularly unless there is a suspected compromise. This promotes “muscle memory” because a password that does not change can be committed to memory, and becomes automatic. Some companies may also take the opportunity to get rid of passwords entirely, and replace them stronger authentication methods such as certificates.

Happy Holidays

So, that is the quick rundown of our predictions for 2013. I’ve barely scratched the surface in this post; you can find much more texture, depth, nice-looking slides, color commentary and (yes!) a few jokes in our webinar recording. If you would like to hear how these fearless predictions issues will affect your business in 2013 — and most important, what you can do about them — check out our on-demand webinar here: Five Security Predictions for 2013.

See you in the New Year!

04
Dec

The Year in Review: 2012

Written by Andrew Jaquith. Posted in Blog Post

Greetings,

As the song goes, It’s The Most Wonderful Time of the Year. It’s the time of the year we write out our holiday cards, buy presents, think kind thoughts of our friends and family, and wax nostalgic.

Security is a big enough deal that it, too, warrants reflection and (dare I say it), a little bit of nostalgia. It’s the gift that keeps on giving. In that spirit, let’s dig up some of the tastiest chestnuts from the preceding 11 months, and gently roast them where appropriate. Given my sense of humor it’s going to be, shall we say, a dry roasting.

Here’s what got our attention in 2012. As is customary and appropriate, we spent a lot of time worrying about malware. The cloud — with all of its opportunities and challenges — was the second most important topic on our minds, along with mobile security. As you might expect, given our customer base of over 1,800 banks and credit unions, we analyzed financial services topics in depth. A variety of other topics got our attention, notably October’s National Cyber-Security Awareness Month and Mac security.

Each of these topics take time to review. So, let’s get nostalgic.

Malware

In 2012, it was clear that malware continued to be a problem for many companies. Of all of the topics we wrote about in 2012, we wrote about malware the most. Malware concerns came in four categories: web malware, new attacks, legacy malware and administrator-targeting malware:

  • Web malware — because of the ubiquity and reach of ad networks, attackers have made it a priority to attempt to infiltrate and infect ad servers. My colleagues, analysts Evan Keizer and Grace Zeng, wrote extensively about a banner-add infection campaign that caused MLB.com to inadvertently serve malware. Unfortunately there are no easy fixes for banner infections; webmasters (and their colleagues in marketing) must be extremely vigilant.
  • New attacks — the Flame malware family, which some have called the most sophisticated malware ever discovered, was discovered by our friends in May at Kaspersky and widely covered. We thought it was notable enough to write about, too. Just to show that I don’t have a monopoly on bad puns, my colleague Rick Westmoreland asked, “Flame: Is it getting hot in here?
  • Legacy malware — we saw campaigns targeting old-school programs like Symantec’s venerable PCAnywhere. (If you are asking yourself, “do they still make that?” you aren’t alone.) Malware targeting Microsoft’s RDP protocol also spread rapidly; we felt it was dangerous enough to issue an advisory.
  • Administrator targeting malware — the most insidious malware campaign we saw in 2012 was one targeting Plesk, an administrative console for website operators. This was a little scarier than most campaigns because it obviously targeted people who have a high level of privileges already — your IT guy. This is the kind of thing that presages an industrial espionage campaign, a topic I covered at length in my webinar “The Hype and Reality of APTs,” something you should watch. (Ed: I am not joking. Really, go watch this; it deflates the APT hype balloon.)
In addition, we gently ribbed the anti-virus industry in an amusing post (Ed: to me, anyway) called “The Best and Worst Data-Driven Security Reports of 2011,” where I made fun of the silliness that comes with the periodic rash of AV “threat reports,” while celebrating the genuine good stuff, such as the Verizon Data Breach Investigations Report.

Cloud security

In 2012, Cloud security topics were right up there with malware in our consciousness. Call me crazy, but to me “the cloud” is a fancy name for hosted services mashed up with virtualization, and juiced up with instant-on provisioning and elastic usage billing. It’s a new — and welcome — twist on an old concept. Companies want to use the cloud in areas where it makes sense — for hosted email, productivity, and sales automation — but they want to do it only when they can be assured that their data is secure.

My colleague, Grace wrote about a key class of cloud risks: the security of servers in the cloud. She performed experiments where she placed 12 unprotected servers in the Amazon cloud and watched what happened. The headline: on average, your new cloud servers will start seeing scans, probes and potential attacks within an hour! Scary stuff — if you haven’t already, you should read these posts.

On the positive side, Perimeter created a series of video blog posts called the Cloud Owners’ Manual that took strong points of view on how companies should think about the cloud, and what they should be asking their vendors. Looking spiffy in a suit, I spoke on camera about key customer concerns about the cloud, and gave prescriptive guidance on the cloud in general, customer fees, data protection, data privacy, contractual terms, and contract termination. As an analogy, I compared cloud security requirements to car safety belts. Did you know that since the advent of car safety technology, based on US DOT official statistics, people now drive faster and have fewer accidents? It shows how safety gear is a precondition for faster, safer driving. To put it differently: confidence requires security. And by analogy: so it is with the cloud.

Mobile security

From iPhones to iPads to Galaxies, mobile devices continued to move to the top of IT security managers’ list of concerns. Beyond the sheer proliferation of devices, we observed four key trends:

  • Bring your own device. When I was an analyst at Forrester, my then-colleague Natalie Lambert coined the term BYOD and wrote quite a bit about it. That was four years ago. Now, it’s the hottest thing in IT. What do companies do about it? For our part, Perimeter answered the bell in September when we unveiled our Cloud MDM service in partnership with AirWatch. In the service, we included strong default policies and a unique BYOD Kit that provides prescriptive guidance for all of the areas employers need to worry about: data rights, support, confiscation, and many other topics. We think the right solution to BYOD is holistic, and encompasses the domains of policy, technology and law.
  • Developer ecosystem concerns. In September, developer Blue Toad had 12 million Apple unique identifiers (UDIDs) stolen. This shined a spotlight on a fragmented, shadowy part of IT: the thousands of smallish, contract mobile app developers, very few of whom are likely following mobile app security best practices. Watch for this topic to explode in 2013 as the Mobile Backend-as-a-Service (MBaaS) category heats up.
  • Data privacy. In the first quarter, we saw a controversy erupt over the Path app, which was uploading customer address book records to their servers unbeknownst to customers. I called Path an example of “nosy apps” and characterized data privacy as the “third rail of mobile.” These kinds of negative stories had an immediate impact on handset makers. Apple, for example, added significant opt-in controls to iOS6 that require customers to explicitly authorize app access to address books, photos, calendars, tasks, FaceBook account information and much more.
  • iOS has been a benefit to security. Speaking of Apple, did you know that iOS is now over 5 years old? In that time, customers have gotten used to the idea of vendor-controlled app marketplaces, digitally signed and trusted operating system runtimes, and locked-down devices. We have Apple to thank for popularizing the concept, building on the kinds of concepts RIM and Symbian had initiated. See my in-depth 5-year iOS security retrospective for details about why I think iOS is overall an huge net win for companies and consumers alike.

Financial services

Banks, credit unions, broker-dealers and other financial institutions continue to be a significant part of Perimeter’s customer base. We noted many, many threats to financial services customers in 2012. The rash of denial-of-service (DDoS) attacks in September prompted us to issue a critical advisory to our customers. We followed up on the DDoS story in October; my colleague Rick Westmoreland called it “the new reality” for financial services firms.

In July, we inaugurated our first-ever Financial Services Threat Report for the first half of 2012, which described the most important threat trends our customers were facing in the year to date. We will be doing more of these reports, and our second-half report will be coming out after year-end. To help our credit union customers, Andrew wrote a three-part series on credit union security topics.

Other

Beyond these four main themes, Perimeter noted several other trends. We weighed in on this newfangled concept called “cyber security,” which is what happens when government-type people get their hands on an otherwise perfectly acceptable phrase — that thing that most of us used to call “information security” — and dumb it down. I suppose cyber-security is, to paraphrase Deng Xiaoping, Security With Government Characteristics.

Whatever you choose to call it, we helped celebrate National Cyber-Security Awareness Month in October with four posts by my esteemed colleague Mr Mike Flouton:

Midway through the year, Perimeter E-Security CEO Tim Harvey and actor/entrepreneur/restauranteur Robert De Niro hosted an exclusive New York event for 75 select partners and customers. The event featured an inspiring talk by two active duty Navy SEALs about building a high-performance, elite team capable of executing the most difficult missions. Tim’s summary of the event is here — in which he describes the key ingredients for success. For the record, I spoke at the event as well, but let’s face it: De Niro and the two Navy SEALs were hard acts to follow. It was a great event, though!

Lastly, Perimeter wrote about those devices your executives and developers are probably now carrying: Macs. In October, we released a survey showing that Mac usage is up, and that security concerns are increasing. Earlier in the year, alerted customers to something rather rare but important: real-life Mac Trojan outbreak in the wild: the Flashback Trojan.

Wrapping up

As I noted at the top of this post, security is the gift that keeps on giving. That’s good and bad. It’s bad for the obvious reason because the threats, concerns and challenges that got our (and the industry’s) attention affect companies and their customers everywhere. If security were a solved problem, we wouldn’t need to spend the time, attention and effort that we do.

I choose to be positive, though. Security threats and challenges are also good things. They remind us that, as professionals, we need to keep upping our game. New business frontiers such as mobile cause us to expand our horizons, become more involved with our colleagues and take the longer view.

As we look ahead to 2013, we are thankful for the continued support of our customers, colleagues and families. We at Perimeter wish you, dear reader, all the best this holiday season.

09
Nov

Heard on the Street for the Week Ending November 2, 2012

Written by Andrew Jaquith. Posted in Blog Post

The Perimeter STAR Team holds its “Heard on the Street” call every week. On these calls, the team discusses hot security trends, current events and issues that our customers should be aware of. Below is a summary of the topics discussed this week, which we present as a service to our customers and to the public.

What we heard this week:

Hurricane Sandy left a trail of scams, fake charities and shady contractors in its path. Cybercriminals regularly incorporate natural disasters into their spam and fraud campaigns, and Hurricane Sandy was no exception. David Coffey, team member and VP of Engineering, recommends keeping an eye out for suspicious emails. Don’t be fooled by phishing scams, suspicious links or donation requests through untraceable methods of payment. The Internal Revenue Service and Better Business Bureau both issued warnings about fake charities and urged people to do their homework before making any donations. Additionally, the Huffington Post reports that up and down the East Coast, some people offering to help clean up the mess may actually be looking to “clean you out.” To report a fraud or scam, you can call the FBI and National Center for Disaster Fraud’s (NCDF) hotline: (866) 720-5721.

Ethiopian kids learned how to hack a tablet – with no instruction. David also mentioned an interesting story about a group of illiterate young children in Ethiopia who were given tablets through the One Laptop per Child (OLPC) program – a project helping to educate the 100 million first-graders with no access to school. Without any instruction, these children – all between the ages of four and eleven – learned how to use apps, play games and even hack the Android operating system on Motorola Xoom tablets, reports Wall Street Journal. Amazing stuff.

Thousands of WordPress sites were hacked. In other hacking news, team member and Security Analyst Evan Keiser spent some time last week tracking a SPAM campaign against WordPress sites. WordPress claimed the campaign was not caused by a vulnerability, but was instead the result of weak passwords. However, with more than 300,000 WordPress blogs affected in a two-week timeframe, some aren’t quite buying this story.

RIM’s woes continue. News of U.S. Customs moving 17,600 staffers from BlackBerries to iPhones has brought RIM’s troubles to the forefront once again. Do security features (or lack thereof) factor into the decisions of individuals and organizations flocking to iOS? Team member and VP of Product Marketing Mike Flouton explained that RIM has an excellent security track record, but if there has been any acknowledgement that the switch comes with security and compliance trade-offs, these sacrifices have been outweighed by the pull of the iPhone in corporations, and to a lesser extent, Android.

The South Carolina Department of Revenue security breach could result in widespread identity theft. An anonymous hacker has accessed 3.6 million South Carolina tax returns. Essentially, every state resident’s name and SSN was obtained. But remember that there are two kinds of identity theft: cyber identity theft, which generally involves obtaining someone’s login credentials and wreaking virtual havoc, and offline (or “origination”) identity theft, which comprises 2/3 of the  identity theft reported to the FTC and has nothing to do with computers per se. Origination theft means piecing together enough personal information to obtain fake mortgages or credit lines, for example. It’s safe to say some South Carolina residents will be dealing with both kinds of fraud in the near future.

Perimeter partners with Columbia University on new security research project. Grace Zeng, Team Member, Research Analyst and Software Engineer, shared early details of an exciting new project Perimeter has begun in partnership with Columbia University. By sampling Web traffic from a variety of anonymous sources, the research team will identify patterns and information on mass hacking attempts on a number of popular platforms. Grace is just getting started on this initiative, but she looks forward to discovering new insights that will help us proactively protect our customers. Stay tuned for more soon.

That’s it for this week. Stay safe out there.

19
Oct

Heard on the Street for the Week Ending October 12, 2012

Written by Andrew Jaquith. Posted in Blog Post

The Perimeter STAR Team holds its “Heard on the Street” call every week. On these calls, the team discusses hot security trends, current events and issues that our customers should be aware of. Below is a summary of the topics discussed this week, which we present as a service to our customers and to the public.

What we heard this week:

The cloud can reduce the cost and complexity of email for credit unions – but not at the expense of  data security. On October 10, Perimeter CTO Andrew Jaquith presented a webinar “Email Security & Credit Unions: Migrating to Exchange 2010 Securely,” outlining four things every credit union needs to know about a safe and secure migration to Exchange 2012. Andrew shared his high-level recommendations with the team.

Cyber-criminals are mounting denial-of-service (DOS) attacks against major U.S. banks. Team member and security analyst Richard Westmoreland presented highlights of a New York Times article that described how data centers around the world have been infected with a sophisticated form of malware. This has enabled “amateur hackers” to wreak havoc on some of the nation’s largest banks, including Wells Fargo, U.S. Bank and PNC. Typically, DOS attacks are deployed through an application or botnet, but by infecting data servers first, attackers were given “the “horsepower and commercial grade capabilities to affect a massive attack.” The group Izz ad-Din al-Qassam Cyber Fighters took credit for these attacks, which have caused Internet outages and delays in online banking. In the wake of these incidents, we urge our financial institution customers to take all necessary steps to safeguard machines and follow security best practices. If you haven’t already, we encourage you to check out Perimeter’s own E-Security 1H 2012 Financial Institution Threat Report.

More than 60 percent of companies are concerned about laptop users’ security on WiFi networks. Team member and director of product marketing Jason Wong shared findings of a new Perimeter survey that examines the growing importance of security for both Mac and Windows users, especially when roaming off the corporate network. Check back soon for more details on the survey here on our blog.

Perimeter’s Cloud MDM is getting good reception with customers. Cloud MDM provides mobile device and application management, prescriptive policy guidance, compliance reporting and features a unique Bring-Your-Own-Device (BYOD) kit.  Andrew shared details how customers have reacted to demos of Cloud MDM service. Since unveiling the service two weeks ago, we’ve received an overwhelmingly positive response. The press has been positive too; read what Stefanie Hoffman of Channelnomics has to say about Cloud MDM here.

Does your grandson need money? It might be a scam. VP of Operations Jeremy Miller relayed snippets of a frantic phone conversation between him and his grandfather this week. When the phone rang Wednesday morning at the home of Jeremy’s grandfather, the caller identified himself as, well, Jeremy. “Jeremy” proceeded to tell his grandfather he had gotten into a boatload of trouble, was now sitting in jail and needed thousands of dollars for bail. Thankfully, Grandpa knew better and hung up on the caller. The scam – known as the “Grandparent Scam” – is gaining stream in today’s social media era. Con artists simply pull phone numbers and names of family members off of popular social channels, then dial away. This incident should serve as a reminder to our customers that low-tech methods of theft are still quite common, and that vigilance is important. Give your loved ones a call and make sure they don’t fall victim to this scam or others like it.

That’s it for this week. Stay safe out there.

01
Oct

The Cloud: The Great Equalizer for Small Businesses

Written by Andrew Jaquith. Posted in Blog Post

Small businesses often find themselves competing with larger companies. Fortunately, the cloud is making it easier for them to do so. The cloud gives small businesses the computing assets they need to focus on their customers rather than be distracted by IT.

To put this differently: most people wouldn’t try to do their own electrical work or plumbing; they would, instead, hire a professional contractor to do it safely and correctly. The same is true in the IT realm. Often, the manager of a small business is also the IT guy, the mailman, the plumber, and the garbage man. We view the cloud as like a specialized contractor brought in to manage technologies outside the scope of your normal business. If you are a small business, it just makes sense.

In the video I contributed to Partner Company IBM’s Ecosystem Channel, I explain how the cloud has become the great equalizer for small business.

http://www.youtube.com/watch?v=76s_KsLt4As&list=UUfhRKi-H5mfVdqQOixoi2RA&index=0&feature=plcp
Our partner IBM highlighted this point in a recent press release showing how their work with Managed Services Providers (MSPs) like Perimeter helps deliver industry-leading cloud solutions. And in May, in a blog post titled ‘The Consumer Effect: Increased Confidence in the Cloud,’ I and Andy Monshaw, General Manager of IBM Midmarket Business, described how cloud applications have become so common and convenient that we are beginning to take them for granted. For small and medium businesses (SMBs), the cloud levels the playing field, while saving them time and money.

At Perimeter, we give small businesses the ability to move essential services such as email to the cloud, managed by experts, using today’s most advanced technology, and in a highly secure manner — and at a fraction of the cost of doing it themselves. That’s quite an equalizer.

13
Sep

Five BYOD Traps to Avoid

Written by Andrew Jaquith. Posted in Blog Post

There’s no stopping the move to mobile. Gartner expects that by 2015, PCs will account for only 28 percent of Internet-capable devices sold. With this surge in post-PC tablets and smartphones (mostly made by consumer behemoths such as Apple, Google and Samsung), employees are increasingly demanding to use their personal mobile devices to access company information, such as email.

Forrester Research estimates that 65 percent of enterprise employees are already using personal devices for work purposes. Many CFOs are looking to cut BlackBerry contracts and telecom expenses from their budgets by letting their employees foot some (or all) of the monthly bill. This phenomenon is generally referred to as bring-your-own-device, or BYOD for short. For a company with 500 employees, we estimate that cost savings associated with BYOD could add up to $300,000 or more annually.  BYOD is even catching on in the financial services industry, which has traditionally been extremely conservative and security-conscious. We estimate that 50 percent of Perimeter’s banking and credit union customers are currently considering rolling out BYOD programs.

Despite the growing interest in BYOD, it is a phenomenon many IT departments continue to wrestle with. Countless press articles spread fear, uncertainty, and doubt (FUD) about the terrors of BYOD, which doesn’t help CIOs figure out what to actually do. In fact, if I had a nickel for every article on the topic, I’d be rich – but no closer to actually solving the problem.

What these articles don’t tell you is that BYOD doesn’t have to be complicated. The trick to managing successful BYOD programs is to set clear ground rules, create sensible security policies, devise a strategy for navigating the privacy minefield – and know what common traps to avoid, including:

  1. Not having a BYOD policy: Without a formal BYOD policy in place, organizations are unclear about what devices are allowed on the network, and left with an ambiguous set of rights regarding what protections they can reasonably assert over employee-owned devices. What is the company’s responsibility to secure an employee-owned device, or to wipe it if it’s lost or stolen? Who is responsible for repair when the device is broken? Who pays the bill? Without a policy in place, companies will likely act inconsistently on BYOD matters, frustrating everyone from the executive level down to entry-level employees. Even worse, these inconsistent actions could be used against the organization in court.
  2. Over-collecting personal data: If an organization has decided to allow employees to use personal devices for work, it may be tempting to use MDM products to track calls, data usage, browsing habits, device locations, inventory applications and so on. Where this may be reasonable in the world of PCs and company-issued devices — where absolute control over devices is assumed and assured — BYOD is a different story. If employees have to pay for their own devices, they won’t be happy about employers controlling the way they are used and monitoring all of their activities. It cross the Creepy Line. More to the point, it’s not always legal, and aggressive data collection practices usually have unintended side-effects. Many of the data-collection features in MDM will rapidly drain device batteries, which make these policies even less practical.
  3. Treating all devices the same: All devices are not created equal. BlackBerry and Apple iOS are both fairly secure and highly manageable. Android, by contrast, has only a limited number of native security features that can be managed by MDM products or Google Apps. Android is also not a monolith; it is a fragmented ecosystem of many vendors and countless devices – each with its own security capabilities. That makes it hard to know what devices to allow or disallow, and what policies you might need. For example, ask yourself this question: which Android phones support hardware-based encryption? Where would do you go to find out? Because not all mobile OSes aren’t created equal, you can’t treat them all the same. Less secure platforms — I’m looking at you, Mr Google — may need to be retrofitted with additional security software.
  4. Control freakery: Personal devices are just that — personal. Avoid laying down a blanket prohibition on using personal devices for personal activities during work. While it’s generally recognized that employees should keep personal activity to a minimum, it is sometimes unavoidable. Attempts to control personal devices can cause resentment. Requiring a 12-character complex password that must be changed every 30 days was generally acceptable on PCs, but expecting employees to do this on their own mobile devices is far too aggressive. If BYOD policies are too strict, you will be forced to make exceptions, and inconsistency is never a good thing.
  5. Relying on ActiveSync: ActiveSync enables non-BlackBerry devices to access email, calendars, tasks and address lists, and has the ability to implement a handful of security policies. Though these policies can be useful, they are not nearly enough. ActiveSync is implemented inconsistently across different platforms, forcing companies to go a least-common-denominator policy. ActiveSync also doesn’t do much to limit enrollments. Typically, when an organization allows an employee to use ActiveSync to connect to email, the employee is able to register as many devices as her or she likes. That’s not good. Furthermore, ActiveSync doesn’t allow the partial wipes of a device. Instead, when a device is wiped, the whole device is erased. If the device contains something personal photos or music, wiping it could be deeply upsetting. In fact, fear of capricious wipes creates a perverse incentive to not report security issues.

The bottom line: BYOD introduces new risks and operational burdens associated with employee-owned devices in the workplace. But by avoiding these common traps, while applying sensible management and security policies that are grounded in the law and enforced through technology, BYOD programs can be safe, secure and legal.

Interested in learning more? I encourage you to check out my on-demand webinar – The 5 Best and Worst Bring-Your-Own-Device Mobile Policies.