Come Join the Discussion

Add your comments to any of these postings or comments

Monday, February 20, 2012

Portable Device Security

Theft of tablets, laptops, smart phones, and other portable devices is on the rise. Originally stolen for their street value, these devices are becoming more and more a target for the information they carry. As these devices become smaller and lighter, they become more vulnerable to theft.

Common high risk areas of concern continue to be:

• airport security checkpoints
• airport curbsides, ticket counters, and gates
• airplane overhead compartments
• hotel rooms, and
• inside cars.

Losing a laptop is not just the loss of money: it is a significant loss in productivity and resources, especially if the data contained on it is not backed up. Even more serious is the loss of potentially sensitive information.

Basic common sense steps can be taken to help protect these now ubiquitous targets.
• Do not check your laptop with the rest of your baggage. It may become damaged, lost, or stolen.
• Keep your laptop in sight. When going through security checkpoints, do not place your laptop on the belt until the checkpoint is clear for you to walk through. Be especially careful when using the restroom or making a phone call. It takes a thief only a moment to walk off with your belongings. On the plane, if not using the laptop, stow it under the seat in front of you, not in an overhead compartment.
• Do not rest your laptop on top of a rolling luggage carrier.
• Keep your laptop with you on a train instead of putting it in the luggage compartment near the exit, where thieves have easy access.
• Don't leave your laptop or briefcase inside a car. If you must, store it inside the trunk, out of view.
• Never leave your laptop unsecured in a hotel. Use the hotel safe or a locking cable, or hide the laptop. Do not assume that your laptop is safe just because you are staying in a reputable hotel. Consider leaving the TV on at a moderate volume and placing a "Do Not Disturb" sign on the door when leaving the room so potential thieves will think the room is occupied.
• Avoid temperature extremes. To avoid damaging your laptop and data, don't start the computer when it is extremely cold or warm. Manufacturers recommend ambient temperatures of 45-95 degrees Fahrenheit. Allow your laptop to come to room temperature before powering it on.
Protecting the Information
• Ensure current antivirus protection. Connecting from a hotel or other travel site puts you outside the protection provided by the County's firewall, so be sure your laptop's virus definitions are up-to-date before traveling. Virus definitions are normally automatically updated on PCs managed by the company, when connected to the Internet.
• Never store a password on the computer or in the computer bag. A stolen laptop with a stored password provides easy entry to a company’s network.

A Strategic Approach to Vulnerabilities at the Application Layer

Most organizations spend large amounts of time and money to protect their networks and infrastructure from attacks and threats. But, no matter how good a defense may be, it usually falls short in addressing security vulnerabilities inside the network at the application layer.

A number of research findings indicate that organizations' applications are one of the highest-risk areas and where the most damage can be done. As example, look at the amount of confidential and personal information that is stolen each year.

In sharp contrast with ISO/IEC 9126 - Software Quality Standard, all current software development methodologies (agile, waterfall, MSF, and others) hardly mention the word security. In fact, the use of these methodologies has not resulted in a measurable reduction of security related defects, which is evident by the fact that CERT tracking of security attacks continue to grow.

With exceptions, most companies' applications can be targeted, from the outside and from within, with a multitude of attack methodologies, including SQL injection, Cross Site Scripting (XSS) and Cross Site request Forgery (CSRF) vulnerabilities, which can be used to perpetrate various scams, purportedly compromising vast amounts of sensitive and personal information.

Companies need to embark on a "Security Development Lifecycle" (SDL) for all custom application development. One of the needs to support this type of methodology and fulfill this security process is an application security management solution that can test, correlate and manage application security vulnerabilities. The first component is a static scanner that is used with application development that scans source code, alerting development management and developers of security problems within that code as it's being developed. The second component is a dynamic scanner that scans newly developed applications in a staging environment, as well as applications currently in production, to detect security vulnerabilities so they can be quickly addressed by Application Development or, in the case of COTS applications, by the vendor. The third component is an application vulnerability correlation and management application that correlates information gathered by static and dynamic application scanners, network scanners, eliminates false positives and duplicates, and allows escalation of issues to the responsible team based on the vulnerability found (application development or sys admin).

A full and thoughtful approach is necessary to ensure protection of companies' most important assets, their information.