Category Archives: User awareness & education

Data Leakage via Cloud Services

What do cloud-based backup services such as Evernote, Dropbox and SpiderOak all have in common?  In one form or another they all give us the ability to store our digital assets, such as photos, documents, music files, or virtually anything else that is digital, centrally on their cloud servers, and to access them from anywhere in the world.  That is a very attractive proposition, since for many of us it simplifies the storage and retrieval of our digital assets: just drop it in the cloud and retrieve it whenever you need it.  For personal use I think these services offer great convenience, letting us store our files and access them anytime from anywhere.  With proper security precautions, using them shouldn’t be a problem.

In enterprise networks, there should be a careful study of why these services are needed, who should have access to them, and what information is or is not allowed to be posted to them.  With the proliferation of these cloud services, their usage becomes a real concern because of the opportunity it presents for sensitive corporate data to leave the corporate boundary.  For this reason I think it should be an important topic, clearly visible on the radar of IT security departments.

Most of these services use either HTTP or HTTPS to send and synchronize data between the client and their servers.  Hence, it is very difficult for the IT controls most organizations have in place to detect malicious users leaking important data through these channels.  Unless stringent information security policies, coupled with technological controls such as NAC, DLP and web filtering, are in place, these channels will fast become the preferred channels for data to leave the boundaries of an organization.
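One place a web filtering or DLP control can still get traction is the proxy log: even when the content is hidden inside HTTPS, the proxy sees the destination host and the byte counts.  The script below is an added example, not code from the original post; it parses a few constructed proxy log lines in an assumed format (timestamp, user, method, URL or host:port, status, bytes sent by the client), sums the bytes each user sent to a watch list of cloud-storage domains (the three services named above are assumed to be the ones worth watching), and flags users above a threshold.  The domain list, log format and 10 MiB threshold are all assumptions to adapt to your environment.

```python
"""Flag users sending large volumes of data to cloud-storage services.

Added example; the log format, domain list and threshold are assumptions,
not something the original post specifies.
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample proxy log lines. Assumed format (one request per line):
#   <timestamp> <user> <method> <url-or-host:port> <status> <bytes-from-client>
SAMPLE_LOG = """\
2011-09-12T08:01:02 alice CONNECT dl.dropbox.com:443 200 52428800
2011-09-12T08:03:10 bob GET http://www.example.com/index.html 200 1200
2011-09-12T08:05:44 alice POST http://upload.evernote.com/note 200 2048000
2011-09-12T08:07:00 carol CONNECT spideroak.com:443 200 4096
2011-09-12T08:09:30 bob POST http://intranet.example.local/report 200 9000000
2011-09-12T08:11:15 dave PUT http://dropbox.com.attacker.example/x 200 700000
"""

# Watch list of cloud-storage services (assumed; extend for your environment).
CLOUD_STORAGE_DOMAINS = ("dropbox.com", "evernote.com", "spideroak.com")

# Methods that carry data from the client outwards. CONNECT is an HTTPS tunnel:
# the proxy sees only the destination host, never the content, so every byte
# through it is counted as a potential upload.
UPLOAD_METHODS = {"POST", "PUT", "CONNECT"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<target>\S+) "
    r"(?P<status>\d{3}) (?P<bytes_out>\d+)$"
)


def target_host(method, target):
    """Return the destination hostname for a log entry.

    CONNECT lines carry host:port; other lines carry a full URL.
    """
    if method == "CONNECT":
        return target.rsplit(":", 1)[0].lower()
    return (urlparse(target).hostname or "").lower()


def is_cloud_storage(host):
    """True if host is one of the watched domains or a subdomain of one.

    Suffix matching requires the leading dot, so a look-alike such as
    'dropbox.com.attacker.example' does not match 'dropbox.com'.
    """
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def parse_log(text):
    """Parse log text into a list of dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["bytes_out"] = int(rec["bytes_out"])
        rec["host"] = target_host(rec["method"], rec["target"])
        records.append(rec)
    return records


def upload_bytes_per_user(records):
    """Sum bytes sent by each user to watched cloud-storage hosts."""
    totals = defaultdict(int)
    for rec in records:
        if rec["method"] in UPLOAD_METHODS and is_cloud_storage(rec["host"]):
            totals[rec["user"]] += rec["bytes_out"]
    return dict(totals)


def flag_users(totals, threshold_bytes):
    """Return (user, bytes) pairs above the threshold, largest first."""
    over = [(u, b) for u, b in totals.items() if b > threshold_bytes]
    return sorted(over, key=lambda ub: (-ub[1], ub[0]))


if __name__ == "__main__":
    totals = upload_bytes_per_user(parse_log(SAMPLE_LOG))
    for user, nbytes in flag_users(totals, threshold_bytes=10 * 1024 * 1024):
        print(f"{user}: {nbytes / (1024 * 1024):.1f} MiB to cloud-storage services")
```

On the constructed sample, only alice is flagged: her tunnel to dl.dropbox.com plus the Evernote upload exceed 10 MiB, while bob's large POST goes to an internal host and dave's look-alike domain is correctly ignored.  The CONNECT case is the important one: with HTTPS the proxy cannot tell an upload from a download, which is exactly why volume-per-destination is about the only signal a plain web filter has, and why DLP has to be applied before the data is encrypted (on the endpoint or via TLS inspection).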

Survey shows users still unaware of online threats

A survey released by G-Data Security titled “Security Survey 200 – How do users assess threats on the internet” shows that users are misinformed about the types of threats that exist online and about the kind of protection required to mitigate the risks those threats pose.

As I blogged yesterday, this survey just reinforces that user education should be a paramount objective in any security program, since end-users are now the prime target of hackers as opposed to the well-protected server network.

2011 – The year of breaches

If you are in the information security industry these days, the events of this year show that the battle against the bad guys is becoming ever harder to win.  Security incidents at big security product and service vendors, at huge multinational companies and at government agencies throughout the world show we are still very far from achieving the ideal security within our organizations.  The question that poses itself is how these incidents can be so frequent while we have so many cutting-edge technologies available to detect and prevent them.  Technologies such as IDS/IPS, SIEM, WAF, DLP, EPS and many others that the security industry has produced are capable of at least detecting sophisticated attacks, the ones termed advanced persistent threats.   So why are we still seeing huge data leaks and compromises at prestigious companies and military organizations left and right?

Back to the basics

In my own little opinion, the answer is that although we have made great strides on the technology side, we are still lacking a lot on the people and process sides.  I think we need to go back to the age-old Security = People + Process + Technology formula.  Security cannot be achieved by relying solely on technology or by thinking it is the sole responsibility of IT departments.  If we go back and analyze most of the breaches of 2011, we see a trend of targeted attacks against end users via social engineering.    I think people are the weakest link in this game and need to be educated, or at least made aware, of the importance of security in their day-to-day activity: not opening suspicious emails, for example, as was the case with the RSA employee.  We need to invest heavily in user education and awareness and create the appropriate processes to control our information resources.

In order to do that, information security efforts need to be properly governed at the highest level of an organization to produce a meaningful security program that protects information assets.  I was amazed to hear that a company as big as Sony did not have the position of CIO or CSO.  It shows that proper governance of security was not part of Sony.  Yet I believe Sony is not the only company in this situation, and most likely the majority of organizations are still of the mindset that security belongs to IT.

Unfortunately, until companies and organizations wake up, as Sony did, and realize that security needs to be governed at the highest levels, we are going to hear of more and more of these breaches in the future.