I strongly recommend to my mobile enterprise clients to block and automatically unenroll detected jailbroken devices for the simple reason that jailbroken devices have vastly more malware than non-jailbroken devices.

Additionally, managing a jailbreak/custom ROM installation is likely to be very help desk intensive, particularly in a distributed environment where IT does not get to stage each device but would rely on users in the field to install.  Those of you who have jailbroken a device can testify that it can be tricky for the average user, and if you lost power or connectivity during the jailbreak you can probably testify that it bricked the device.  Now imagine 10,000 Joe users doing this in the field.

Finally, consider this approach in a BYOD environment.  At separation for example, when a device is unenrolled, how do you restore the soon-to-be-ex-employee’s device to its original state?  This could be a management nightmare.

www.cybersecurityinformation.com

The pressure for IT departments to integration smart mobile devices into the enterprise are rising rapidly.  Unfortunately so are the risks.  There are some significant concerns that IT departments wrestling with this issue need to be aware of when embarking on a smart mobile device initiative.  Additionally, Legal and HR management need to understand what smart mobile devices in the environment mean to them.  The presentation discussing the mobile device environment, risks and concerns with iOS and Android, two primary architectures for MDM, and some non-technical issues and concerns to be aware of.   The presentation can be downloaded here: Mobile Device Management Presentation v1.2.pptx.

The largely accepted view and standard is that the protection of information assets is a technology function and hence in many organizations all “controls” are within the area of Information Technology.

While technology is an important aspect of any information security program strategy, it is at best only one of three legs of the footstool. Many information compromises start with threats that arise from weak procedures, and may include intentional or unintentional human acts.

Social engineering is the act of obtaining confidential information through the “art of deception”.  Most people have heard of or experienced phishing attacks through email.  The email entices the recipient to visit a website that downloads malicious software to the user PC or tricks the individual into providing sensitive information such as login credentials to business or personal accounts.

Vishing attacks, which are social engineering exploits delivered by phone, are frequently launched against customer service departments, help desks, and other business functions within corporations.  With caller identification easily spoofed and displaying the desired inbound number on the recipient’s display, the attacker poses as someone they are not in attempt to extract sensitive information.    The goal of the attacker may be to gain access to the company’s infrastructure, bank accounts, personal and private information or a variety of other reasons.  It is hard to image how technology can prevent such attacks if the employee is unaware and untrained.

Organizations that fail to look at risk to their information assets from a global perspective by analyzing business processes, identifying potential exposures, and determining the necessary controls to protect their information assets run a high risk of repeat and long-term compromise by both insiders and external attackers.

A well-balanced plan integrates risk management principles and focuses on a blend of preventative, detective and response measures across people, process and technology.   Establishing a plan starts with awareness at the business leadership level, analysis of the threats, and the development robust business-centric mitigation strategies.    While all compromises cannot be prevented, an organization that prepares will detect malicious activity sooner, limit exposure, protect its brand, and recover in a precise preplanned manner

Reputation Communications June 2010 Newsletter

“Organized crime, foreign government sponsored espionage, and employees with a growing sense of entitlement are all part of the growing menace that companies must recognize and address”, said Mr. Schmidt.  ”In order to begin to move forward organizations must start with the engagement of their governance and executive management teams.  Risk management principles must apply beyond the standard technology purview”.

The event was well attended by ASIS security professionals and a larger variety of vendors.  The event was the ASIS NYC 20th annual event.

The attacks, which originated in Europe and China, targeted major corporations and government agencies including pharmaceutical giants Merck & Co. and Cardinal Health.  The operation has affected some 75,000 computers in 196 countries.

Now is the time to examine your company’s business practices to make sure that your critical data and intellectual property are safe from complex electronic and socially initiated thefts.  Lapses in appropriate security measures can expose your company to major financial losses, both from theft and from civil lawsuits filed on behalf of clients or customers affected by the breach.

To protect your company and your shareholders from such losses or litigation, your company’s security practices must be up to date and in compliance with state and federal regulations.  Your IT security practices should also be part of your overall corporate governance, led by your general counsel so that this information is protected by attorney client privilege.

Information Defense Corporation and Interfor Inc. a leading global due diligence and investigations firm are partnered to offer our clients unique and comprehensive security solutions.  From physical security, asset recovery and crisis management to risk based and technical assessments of electronic assets and controls, the team is positioned to work with your company’s legal and combined security personnel to keep your assets, personnel, intellectual property and trade secrets safe or to help restore the integrity of your operations with incident response and forensics and other measures following a security breach.

For more information on the services offered by our team effort please use our contact pages here:  Contact Us

Three critical reasons why include:

(1) the CIO can neither create nor maintain the attorney client privilege without general counsel’s direction of the corporation’s cybersecurity efforts;

(2) for the same reasons, general counsel, not the CIO, is responsible for corporate governance at large, and cyber security is first and foremost a corporate governance issue; and

(3) the role of interpreting and directing action to meet federal and state compliance statutes, covering a wide variety of legal mandates from privacy, to identity theft, to notifications requires legal counsel to direct actions that protect corporate interests and meet the legal obligations.

The consequences of information compromises present business issues that require legal planning and action to mitigate the risks to the corporation and its shareholders.

Now is the time to be proactive and lay the groundwork to protect legal interests, promote strong corporate governance, and reduce the potential of legal missteps, significant litigation and other actions arising from information compromise.

Please contact us to learn more about our comprehensive solutions that will appropriately position your organization to address the growing business risks created by information compromise.

The attack also targeted two other entities, at least one of which is a government agency.  The attack was discovered over the summer, but could have taken place as much as a year earlier.  The case is being investigated by the FBI with assistance from the NSA, the Department of Homeland Security and Citigroup which is partially owned by the US Government.

Citigroup denies that the hack took place and there has been no comment from any government agency, but the report further details that the hack was discovered when officials noticed suspicious internet traffic coming from email addresses known to be owned by the Russian Business Network, a gang that has sold software used to access US government systems.  The gang had been silent for two years, but is suspected in other recent attacks.

Beyond the stolen money, a major concern is that the hackers could destroy information, wreaking havoc on the banking system or that once they have infiltrated one bank that they could use that access to get into other banks.

This further illustrates the point that I was making in the previous article that cyber terrorism is a very real threat and that our banking, communications, government and military systems are currently under assault from gangs and even the governments of other countries.

Protecting these systems must be a priority, and the efforts to do so must be coordinated, not a variety of independent efforts directed my multiple agencies.

By Juval Aviv, President & CEO of Interfor Inc, Strategic Partner of Info Defense