Subscribe to RSS - business continuity

business continuity

Mobility without compromising security: Best practices for securing enterprise mobile devices

Thursday, May 26, 2011

by Hongwen Zhang, president and CEO of Wedge Networks

The continued growth of mobile device use within the enterprise has created an abundance of management and control issues for IT and security departments alike. The need to protect information that is accessed and/or stored on these devices has become a priority as today’s next-generation mobile devices are fast becoming as sophisticated as computers; yet the security for these devices is lacking, due to the intrinsic constraints imposed by battery life, portability, and economics of connectivity. For example, a mobile laptop could become infected while in a WiFi or 3G mobile network, before its anti-virus software signature is updated.

Industry analysts are reporting that half of the devices connected to corporate networks will be mobile by 2015 and in recent years malware targeting mobile phones specifically has grown exponentially. According to a 2011 report, Google had to remove more than 50 malware-infested applications for Android devices from its marketplace.

The abundance of business applications on mobile devices increases the risk of data loss and malicious attacks. Poorly designed applications are also exposing private and corporate identity information and additionally, because many of these devices belong to employees, enterprise data and applications have a tendency to become integrated, thereby exposing content.

In many instances, employees download applications, as opposed to IT provisioning devices and accessible platforms and applications, which opens the door to malicious attacks both on and from mobile devices.

One example, the Zeus Botnet, uses SMS messages to break into users’ bank accounts. The thief hijacks both user name and password from the infected phone, and uses the information to access the victim’s bank account. Another Android mobile operating system attack, allowed users’ private information to be transferred to a remote site. Not to mention, “jail broken” iPhones and iPads immediately lose 70 percent of their security features.

There are some steps that enterprise organizations can take to address the vulnerabilities associated with mobile computing, including the following:

1. Protect Web and Social Media Data – Implement full content scanning and inspection across all network protocols. Include protection against third-party services or applications and Web-based services such as Gmail, Facebook and YouTube.

2. Secure Endpoints-before it’s too late: Eliminate malicious attacks before they reach mobile devices. Protect all endpoints including mobile devices, to ensure that network traffic is free of malware, spam and unacceptable URLs. Firewalls, and traditional intrusion detection systems (IDSs) provide only limited protection, and often slow down the enterprise network. Look into emerging technologies that provide accurate, high-performance threat detection, complete visibility of what is transmitted through the network and the ability to stop the transmission of malware in real-time.

3. Ensure Security, Anytime, Anywhere – Employees roaming outside of an enterprise’s protection perimeters can have their traffic routed through malware scanners to ensure the safe usage of mobile data and applications. Consistent enforcement of IT security policies and optimization of Web resources provides all staff with safe mobile usage across distributed enterprises while reducing time required for IT departments to spend on management and control issues.

4. Get Real-Time Visibility – There are great benefits when network traffic can be looked at across all layers including the application layer, enabling visibility into the actual intent of the traffic. If this reconstruction and comprehension can be done in real-time, real-time security policies can then be applied to the traffic. This kind of deep content inspection can provide visibility, comprehension, manageability and real-time action for the information.

Knowing that all of the necessary security protections are in place provides organizations with the guarantee that mission critical data on mobile devices will remain safe, and systems protected against the spread of malware.

Dr. Hongwen Zhang is president and CEO of Wedge Networks, an innovative provider of remediation-based Deep Content Inspection for high-performance, network-based Web security. He holds a PhD in Computer Science from the University of Calgary. With more than two decades of high tech leadership experience, Zhang is a co-inventor and holder of several patents in the area of computing and networking.

Former FEMA officer weighs in on business continuity after devastating tornadoes


WASHINGTON—The dozens of tornadoes that ripped through the South last week left 340 people dead and hundreds still unaccounted for, according to the latest reports from the Associated Press. As one of the worst natural disasters to hit the region since Hurricane Katrina in 2005, people and businesses are scrambling to recover from the incredible devastation. But is it even possible for businesses and its employees to prepare for devastation of this scale?

How Ernst & Young changed its emergency plans after Sept. 11


NEW YORK—In 2010, Ernst & Young, a professional services firm, was ranked by Forbes magazine as the ninth largest private company in the United States. It has member firms in more than 140 countries and employs more than 144,000 people worldwide.

Earthquake, tsunami and nuclear threats spur business contingency plans into action


YARMOUTH, Maine—Events in Japan continue to unfold after a catastrophic earthquake, which was recently upgraded to a magnitude 9.0, followed by a devastating tsunami on March 11.

Conviction of transit officer leads to riots

Friday, July 9, 2010

There were riots in the streets of Oakland, Calif. last night following an involuntary manslaughter conviction of a white Bay Area Rapid Transit police officer for shooting a 22-year-old unarmed black man on January 1, 2009.

That sentence carries a maximum four-year sentence.

But some in Oakland expected a tougher penalty for the former police officer, and took to the streets in protest, reported CNN.

Oakland Police Chief Anthony Batts said the high point of the protests there were about 800 people in the streets, which lead to the arrests of 50 people.

The shooting was captured on a bystander's cell-phone video camera:

At his trial, the officer claimed that he intended to draw and fire his Taser rather than his gun. But I wonder: How does a legally sworn officer make that kind of mistake? I'm not an expert on guns or Tasers, but it's my understanding that they're held and fired quite differently. It's apparent from the video that this situation was getting out of hand and there was a lot of chaos, so maybe the officer just lost his head? But I wonder too if this is any indication that these officers aren't properly trained?

Especially after watching the video, it seems like inexperience and chaos likely contributed to this outcome. There's a moment in the video, right after the shot is heard (around the 1:25 mark), when the officers seem completely stunned, especially the officer with the gun. It seems like they don't know what to do with the body or how they should deal with the situation.

Of course, it's still murder, regardless of whether he meant to do it or not. The officer will be sentenced August 6, and it'll be interesting to see how many years he gets and what the public's reaction will be.

DHS adopts ASIS standard for emergency preparedness


WASHINGTON—On June 15, the Department of Homeland Security announced the adoption of the final standards for the Voluntary Private Sector Preparedness Accreditation and Certification Program (PS-Prep), which is aimed at improving organizational resilience and preparedness in the private sector.

No teamwork at World Cup: Police break up security riots

Monday, June 14, 2010

As I indicated in an earlier blog, there have been some serious concerns about the strength of security at World Cup events. Just today, the game between Italy and Paraguay was nearly canceled after security stewards (that must be what other people in the world call officers) walked off the job because of pay disputes, according to this article. Walking out on game day forced South African police to take control of security at the stadium.

But this wasn't the first big issue involving security and police. On Sunday, stewards stationed at a different stadium (but who were employed by the same security company, Stallion) clashed with riot police also over wage issues. And it gets worse:

Police fired rubber bullets and stun grenades to break up a protest by around 400 stadium staff protesting what they said was a pay cut from 250 rand ($A39) to 190 rand per day.

So now police resources are being used to fight security officers? You're suppose to be on the same team, remember?

Here's a statement from Rich Mkhondo, head of communications for the local World Cup organizing committee, who said the protest did not impact on security at the match (uh huh):

"Two hours after the end of the first match at the Durban stadium last night, there was an internal pay dispute between the principal security company employed by the organizing committee and some of the static security stewards employed by the company at the match," Mkhondo said in a statement e-mailed to the AP. "Police were called on to disperse the protesting stewards."

Attempting to secure an event like the World Cup is not exactly easy. There are a lot of logistics involved, including efforts to coordinate multiple entities who likely have not worked together in the past (read all about these challenges in this SDN article). While I empathize with the workers who are allegedly being screwed by their security employer, game day is not the time to make one's point (although it is certainly effective at drawing attention). Security is too important at this event and there are too many lives at stake for such disputes. I'm assuming police forces are taxed at the moment and they certainly don't need to be spending resources to battle the people who are suppose to be their partners.

In a disaster, FEMA is depending on your business continuity plans


WASHINGTON—During a presentation at the Center for National Policy on April 23, Timothy Manning, deputy administrator for the Federal Emergency Management Agency, discussed the criticality of the private sector in national disaster preparedness and recovery.