Can Technology Provide a Complete Security Solution?

Back in 2009, I wrote a couple of blog posts about security – one about whitelisting/blacklisting applications and one about the “cost” of security on productivity (they are both still relevant and worth a read). Recently, I have been working a lot on policies to ensure the security of mobile devices. While doing this, I have discovered an interesting phenomenon: There are some people who believe that it is possible to use technology to provide a complete security solution.

I am certainly not saying that it is impossible to use technology to provide a complete security solution – I am simply saying that it is improbable, difficult, and very costly. Those who believe in a pure technological solution are missing an important piece of the security puzzle: the human factor. This MUST be addressed through published security policies, user training on those policies, enforcement of policy compliance, and required refresher training.

If end users are educated about the risks and consequences of policy non-compliance, I believe that most will work to be compliant. If you couple education with real, random enforcement and consistent consequences (for continued non-compliance), I believe that you can get very close to complete compliance with security policies, and thereby, a complete security solution. Regular reminders about risks and consequences will also help users to stay compliant with security policies.

The bottom line is this: If you implement only technological security solutions and fail to educate users about risks and consequences, you will find yourself with users who are intentionally circumventing the technological solution (either because they don’t understand the risks or because they know that there are no consequences for their actions).

Windows Phone 8 – a Quickie

I recently got my hands on a couple of Windows Phone 8 (WP8) devices – the Lumia 822 and the HTC 8X. My first impressions are that they are lightweight and have big, beautiful screens. The Lumia has a nice feel to it and feels good in your hand. The HTC is THIN and also feels good in your hand.

The live tiles are cool and all, but for me, they made my home screen too busy. I really only care about new email and calendar activity, so I got rid of the Photos tile and the People tile (among others). They were just too distracting. The Microsoft Store has some good and familiar apps, but it doesn’t compare to the Apple App Store or the Google Marketplace. I hope that Devs support it and build apps for it. There is currently no VPN support, nor is there support for a proxy server in the web browser (even though there is a Web Proxy app that allows user-enforced proxying).

As for end-point security, Microsoft is saying that Anti-virus, Anti-malware, and Firewall are not necessary due to the device OS architecture and the application approval process for the Microsoft Store. This is a similar story to what RIM says about the BlackBerry and what Apple says about the iPhone. For device encryption, MS leverages TPM 2.0.

Overall, I like both of these devices, and I like the OS pretty well. Not giving up my iPhone yet though.

Security at any Cost?

I am a FIRM believer in securing systems and data at a level equivalent to the value of the systems or data or the risk associated with the loss of the data or system.  But I have to draw the line when securing data or a system results in interruptions to the operation of what was, up to this point, a secure and well-run system.

Let me use an analogy here to make my point:  When you carry cash, checks, and/or credit cards (CCC), you carry them in a purse or wallet which then goes into your pocket.  You don’t put your CCC into a safe and carry the safe around, do you?  You don’t keep your CCC secured away at home and then run back home every time you need access to CCC to make a purchase, do you?  And we are talking about items that could result in your losing a significant amount of money, or worse, identity theft.

Drawing on this analogy and applying it to systems and data – how much security is too much security for your systems and data?

Do you spend much of your day working through the security mechanisms just to access your systems/data?  Are your systems/data so important that they must be very difficult to access?  Isn’t the purpose of having your data in electronic form so that it is readily available and easy to access?

Stepping back, maybe it is worth looking at what the security folks are trying to do.  Obviously, they are trying to protect data and systems from being breached, compromised, or lost.  Sounds good, right?  But their idea of protection may be so draconian that you have a difficult time accessing your email or accessing and editing a document.  I understand the security viewpoint that any individual piece of information may not be important enough to merit protecting, but when you put together a finite number of pieces of information, that may become something worth protecting.

And here we get back to the question – protect the systems and data at what cost?

Sorry to say that I don’t have any answers here.  But I do want to make a few points:  Security personnel should spend some time and brain cycles understanding the value of the systems/data and the risk of them being compromised, breached, or lost.  It is much easier to apply a blanket security policy, but seldom does one policy truly fit all.  If security personnel understand the systems/data and their function and value, maybe they will craft an appropriate security policy that strikes a balance between making the systems and data available to authorized users and protecting it from the bad guys.

As always, please let me know if you have questions or comments, and I will do my best to address them.

Whitelist or Blacklist Applications?

I get this question a lot from folks – both as it applies to mobile devices and also as it applies to the managed network in general.  Here are my thoughts.

A blacklist is a list of applications that are not allowed.  A whitelist is a list of applications that are allowed.  It is that simple.  In my opinion, a whitelist is MUCH easier to manage than a blacklist.

Why?  Because you know the applications that you want your users to have access to.  It is a finite, limited list, and if a new allowed application comes along, you can easily add it to the whitelist.  It should always be a fairly small list.  On the other hand, a blacklist is an infinite list of applications that are not allowed.  Can you imagine managing this?  How on earth do you manage this list without knowing about every application on Earth?  Granted, you could create a blacklist of applications already installed in the computing device that you don’t want the user to run and then lock that computing device’s image so that no additional applications could be installed, but that is more work.  This “image lock” method makes it difficult to push AV engine and signature file updates as well as Operating System patches.

Now with a whitelist, you still have to manage a list, but you know what applications you will allow.  And you can easily add to the list if needed.  Everything else is not allowed.  Now, this still allows a user to install pretty much anything they want, but they cannot run it unless it is on the list.  And chances are good that the install will fail, as the install program will almost certainly not be on the list.  You may also have issues/difficulties with AV and Operating System updates/patches.

Bottom line – whitelists are easier to implement and manage, plus, they don’t require image lock.  You will have to figure out AV and Operating System updates/patches in either case.

As always, please let me know if you have questions.  I will do my best to answer or clarify.
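The default-deny versus default-allow behaviour described in this post, as an added example that is not part of the original post. It assumes applications are identified by the SHA-256 of their file contents; every binary name and content below is constructed.

```python
import hashlib

def digest(content: bytes) -> str:
    """SHA-256 of a file's bytes, so renaming a binary does not change its identity."""
    return hashlib.sha256(content).hexdigest()

# Constructed sample binaries (name -> contents); stand-ins for real executables.
BINARIES = {
    "mail.exe": b"approved mail client v1",
    "browser.exe": b"approved browser v1",
    "game.exe": b"known unwanted game",
    "setup_newtool.exe": b"installer nobody has reviewed",
    "mail_v2.exe": b"approved mail client v2 (vendor patch)",
}

# Whitelist: the short, finite set of applications the organisation approved.
WHITELIST = {digest(BINARIES["mail.exe"]), digest(BINARIES["browser.exe"])}
# Blacklist: only the unwanted applications somebody already knew about.
BLACKLIST = {digest(BINARIES["game.exe"])}

def whitelist_verdict(content: bytes, whitelist: set) -> str:
    """Default deny: run only what is explicitly listed."""
    return "allow" if digest(content) in whitelist else "deny"

def blacklist_verdict(content: bytes, blacklist: set) -> str:
    """Default allow: run anything that is not explicitly listed."""
    return "deny" if digest(content) in blacklist else "allow"

def evaluate(binaries: dict, whitelist: set, blacklist: set) -> dict:
    """Return {name: (whitelist verdict, blacklist verdict)} for each launch attempt."""
    return {
        name: (whitelist_verdict(c, whitelist), blacklist_verdict(c, blacklist))
        for name, c in binaries.items()
    }

def approve(content: bytes, whitelist: set) -> set:
    """Return a new whitelist that also covers one more reviewed binary."""
    return whitelist | {digest(content)}

if __name__ == "__main__":
    for name, (wl, bl) in evaluate(BINARIES, WHITELIST, BLACKLIST).items():
        print(f"{name:20} whitelist={wl:5} blacklist={bl}")
```

The unreviewed installer and the vendor patch are both denied under the whitelist and allowed under the blacklist; the patch runs only after `approve()` adds its new hash, which is the update-management cost the post mentions.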

And now for a few words about securing PDAs

Not everyone needs a SME-PED (a secure mobile messaging device developed by the NSA).  But a lot of people carry Personal Digital Assistants (PDAs) or Personal Electronic Devices (PEDs).  For this post, I will call them Mobile Devices (MD).  These MDs include BlackBerry, Windows Mobile, iPhone, and any other phone/device that lets you do email, SMS, MMS, pictures, or store any kind of data on it.

Imagine that you are out at a restaurant.  You are having a nice meal.  You brought along your MD, because you never leave home without it.  You have it sitting on the table near you (or in your coat pocket or wherever).  You have it set up to synchronize your work email as well as your personal email.  You store your contacts (work and personal) on the device, and you also keep a couple of Notes on the device that have some password/PIN/account info in them.

You get up to use the restroom.  You leave your coat behind.  You return and finish your meal.  You leave the restaurant.  You get into your car and decide that you will check email before you head home.  You reach for your MD and realize that it isn’t there.  You run back into the restaurant and back to your table, but your MD is not there.  You ask the server and manager if they have seen one or if one has been turned in.  They have not.

Time to panic?  Maybe not.  Do you have the device set to time out after a certain amount of time?  Do you have a password or PIN set to unlock the device?  Do you have encryption technology on the device?  Do you have anti-virus software installed on the device?  If you can answer “Yes” to most or all of these questions, then you can rest easy, because you are out a few dollars for the device and some pain calling your carrier and having the phone/SIM killed.  Then you have to go out and get a new phone/plan and rebuild it.  Painful?  Yes, but not as bad as it could be.

Here is a true story (names/locations have been removed to protect the stupid).  I got a call several years ago from one of my users asking me to “kill his device”.  I asked him what had happened to it, and he told me that he had lost it.  When I hung up with him, I decided to call the phone number of the device.  I did, and the device was answered, but no one was there.  I sat on the line for 5 minutes or so, listening to background noise, and I soon realized that the device was near a cash register.  I started saying “Hello” over and over again.  I did this for about a minute, and finally, a confused woman picked up the phone and responded “Hello?”  We had a brief conversation.  I found out that she was a server at a restaurant down the road from where I was working at the time.  I asked her to set the device aside and told her that I would be down in a few minutes to pick it up.

I retrieved the device and brought it back to my office.  I noticed a couple of things:  There was no PIN/password protecting the device.  It had the user’s business email synchronized to it (up to the minute I was holding the phone).  It had the user’s contacts, calendar, and some notes.  One of the notes had his account login information for several business critical systems (including username, password, and account number).  I also found a note with some of his personal information in it.  Bad?  YES.  But this is not the worst thing that could have happened.

Can you imagine if someone else had found it?  And what if that person was a bad guy?  Fortunately for the user, I recovered it, and I proceeded to wipe the device and rebuild it.  I will let you all use your imagination to form a picture of what might have happened if a bad guy had found it.

Bottom line – protect your mobile device.  You need a PIN/password to unlock the device at the VERY least.  You should also have AV software if you do email, web, or texting on the device.  If you are storing personal or professional information that could be considered private, you should strongly consider getting encryption software for the device.  Protect yourself by protecting your data.  It only takes a second to unlock your device (if you remember your PIN/password).  But it may take you weeks or months to recover from the theft of your personal or professional information.

As always, please let me know if you have questions about this.  I will try my best to answer them or clarify what I was trying to say.

A few more thoughts about securing data

Yesterday, I posted a lengthy discussion of securing personal data (including email). After doing so, it occurred to me that I forgot to talk about encryption.  Short and sweet – if you have data on your computer that you believe (for whatever reason) is so private that something terrible would happen if it ever saw the light of day, then you should strongly consider encrypting your data.  This can be done using a variety of tools available, or if you have Vista and a machine with TPM, you can use BitLocker (part of Vista) to encrypt your hard drive.  I am not going to go into how to do so here, as there are plenty of well-written articles on how to use BitLocker.

Bottom line – if you are worried about your data on your home computer (especially your laptop), strongly consider encrypting that data.  As always, if you have questions, please let me know, and I will do my best to provide a coherent and clear answer.