Category: Mobile Device Security

How to Suck at Information Security

Security Policy and Compliance

  • Ignore regulatory compliance requirements.
  • Assume the users will read the security policy because you’ve asked them to.
  • Use security templates without customizing them.
  • Jump into a full-blown adoption of frameworks such as ISO 27001/27002 before you’re ready.
  • Create security policies you cannot enforce.
  • Enforce policies that are not properly approved.
  • Blindly follow compliance requirements without creating overall security architecture.
  • Create a security policy just to mark a checkbox.
  • Pay someone to write your security policy without any knowledge of your business or processes.
  • Translate policies in a multi-language environment without consistent meaning across the languages.
  • Make sure none of the employees finds the policies.
  • Assume that if the policies worked for you last year, they’ll be valid for the next year.
  • Assume that being compliant means you’re secure.
  • Assume that policies don’t apply to executives.
  • Hide from the auditors.

Security Tools

  • Deploy a security product out of the box without tuning it.
  • Tune the IDS to be too noisy, or too quiet.
  • Buy security products without considering the maintenance and implementation costs.
  • Rely on anti-virus and firewall products without having additional controls.
  • Run regular vulnerability scans, but don’t follow through on the results.
  • Let your anti-virus, IDS, and other security tools run on “auto-pilot.”
  • Employ multiple security technologies without understanding how each of them contributes.
  • Focus on widgets, while omitting to consider the importance of maintaining accountability.
  • Buy expensive product when a simple and cheap fix may address 80% of the problem.

Risk Management

  • Attempt to apply the same security rigor to all IT assets, regardless of their risk profiles.
  • Make someone responsible for managing risk, but don’t give the person any power to make decisions.
  • Ignore the big picture while focusing on quantitative risk analysis.
  • Assume you don’t have to worry about security, because your company is too small or insignificant.
  • Assume you’re secure because you haven’t been compromised recently.
  • Be paranoid without considering the value of the asset or its exposure factor.
  • Classify all data assets as “top secret.”

Security Practices

  • Don’t review system, application, and security logs.
  • Expect end-users to forgo convenience in place of security.
  • Lock down the infrastructure so tightly, that getting work done becomes very difficult.
  • Say “no” whenever asked to approve a request.
  • Impose security requirements without providing the necessary tools and training.
  • Focus on preventative mechanisms while ignoring detective controls.
  • Have no DMZ for Internet-accessible servers.
  • Assume your patch management process is working, without checking on it.
  • Delete logs because they get too big to read.
  • Expect SSL to address all security problems with your web application.
  • Ban the use of external USB drives while not restricting outbound access to the Internet.
  • Act superior to your counterparts on the network, system admin, and development teams.
  • Stop learning about technologies and attacks.
  • Adopt hot new IT or security technologies before they have had a chance to mature.
  • Hire somebody just because he or she has a lot of certifications.
  • Don’t apprise your manager of the security problems your efforts have avoided.
  • Don’t cross-train the IT and security staff.

Password Management

  • Require your users to change passwords too frequently.
  • Expect your users to remember passwords without writing them down.
  • Impose overly-onerous password selection requirements.
  • Use the same password on systems that differ in risk exposure or data criticality.
  • Impose password requirements without considering the ease with which a password could be reset.

Thanks for Lenny Zelster for its awesome cheat sheet. For original document please see http://zeltser.com/security-management/suck-at-security-cheat-sheet.html. If you have any suggestions other than the ones at above, let me know! ismail@realinfosec.com

How to make iPad Secure?

The iPad has been a very popular new device sold by Apple. But the iPad isn’t really enterprise ready, in terms of manageability and security. IT organizations are buckling under pressure to support the iPad, even though the iPad wouldn’t have passed last year’s enterprise security requirements. If you use this device you may be concerned about the iPad security. Here is some information you might be interested in.

Although Apple has an enviable reputation for producing secure computers, there has been many concerns expressed with the security and safety in devices like the iPad. This device uses a standard called iOS 4.

A recent report indicated that a Russian software was developed which can enable people to gain access to password protected iOS data backups.

Even more disturbing is the fact the iOS keeps virtually a complete log of everything a user types of the keyboard. This includes credit card information, account numbers, etc.

In addition these types of mobile devices require frequent updates which increase the risk of security breaches even more so.

It was reported by a French research firm called VUPEN Security that there are two major flaws which leaves iOS vulnerable. One is a memory corruption error which occurs when is processes a pdf file. And the other is an iOS kernel error.

This means that an app could get low level access to the operating system. Apple has tried to prevent this through the use of private API’s. However this has had questionable benefit.

How to Secure IPad?

AT&T has confirmed that the e-mail addresses of over 100,000 iPad 3G owners using its 3G network have been exposed. According to the carrier, it first learned of the issue on June 7 and resolved it on June 8.

Admittedly, AT&T’s security breach isn’t all that groundbreaking. If only e-mail addresses were stolen, it’s not the end of the world, since that wouldn’t be enough to use to steal more private information.

But that doesn’t mean it’s the end of the story. The iPad is just like any other computer, complete with the potential to access sensitive information. Realizing that, it’s incumbent upon iPad owners to engage in practices and use software that will make it easier for them to keep their private data secure.

Unfortunately, no product is safe from the crosshairs of malicious hackers. Try as consumers might to use products that will keep them secure, all it takes is one mistake or a network flaw beyond their control to wreak havoc on their personal lives. Let’s take a look at some things that iPad owners can do to keep their data private and secure.

1. Keep syncing

It might sound rather simplistic, but users should keep syncing their iPads with their computers as often as possible. The reason why is twofold. For one, the desktop computer acts as a removable storage device for the data on the tablet. Secondly, Windows machines or Mac OS X computers have better security controls than the iPad. If data is extremely important and consumers want to keep it away from prying eyes, having it in a more secure environment is always preferable.

2. Use security apps

The iPad runs iPhone OS. In other words, all the security tools that are available in Apple’s App Store that are designed for the iPhone will also work with Apple’s tablet. In some cases, the security tools aren’t all that useful, so exercising some vigilance before downloading certain applications is a good idea. But there are other apps that monitor network connections, keep passwords safe and much more. Although it’s easy to only browse iPad apps, some iPhone security apps will come in quite handy.

3. Work on trusted WiFi networks

Any iPad owner should be positive that the WiFi network he or she is on is trusted and safe. In far too many cases, WiFi connections on unprotected networks just aren’t as safe as they should be. And although it’s more difficult for folks to access information on an iPad than on, say, a Windows PC, sending sensitive information over that network can be dangerous, to say the least. Once again, the iPad is little more than a newly designed computer. Owners must always keep that in mind.

4. Stay off 3G wherever possible

Although AT&T’s 3G network has enjoyed relative security thus far, iPad owners should keep their tablets off the network as much as possible. When connecting over 3G, users are at the mercy of the network. They don’t necessarily know that it’s secure at all times, and they need to rely on the quality of AT&T’s service. But when surfing the Web on a WPA (Wi-Fi Protected Access)-protected router in their homes or organization, they have more control over security settings and what can be done to keep data secure. Little changes like that can go a long way in keeping iPad data safe and secure.

5. Remember Windows rules apply

iPads may not be running Windows, but some of the lessons learned in the PC ecosystem still apply in the iPad world. For instance, surfing to unknown, untrusted sites is never a good idea. Users should also refrain from opening attachments sent by people they don’t know. Unfortunately, these simple rules just aren’t followed by many iPad owners because they believe they’re safe. As AT&T’s network snafu has shown, there is no one who is absolutely safe from danger. Maintaining vigilance when using the iPad is the most important component of keeping it secure.

6. Physical security matters too

Physical security doesn’t always get the kind of play that network security does, but it’s arguably more important. If users really want to keep their sensitive information private, they need to be more careful with the iPad. They shouldn’t leave it on the table at a Starbucks when they pick up their drink at the counter. They also shouldn’t leave it lying around in plain view in the office for anyone to pick up. Those who want to steal sensitive information would rather have the device in hand than connect to it from other parts of the world.

7. Trust is a dangerous thing

Trust can wreak havoc on a person’s life when it comes to computer security. There’s little debating that there are few, if any, Websites that should be absolutely trusted. Not even e-mails from friends can be trusted, especially if they include unexpected attachments. In too many cases, Web users believe that simply because they have been to a site each and every day for the past three years, they will remain safe on that site. That’s a faulty belief. With some simple phishing scams or spoofing, all kinds of trouble can erupt. Don’t trust anything—even when using the iPad.

8. Passwords mean everything

Passwords are extremely important. With strong passwords, users can have a little more peace of mind if an iPad is stolen and is in the hands of a malicious hacker. Too often, folks use the same passwords for all their different online identities. The password someone uses to log in to Gmail is the same password he uses for online banking. The password he inputs to tweet with friends is the same as the code he uses when he needs to pay down his credit card balance. That’s not a good thing. As soon as attackers have one password, they will try it everywhere else. At the same time, the difficulty of breaking a password must always be kept in mind. iPad owners can’t use “1234″ for a password. They should be using alphanumeric passwords that have capital letters and symbols. It might sound like a pain to type in such passwords every time, but owners will be happy they did so if the iPad is stolen.

9. Lock it down

The iPad comes with password protection. And anyone who wants to keep data safe should lock it down with a strong password. In the iPad’s settings menu, owners can opt to turn on the device’s passcode lock. Once this has been done, every time the screen is turned on, users will be required to input a password to access the iPad’s home page. Again, it’s a pain for those who don’t want to have to input a passcode each time. But when it comes to security and the safety of private data, it’s arguably one of the best things a user can do.

References:

http://discussions.apple.com/thread.jspa?threadID=2632583

http://www.eweek.com/c/a/Security/10-Ways-to-Keep-Data-Private-Secure-on-the-iPad-369345/1/

http://www.bnet.com/blog/technology-business/apple-iphone-ipad-security-goes-into-the-toilet-and-down-the-tubes/4653

http://www.securityextra.com/ipad-security-important-to-consider.html

http://www.ditii.com/2010/10/14/ipad-security-bug-helps-you-download-publications-for-free/