Tag Archives: risk assessment

When you play whack-a-mole with File Transfer tools, you chase the mole! DropBox blocked; Pipe wins

In the enterprise, businesses are seeking to block channels for transferring files, and in many cases the need to manage these is valid and vital to specific business operations. In some cases such efforts are driven by fear of unknown unknowns, and in others by identified disclosure risks to sensitive data or in-flight research and development materials.

A more common discussion is to block file sharing services directly, such as DropBox. The challenge here is how: some choose policies, and others push for technical blocks within the enterprise. The more aggressive will even run regular end-point policy enforcement to disable the applications on the workstation, along with URL / IP filtering of the service providers' addresses. This is one of the only ways to really block such services, and it still does not prevent a sneakernet from springing up that bypasses all of these mitigation efforts.

If, though, the business has achieved a high rate of successful blocks and shifted user behavior to some other approved file passing process, then all is good. In some cases “good” may mean going back to the “old way”, or to a newly designed implementation of an excellent corporate tool.

The risk is in not filling the end users' need: the need remains, and the market and the users connect through alternate solutions. This, of course, sustains the very risks / threats that were raised to justify blocking the first “mole”, now shifted into a perhaps less preferred channel.

I recently came across such an occurrence with the introduction of Pipe, which uses Facebook Connect, allowing point to point file transfer of up to 1 gig of files. The ability to transfer files without a new user account, leveraging the existing user base and capitalizing on the already permitted internal use of Facebook (on corporate devices, iPads, tablets, iPhones, etc.), is brilliant from a market entry standpoint and as an ease of use offering. From a business standpoint, this escalates the business's need to develop a social media and mobile device strategy: not tactical solutions (because the market is shifting) and not policy alone (because words will not stop the traffic from flowing).

Other considerations:

  • How are you assessing the risks of these emerging platforms and technologies?
  • Do you understand the business processes of your business, and where such tools and needs exist within the user base?
  • What monitoring and metrics exist to stay aware of these activities, so that technology services can be improved to meet business demands?
  • How is data management securing the sensitive and important data within the organization?
  • How is your security program / audit group (PCI QSA too) viewing the presence of these applications within the research, financial reporting, and card data environments?

Here is a nice article elaborating on Pipe and its offering, at The Verge.

Other thoughts?

Best,

James DeLuccia IV

Securing to Compliance w/ iPads and Tablets in a PCI world

A growing and undeniable trend is the consumerization of devices. The usage of iPads and tablets in the enterprise and corporate board room is rapidly growing. Anecdotally, 90% of 1st class on my last 10 flights were using iPads, and 50% of the last CxO work session. Recent stats show 95% of tablet traffic is from iPads. Needless to say, these devices are here to stay, and information security professionals must rapidly adopt models to securely enable these end-points. It is not possible, practically, to simply block or deny the use of these devices, as their enterprise value will continue to increase. In addition, most organizations see these devices being utilized even with no policies, no technology enabling their usage, and no methods of risk awareness (let alone risk assessment or risk treatment).

I was recently asked how the usage of these devices in an enterprise would affect their PCI compliance state, and the security risks in general. Now I feel there are a lot of ‘it depends’ and assumptions that are necessary with such a fragile use case, but let's entertain the following question.

What risks should enterprises be aware of as they relate to these devices, and in particular, how do they sustain their security program in a compliant manner that satisfies requirements such as PCI DSS?

Risks to consider, at least:

  • Who owns the data? When data is transferred to or created on another device, who owns it? This is important for forensic investigations, liability, and rights of usage laws. On the surface, a consumer purchased iPad is one example and the in-store App purchases themselves are another, but what of using Cloud enabled services (via the Apps installed on the tablets themselves)? The necessity of understanding data ownership extends there and rapidly becomes complex.
    • Whitelists and blacklists of service providers may be helpful here. At a minimum, understanding who owns the data, how responses will be managed, and guiding principles (that can be monitored with metrics) on the usage of third party devices/apps/services would be key.
  • All the security in the world can be bypassed with physical access, so devise a “when lost do x” plan, ensure configurations exist to support that activity, and establish a protocol for the Cloud provider accounts linked to the device.
  • The above is directed at the device itself being lost (such as left on a plane), but when the device syncs with the home computer (who owns this computer, and how secure is it?), usually the ENTIRE device is backed up as one large compressed file. This file can be loaded in a host environment and provide access without the device. Consideration of these sync systems is critical (note this is not iCloud or DropBox, as those are over the air; this risk is aimed at over the wire activities).
  • Accept that sensitive data is residing on these devices: confidential, proprietary, sensitive, etc. Plan accordingly. Instituting careful data management can ensure that such data is enabled through channels that are secure on these devices and in repositories that match the data risk and device exposure risk.
    • (PCI considerations) If this device is being used as a point of sale terminal, then the common care and management utilized is appropriate. If the device is part of the Card Data Network without being key to the transaction, then perhaps some segmentation efforts would simplify the broader risks (if all end points are in the card data environment, this is probably a larger problem than the population of iPads). The same safeguards on the technology deployed with consideration of sensitive data (prior item) can satisfy the requirements of PCI DSS, so this is a non-issue when deployed “appropriately”.
  • Mobile security safeguards and policies will not mirror the common computing system policies, as the use cases are different and there exist different advantages. A nice point raised by Dave Whitelegg is that mobile policies enforcing password complexity (alphanumeric, upper/lower case, and special symbols) on a tablet would kill (my word) a key attraction of tablets. Therefore some balance needs to be achieved. This is also true when deploying applications such as “Good for Enterprise”. The multi-layer password sandbox approach is the wrong approach in many cases, as it violates the first principle above and may not enable users sufficiently to prevent the Ghost-IT specter.
  • The risk assessment of these devices within the enterprise must look beyond the hardware and operating system (both important to understand and consider) to the applications installed and the risk of converging these applications.
    • Applications: How are these applications handling data? How are the applications leveraging / integrating with other third parties (e.g., linking to DropBox)? How are these applications transmitting data, and what data is being transmitted (the Pulse full contact list transmission comes to mind here, a technically permitted activity but an unexpected one)? Finally, how are those applications managing the data once received? (Note: we are not stating that they are securing the data; we must first understand how they are managing it, and then ultimately whether they should be securing it, demonstrating this security, and continuing to do so.)

Ultimately these emerging (emerged?) devices require the care and attention given to all other elements of the computing environment, and the opportunity and task at hand is to influence and sustain a secure computing environment with each type of device.

On the question of whether these devices can be deployed within a card data environment and/or be used in commerce, the answer is yes, of course, with the proper care and awareness.

There is an emerging market in enabling these devices in the enterprise. As I identify any of interest I’ll include them below (I have not vetted these, so consider this a simple index if you will):

This is a complex area and I value all input, so feel free to share, challenge, and redirect as appropriate.

Best,

James DeLuccia