As more businesses  are taking advantage of the benefits of cloud services, evaluating the information security posture of a potential cloud provider is essential, but can often seem like an exercise in futility. If you are going to trust a third party you need to hold their feet to the proverbial fire by undertaking proper due diligence. Before deciding to engage with a cloud provider, ask them to answer (truthfully) this security questionnaire to gauge their information security maturity.

1.  Does the organization have formal written information security policies?

This is an indication of their information security program maturity (or lack thereof). Companies that have not formalized their security policies should not be trusted with your sensitive corporate/customer data. Policies form the framework and foundation and without security is merely an afterthought.

2.  Are external third-party contracts required to comply with policies and customer agreements?

Similar to the concept of subcontracting, if you entrust a cloud vendor with your information and they in-turn use another provider (to store your information for example) does the initial vendor ensure that their partners comply with the policies and security agreements that were laid out in your contract? If not, these partners weaken the overall security of the information chain.

3.  Does the organization have a formal change control process?

Companies that implement changes and configuration in an ad-hoc manner are more likely to experience significant downtime in their environment. The leading cause of network outages can be attributed to poor planning and lack of change control. If the data you are sending to the cloud is time sensitive, you want to go with a provider that abides by a formal change control process, thus managing the inherent risk in unplanned changes.

4.  Is physical access to data processing equipment (servers and network equipment) restricted?

Often overlooked, physical security is equally important as technical/logical controls. If someone can physically access your data, then all security bets are off. Ask your vendor about how they control physical access to their server rooms and what procedures they have in-place.

5.  Do they follow secure data destruction processes for confidential data and IT equipment/media?

If you are storing confidential/sensitive data in the cloud and if the vendor does not properly destroy data from decommissioned equipment, the data is needlessly put at risk. Ask your vendor about their data destruction process.

6.  Do they implement controls to segregate your data from other customers?

The multi-tenant paradigm of cloud computing introduces a significant avenue of attack. For instance, if a multi-tenant cloud service database is not properly secured, a flaw in one client application could allow an attacker access to other tenant’s data. Additionally, check that the vendor is not using system-wide administrator accounts with “God” access to their entire cloud environment. Usage of such accounts should be minimal and should be monitored.

7.  Does the organization encrypt (and regularly test) its backups?

An untested backup is a useless backup. An unencrypted backup defeats the security controls in the production environment. Information needs to be protected across its entire lifecycle.

8.  Does the organization have regularly tested disaster recovery plans for data processing facilities?

If the data your company is sending to the cloud is time-sensitive, check with the vendor to see if they regularly test their disaster recovery plans. Well defined plans will minimize the length and impact of the disaster.

9.  Can they provide results of a third-party external audit conducted within the past two years?

Generally, companies that undergo an external audit have foundational security framework in place and an acceptable baseline of security can be expected. A less then scrupulous vendor may claim to have undergone extensive auditing while actually an auditor hadn’t come within 10 square miles of their business. Ask a prospective cloud vendor to provide results of their last external audit. A transparent company will have no qualms in granting you those results. If they refuse, chances are they do not want you to know their shady auditing truth.

10.  Will they provide relevant certificates of applicable compliance certifications?

Vendors will often claim to be compliant with a whole gamut of certifications  – ITIL, COBIT, ISO 2700, and the list goes on. Ask the vendors to provide proof about such claims. If they balk, chances are they are hiding something.

The cloud can be as secure as you make it. It is up to each and every cloud user to hold their cloud providers to an expected standard of security. The vendor’s underlying cloud environment is likely more secure than your local data center, but without asking the probing security questions you’ll never know.

Sources: Dominic Vogel/TechRepublic

The post 10 Security Questions to Ask Cloud Vendors first appeared on Northstar IT.

Why BYOD?

Many users now have devices that they are comfortable using. For example, some users may have a Mac Book Pro, a Linux notebook, an iPad, or a smartphone. BYOD can assist a company by achieving savings in outlay on IT items such as laptops or PCs.  Staff can use their personal devices, and by so doing can also be more connected in their off-hours and consequently more productive. The growth in BYOD has been fuelled by the growth in tablet computers and smartphones.

Security Issues

BYOD does bring with it a host of security issues. Malware and eavesdropping (in the case of using public Wi-Fi) are two possible risks. What we will do in this post is to take a look at some of the preliminary steps required for implementing BYOD. Ideally, a policy document on BYOD should be created and all staff members should receive a copy.

What devices are supported?

A good starting point for BYOD is: What sort of devices should be able to access the corporate network? Following on from this, what sort of operating systems should be supported on the corporate network, and what version(s)? The supported devices will, in some respects, be driven by what applications are required. A Windows 7 application, for instance, may have no equivalent on an iPad. If it is a critical application, then personnel won’t be able to use an iPad on the corporate network until the application is ported to iOS.

What levels of access are permitted?

Some users may be allowed different access depending on their job function. As an example, sales people may use tablets more than standard laptops/PCs. Support staff may use laptops or tablets when on the road. What this may mean is that support staff will have intrinsically different requirements for access compared to say, sales. Support staff may, for example, require access to in-house knowledge bases or to other databases. Sales personnel may only require intranet, email and messaging access.

What corporate applications are required?

The next consideration is what applications need to be installed on the user’s device. Depending on the user groups, some users may have access to differing levels of data. As mentioned above, support staff would generally need to access support databases, whereas other staff may only need access to email and the corporate intranet.

In addition to deciding what corporate applications are required, you may need to decide what sort of antivirus protection should be installed on a device. Other applications that may need to be installed are email clients, messaging, and Virtual Private Network (VPN) software – for staff that are likely to be working remotely.

Using a VPN for Remote Access

In particular, using a device on public Wi-Fi networks is probably the biggest headache. This is where a VPN solution is required. A VPN will require authentication and will encrypt data. For this reason, a VPN client must be amongst the list of software solutions installed on a user device. There are a number available.  The ones I have used are the Cisco VPN client and its successor, AnyConnect.

Set Passcodes

There is an area that is overlooked many times on tablets and on smartphones: set a security code. This is possibly the most important part of BYOD, particularly for personnel that are likely to be using public Wi-Fi networks. Theft of a device that has no passcode may still not let a casual user in, but having a passcode should be the primary level of defense.

In summing up, your BYOD policy needs to cover:

• First, what types of devices are permitted access, such as Android, iPad, MacBook, Wintel, and what version of the operating system is required.
• Second, decide which access level your different groups of users require.
• Next, determine what applications are required for a user.
• Fourth, and most important, a VPN is required for personnel likely to be using public Wi-Fi networks.
• Finally, educate users about the importance of setting passwords and passcodes.

These guidelines should help maintain the security of corporate data.

Source: Scott Reeves, TechRepublic

The post Make sure BYOD doesn’t mean ‘Bring Your Own Disaster’ first appeared on Northstar IT.

As an IT professional who works with businesses and organizations, I have personally witnessed numerous cases of employee fraud over the years.  Frequently these crimes are perpetrated by the most trusted employee – the one who has been there the longest, the one who has been given the greatest access to the company’s data and finances, the one who is counted as a company insider. Often these acts are committed over long periods of time, without detection, resulting in the embezzlement of impressively large sums of money.  In each case the business owners were blindsided when it was discovered.  “We would never have thought so-and-so could do this or that.”  A good rule of thumb for your employees should be:  The more trust is extended, the more caution should be exercised.

There are ways to manage these insider threats, but we first need to take a look at the types of threats that exist, the business roles of the people involved, and the signs that typically exist when an employee is not complying with policy, law, or ethics.  Armed with this information, organizations can then implement administrative, technical, and physical controls to mitigate insider risk.

Three Primary Types of Insider Threats

Intellectual Property Theft

Intellectual property (IP) is any “creation of mind” created or owned by an organization. For our purposes, examples include:

• Engineering designs/drawings
• Software created in-house
• Trade secrets

In many situations, the creators of IP (engineers, software developers, etc.) believe they have ownership rights. In others, financial gain or professional advancement is the motivation for theft.  The tipping point from good to rogue employee usually happens when creators don’t receive recognition for their work or when they don’t perceive themselves as adequately compensated and appreciated. The U.S. Computer Emergency Readiness Team (CERT) lists several objectives for IP theft, including:

• Starting a new business
• Providing a competitive advantage to a new employer
• Providing it to a foreign country (especially a country with which an employee has cultural, political, or ethnic ties)

Because people allowed access to IP are the ones most likely to steal IP, detection can be difficult. However, close attention to common IP removal paths is the first step in mitigating risk from IP loss, including:

• Company email
• Remote network access
• Storage on laptops and other mobile storage devices
• File transfer services (FTP or SFTP)

Fraud

Fraud is theft of financial assets. Employee fraud is much more common than most organizations believe. In an article at CFOOnline.com, Tracy L. Coenen writes, “Experts estimate that on average it costs companies 3% to 5% of revenue each year.” For example, a payroll clerk creating a false employee, paying that employee, and then collecting and cashing the check commits fraud. Other types of fraud include misuse of expense accounts or payment to vendors when they provide no services or products. People deep in debt with no hope of digging themselves out tend to top the list of insider threats in this category.

Fraud occurs across many channels, and involvement might extend beyond employees to external criminal individuals or organizations. Again, employees resorting to fraud usually seek financial gain. Methods include:

• Selling stolen information
• Modifying information to realize financial gains for self or others
• Receiving payment for adding, modifying, or deleting information

Most employees committing fraud avoid complex technological pathways. For example, the last two examples above simply require alteration of a database without removal of data. When data is removed, it is often downloaded to a home computer, copied to mobile storage, faxed, or emailed.

Damage to Information Resources

Damage to information resources is usually an attempt to break one or more business processes, thereby resulting in significant harm to the business. In most cases, only someone with administrator access can successfully achieve these goals. For example, a programmer might plant a logic bomb that destroys a database, irreparably damages server software, or causes an application to perform in unexpected ways. In addition to logic bombs, reconfiguration of network devices in ways that cause significant loss of productivity is a surreptitious malicious act often difficult to remediate.

Administrators don’t always want to make themselves known with a large, visible event. Rather, creation of additional administrator accounts often provides an attacker with long-term access for small but costly hits against a current or former employer. Organizations without proper log management would have a very difficult time assigning responsibility when the rogue account is eventually identified.

Collusion

Individual employees don’t always have access to everything needed for theft or system damage. Many organizations raise barriers with separation of duties enforced with role-based access control. Enterprising insider threats circumvent these controls using collusion. What is collusion? Peter Vajda writes, “Collusion takes hold when two or more individuals co-opt their values and ethics to support their own – and others’ – misdeeds.” The key word is support. While an engineer, for example, might have full access to all relevant components of the IP he or she intends to steal, a payroll or accounts payable clerk might not. Consequently, the person planning the theft might recruit key employees with access to information or processes otherwise unavailable.

Collusion increases the risk for the perpetrators, but it also decreases the opportunities to detect theft. Bypassing separation of duties via collusion circumvents a key control. According to CERT research, it isn’t uncommon for multiple individuals (including outsiders) to participate in long-term fraud.

Managers like to believe their employees will behave with integrity, but collusion is a common cause of insider risk. According to a Fraud Matters Newsletter article posted at the EFP Rotenberg website, “Collusion accounts for as much as 40 percent of fraud, with median loss of approximately $485,000 – nearly five times that of crimes perpetrated by an individual alone.” The amount of loss from fraud associated with collusion significantly elevates associated risk to levels needing close attention by security teams and management.

Up Next:  Mitigating Attacks

In Part 2 we will explore how to recognize problem employees and implement controls to reduce insider opportunities.

Additonal Sources: Tom Olzak/TechRepublic

The post Insider Threats — Part 1: Understanding the Risk first appeared on Northstar IT.

There are many reasons you may need to replace or upgrade your pre-existing electronic equipment and devices. What do you do with the components you just replaced? You can’t simply throw them away in the trash. You may be fined and the components of those leftover devices contain metals not suitable for a standard landfill. Let’s discuss just a few options available to properly and safely dispose your outdated electronic equipment.

Donation

You can donate your older equipment to a charitable organization and those donations are tax deductible. Some organizations will even pick up your equipment from you. Schedule a pick-up online, leave your electronics on your doorstep and they will take them away for you. Many private schools, churches and other community groups are delighted to get usable equipment – even if they aren’t state of the art.  Feel good knowing your devices are going to a good home and about the money saved.

Amazon

You can sell your device to Amazon for Amazon credit, even if you did not buy it from their website. Amazon calls this feature the ‘trade-in’ service and it can be used for cameras, cell phones, calculators, tablets, laptops, etc. Shipping is free and they offer competitive prices for newer electronics. The Amazon credit you receive can be used for any future purchases made on their website. If you make frequent purchases on Amazon, their trade-in system is definitely worth your time.

eBay

If you’re replacing a broken device, you might be able to sell it for parts on eBay. eBay is a community online auction website, which makes money through listing and sales fees. Making an account and browsing active listings on eBay is free and easy. You can look up your device you plan to sell and see its current value, list the item and ship the device to the auction’s winner. The majority of monetary transactions on eBay utilize PayPal services so will have to create a PayPal account if you do not already have one.

Craigslist

You can use craigslist’s local ‘for sale’ section to post a description and a picture of your device. Potential buyers will contact you through a randomly generated email address (Keeping your personal information hidden). The benefits of using craigslist are convenience and anonymity. There are no fees for listings and you can keep the sale local. This is an excellent way to sell broken electronics, as many people are willing to buy the device for replacement parts.

Retail Store Recycling

Many retail stores such as Best Buy, Office Depot and Radio Shack offer electronic waste recycling services. This service is the easiest, allowing you to simply walk into the store and drop it off. There is no need for an appointment or an explanation. This is the closest you will get to ‘tossing out’ your old electronics, so do not expect any reimbursement from the retailers. This is especially useful if you don’t want to schedule an appointment, register an account, create a listing or ship a package.

Contributions to this article courtesy of Devin Sag, Tech Helpline Technical Analyst

The post Tech Trash first appeared on Northstar IT.