BYOD Password Policies – First Level of Defense

14 04 2012

A ThreatPost tweet (Donohue, 2012) and coverage on NBC’s Today Show (How safe is your smartphone’s data?, 2012) gave broad visibility to a recent study sponsored by Symantec and Sprint, the Symantec Smartphone Honey Stick Project (Haley, 2012).  In late 2011, fifty smartphones were left in five large cities, in places where they would appear to have been misplaced by their owners, to observe what finders would do with them.  Phony personal and corporate applications were loaded on the phones, along with software that logged every access to those applications and the phones’ GPS location.  No passcode or any other security feature was enabled on any of the fifty phones.  The results showed that finders accessed the phony corporate data on 83% of the phones; the fake corporate email application was opened on 45% of the phones and the planted corporate data files on 53%.  ([OPERATION HONEY STICK] Where’s Your Smartphone?, 2012)

The project summary includes several recommendations for both corporations and consumers on better protecting the data that resides on smartphones.  One recommendation specifically targets the password policies corporations set for these devices: “Organizations should develop and enforce strong security policies for employees using mobile devices for work; this includes requiring password-enabled screen locks. Mobile device management and mobile security software can aid in this area.” (Wright, 2012)  The experiment reinforces the need for corporations that are writing BYOD (Bring Your Own Device) policies to require strong password and screen-lock settings on every employee-owned smartphone that can reach corporate data.

Good Technology (Bring Your Own Device Individual Liable User Policy Considerations, 2012) recommends password and device-locking policies for employee-owned devices that mirror those already applied to company-owned PCs:

  1. Policy should require a password on the device.
  2. Policy should specify a minimum password length of 6 characters.
  3. Policy should specify that the password include at least one letter or number where the device supports alphanumeric passwords.
  4. Policy should require the password to be changed every 90 days.
  5. Policy should set the password history to the four most recent passwords, so none of them can be reused.
  6. Policy should lock the device after 30 minutes of inactivity, requiring the password to unlock it.
  7. Policy should lock the account after 10 invalid login attempts.

Andrew Jaquith, Chief Technology Officer of Perimeter E-Security, takes a more practical approach to password and device-locking policies for mobile devices, one that balances a strong passcode against device usability (Jaquith, 2011):

  1. Policy should require a password on the device.
  2. Policy should require an 8-digit numeric PIN and disallow “simple” PINs.
  3. Policy should lock the device after 15 minutes of inactivity, with a 2-minute grace period before the PIN is demanded again.
  4. Policy should automatically wipe or permanently lock the device after 8 invalid login attempts.

(Jaquith’s policy says nothing about how often the PIN must be changed or about keeping a password history; the lockout and wipe limit are what stop a finder from guessing.)
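As an added example, and not code from the post, from Good Technology or from Jaquith/Perimeter E-Security, the following Python encodes Jaquith’s policy as it would sit behind an MDM agent: the PIN complexity check, the salted hash the device keeps instead of the PIN, the failed-attempt counter that wipes at 8, and the inactivity lock with its grace period. Two things are assumptions: what counts as a “simple” PIN (one repeated digit, a straight ascending or descending run, or a short repeated pattern) and that the 2-minute grace period means no PIN prompt if the screen is unlocked again within 2 minutes of locking. Swap the constants for 6 characters, 30 minutes and 10 attempts to get Good Technology’s numbers instead.

```python
"""Reference implementation of a mobile PIN and device-lock policy.

Added example, not from the post or from Jaquith/Perimeter E-Security.
Assumptions: the definition of a "simple" PIN, and that the grace period
means the PIN is not re-prompted within 2 minutes of the screen locking.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional

PIN_LENGTH = 8                    # 8-digit numeric PIN
MAX_FAILED_ATTEMPTS = 8           # wipe / permanent lock after 8 bad attempts
INACTIVITY_LOCK_SECONDS = 15 * 60 # lock after 15 minutes idle
GRACE_PERIOD_SECONDS = 2 * 60     # no PIN prompt within 2 minutes of locking


def is_simple_pin(pin: str) -> bool:
    """True for patterns a finder would try first (assumed definition)."""
    if len(set(pin)) == 1:                                    # 11111111
        return True
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):                                   # 12345678, 87654321, 89012345
        return True
    for size in range(2, len(pin) // 2 + 1):                  # 12121212, 12341234
        if len(pin) % size == 0 and pin == pin[:size] * (len(pin) // size):
            return True
    return False


def pin_policy_violations(pin: str) -> List[str]:
    """Return the policy rules a candidate PIN breaks (empty list = accepted)."""
    problems = []
    if not (pin.isascii() and pin.isdigit()):
        problems.append("PIN must contain digits only")
    if len(pin) != PIN_LENGTH:
        problems.append(f"PIN must be exactly {PIN_LENGTH} digits")
    if not problems and is_simple_pin(pin):
        problems.append("PIN is a simple pattern (repeated or sequential digits)")
    return problems


def _derive(pin: str, salt: bytes) -> bytes:
    # Never store the PIN itself: keep a salted, slow hash and compare in constant time.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


@dataclass
class DeviceLock:
    """Lock state of one device: attempt counter, wipe flag, inactivity and grace period."""
    salt: bytes
    pin_hash: bytes
    failed_attempts: int = 0
    wiped: bool = False
    last_activity: float = 0.0
    locked_at: Optional[float] = None

    @classmethod
    def enroll(cls, pin: str, now: float) -> "DeviceLock":
        violations = pin_policy_violations(pin)
        if violations:
            raise ValueError("; ".join(violations))
        salt = os.urandom(16)
        return cls(salt=salt, pin_hash=_derive(pin, salt), last_activity=now)

    def activity(self, now: float) -> None:
        self.last_activity = now

    def lock(self, now: float) -> None:
        """Screen locked explicitly (power button) or by the inactivity timer."""
        if self.locked_at is None:
            self.locked_at = now

    def check_inactivity(self, now: float) -> bool:
        """Lock the screen once the device has been idle for the policy interval."""
        if self.locked_at is None and now - self.last_activity >= INACTIVITY_LOCK_SECONDS:
            self.locked_at = self.last_activity + INACTIVITY_LOCK_SECONDS
        return self.locked_at is not None

    def unlock(self, candidate: str, now: float) -> str:
        """Returns 'resumed' (inside grace period, no PIN needed), 'unlocked', 'denied' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if self.locked_at is not None and now - self.locked_at <= GRACE_PERIOD_SECONDS:
            self.locked_at = None            # grace period: candidate is not even checked
            self.activity(now)
            return "resumed"
        if hmac.compare_digest(_derive(candidate, self.salt), self.pin_hash):
            self.failed_attempts = 0         # a successful unlock resets the counter
            self.locked_at = None
            self.activity(now)
            return "unlocked"
        self.failed_attempts += 1            # counter persists across screen locks
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.wiped = True                # policy: wipe or permanently lock the device
            return "wiped"
        return "denied"
```

The wrap-around check in `is_simple_pin` is deliberate: “89012345” is as guessable as “12345678”, and a finder with the phone in hand gets 8 tries against this policy, so the rejected set should cover the patterns people actually choose rather than only the textbook ones.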

In a recent Forbes article (Gupta, 2012), PJ Gupta cites “Leaving Passwords Up to the Users” as one of the common BYOD policy mistakes: users will not consistently enable password protection on mobile devices unless they are required to.  He argues instead that IT departments should establish BYOD policies that require passwords on all devices, with appropriate complexity standards set for those passwords.

Password policies are only a subset of the policies a corporation needs in order to integrate BYOD.  But, as Symantec’s Honey Stick Project shows, password and device-locking policies are the first level of defense for corporate data on mobile devices.

NOTE:  Symantec is building out its capability to manage mobile devices across the enterprise with its recent purchases of two companies, Odyssey Software and Nukona.  Odyssey Software provides Mobile Device Management (MDM) and Nukona provides Mobile Application Management (MAM). (Symantec Corporation, 2012)  The study’s results are, conveniently, an argument for considering Symantec’s new product offerings.

_________

[OPERATION HONEY STICK] Where’s Your Smartphone? (2012). Retrieved from symantec.com: http://www.symantec.com/content/en/us/about/presskits/b-honey_stick_wheres_your_smartphone.en-us.pdf

Bring Your Own Device Individual Liable User Policy Considerations. (2012). Retrieved from http://www.good.com: http://www.welcometogood.com/byod/byod_policy_wp.pdf

How safe is your smartphone’s data? (2012, March 8). Retrieved from msnbc.msn.com: http://today.msnbc.msn.com/id/26184891/vp/46665467#46665467

Donohue, B. (2012, April 4). Symantec Experiment: Half Of Those Who Find Smartphones Don’t Return Them. Retrieved from threatpost.com: http://threatpost.com/en_us/blogs/symantec-experiment-half-those-who-find-smartphones-dont-return-them-040412

Gupta, P. (2012, February 27). Developing a BYOD Strategy: The 5 Mistakes To Avoid. Retrieved from forbes.com: http://www.forbes.com/sites/ciocentral/2012/03/27/developing-a-byod-strategy-the-5-mistakes-to-avoid/

Haley, K. (2012, March 9). Introducing the Symantec Smartphone Honey Stick Project. Retrieved from symantec.com: http://www.symantec.com/connect/blogs/introducing-symantec-smartphone-honey-stick-project

Jaquith, A. (2011, March 7). Picking a Sensible Mobile Password Policy. Retrieved from perimeterusa.com: http://blog.perimeterusa.com/1180/

Symantec Corporation. (2012). Symantec Advances Enterprise Mobility with Odyssey Software and Nukona. Retrieved from symantec.com: http://www.symantec.com/theme.jsp?themeid=nukona-odyssey

Wright, S. (2012). The Symantec Smartphone Honey Stick Project. Retrieved from symantec.com: http://www.symantec.com/content/en/us/about/presskits/b-symantec-smartphone-honey-stick-project.en-us.pdf





Diverging Collaboration of Chinese and US Information Security Firms

8 04 2012

by Brad Clawson

On March 7, 2012 Northrop Grumman issued a report entitled Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage. Commissioned by the U.S.-China Economic and Security Review Commission, the report offers insight into Chinese information security capabilities. It covers a broad swath of topics: military operations, initiatives in information warfare, analysis of criminal versus state-sponsored activity, and the risks to the US telecommunications supply chain from dependence on Chinese-made hardware. One further compelling topic the report covers is collaboration between US and Chinese information security firms.

The interrelationships between global multinational corporations add complexity to the already challenging problem of protecting American IT infrastructure. Fortunately, according to the Northrop Grumman report, collaboration between US and Chinese firms has not been common to date.1 A joint venture formed in 2007 between the Huawei Shenzhen Technology Company and Symantec is the only formal partnership between a US and a Chinese information security company. It has recently been announced that this joint venture will be dissolved: Symantec intends to sell its stake to Huawei for $530 million, effectively eliminating any ties Symantec has to the Chinese company.2
According to a New York Times article, Symantec chose to dismantle the relationship over concerns that ties to a Chinese organization would prevent it from gaining access to classified US Government information on cyber security threats.3 This decision reflects the emerging policy of the US Government of sharing classified threat data with private-sector companies. That policy is having an immediate and potentially long-lasting impact on the future of joint Chinese and US ventures. Symantec’s reasoning reflects the collective interests of US-based corporations that need to sustain their domestic customer base and participate in these public/private forums.

As the US Government moves toward greater collaboration with US information security companies, it is safe to assume the same will occur in China. Chinese governmental and corporate organizations are already closely tied, since the Chinese government has significant influence over its domestic industries. The Symantec decision is thus an indication that information security firms in the two countries will continue to diverge. This will most likely focus initially on the software and services industries, but the hardware supply chain is also likely to come under further scrutiny, which may lead to more policies restricting collaboration between US and Chinese firms.
The overall impact of this divergence remains to be seen, but these recent events clearly represent the future challenges facing public and private enterprises in an era of heightened information security risk. As regulation and oversight grow, private industry has to adapt its business models to comply. This is not unique to the information security domain; but since this domain is relatively new, it will take years for government regulation and business adaptation to reach maturity. Eventually a relative balance between security risks and business interests will be achieved and the global information security industry will move forward.

___________________

1 Bryan Krekel et al., “Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage”, March 7, 2012, 104.
2 Nicole Perlroth, “Symantec Dissolves a Chinese Alliance”, New York Times, March 26, 2012, http://www.nytimes.com/2012/03/27/technology/symantec-dissolves-alliance-with-huawei-of-china.html (accessed March 30, 2012).
3 Perlroth.





Protecting Company Information – Policy, Training, or Technology?

18 02 2012

Protecting company information is a topic that may never enter the average employee’s mind.  Asked about it, most employees would first think of protection from external threats such as cyber criminals (‘hackers’).  Ask a Chief Information Officer (CIO), Chief Security Officer (CSO), or any member of the IT security team, however, and it is almost certainly near the top of their list of concerns.  So what exactly is the concern, and what can be done to address it and protect the company?

There are many areas to examine when developing an overall information security plan. Two of the most obvious are protecting intellectual property, which is any innovation, unique name, symbol, logo, or design used commercially, and protecting trade secrets, which include any formula, pattern, compilation, program, device, method, technique or process used in one’s business.[i]  Other, less obvious factors need to be addressed as well: data and backup storage, mobile devices, external storage devices, email, customer and employee information, and more.

Knowing the many facets of this issue, companies are still left asking how to fix the problem. Unfortunately, the answer can be almost as complex as the question. Many organizations look to technology as the fix, others feel that policies address the issue, and some, usually fewer, address it through training. The best approach is not to look for a single solution that addresses every concern; companies need all three: policy, training, and technology.

Policy

Policies form the foundation of a company’s information security plan. There is a fine line, though, on how many policies to write: enough to be effective, but not so many that employees begin to ignore them. Though many policies could make sense in individual business settings, there are ten core policies that most businesses should evaluate:

  1. Acceptable Use Policy: broadly describes the security measures employees must follow when using and protecting company data.
  2. Antivirus Policy: makes updated antivirus software mandatory on any computer that connects to the company network.
  3. Audit Policy: clearly gives the security team authority to perform routine audits.
  4. Backup Policy: defines the approved ways to back up data, the frequency of backups, and the retention period.
  5. Data Classification Policy: often overlooked but valuable; classifies data so that employees know the confidentiality level of documents and files.
  6. Electronic Communications Policy: addresses items such as discussing company matters on social sites.
  7. Email Policy: essential; describes appropriate use of email, forwarding of emails, and possibly retention periods.
  8. Information Security Policy: somewhat generic, but can be written to cover many topics related to the security of company data.
  9. Password Policy: may seem like common sense, but enforces strong passwords and good practices.
  10. Remote Access Policy: describes who may access the intranet remotely and the method for gaining access. [ii]

While this is not a comprehensive list, these ten policies form a solid foundation and give guidance on some of the most critical aspects of data protection.

Training

Personnel training is one of the most critical, and most often overlooked, aspects of information security.[iii]  A lack of training, or a poorly implemented training program, is a large and growing threat to security. According to CompTIA’s 7th Annual Trends in Information Security survey, human error is the primary cause of the most severe security breaches, yet significantly fewer organizations (45%) provided security training for their non-IT staff in 2008 than in 2007 (53%).[iv] A solid, mandatory training program is essential to ensure that the company’s goals and policies are understood and implemented. Training helps users understand their roles and responsibilities, the policies, procedures, and practices, and at least the basics of the tools and technology available to them.[v] New hire orientation is a natural time to begin training, but employees need recurring training throughout their careers.

Technology

No information security plan is complete without addressing technology. Companies have often relied, especially in the past, on technology alone to keep their information safe. That had a better chance of success when companies were less complex and attacks usually came from outside. Now, internal users are as much of a risk as external attackers, if not more, and businesses are far more complex than they were. Companies have to worry about email, mobile devices, remote data storage, external storage devices, and more, which makes simply protecting the perimeter less effective.[vi] That said, technology is still a crucial part of the plan. Intrusion detection/prevention systems, firewalls, antivirus software, desktop monitoring software, internet monitoring software, and more should be deployed and used to protect the corporate network and data.

In conclusion, a company must address data protection in many ways to build a comprehensive information security program. Policies, training, and technology are three key aspects of that program, but companies also need to consider other items such as physical barriers and other access controls. Beyond creating a solid foundation, it is just as important to keep the training, policies, and technology up to date and to keep evolving as the threats to information change.