Security Matters | Summer 2011

CONTENTS

Volume 5, Issue 2 Summer 2011

FEATURES

16 THE CLOUD CONUNDRUM Although the benefits of cloud computing are well documented, many businesses are still wary of taking the leap. For companies that can overcome these reservations, they might just realize that the cloud is much more than a place where data is stored

20 THE MAGICAL MOVING ENDPOINT In the wonderful world of endpoint security, there is nothing more frustrating for a company these days than keeping track of the devices its employees use to conduct business. From smart phones to tablets to portable printers, the endpoint keeps changing, meaning securing all this technology is no easy task

22 DUAL PROTECTION At first glance, Payment Card Industry compliance seems like a daunting task for many retailers, but in the end, ensuring the security of collected credit card numbers not only protects the business from potential data breaches, but also its loyal customers

COLUMNS & DEPARTMENTS

6 NEWS & NOTES Computer Viruses • Data Breaches

8 HEALTHY WORKPLACE Kae S. Roberts on teaching respect at work

10 PRIVACY MATTERS Dr. Ann Cavoukian on the integration of privacy and security in the cloud

11 SC CONGRESS CANADA PREVIEW

24 PRODUCT FOCUS — VIDEO SURVEILLANCE Honeywell • Pelco • Genetec • Pivot3

26 COOL STUFF

28 ASK AWAY

30 IN MY WORDS CSIS’s Gene McLean chimes in on the proliferation of video surveillance cameras and their overall effectiveness


EDITOR’S LETTER

Lessons Learned

There is nothing like a good old data breach to get the general public talking about security. Take the recent Sony incident as an example. It proves that information security can make the front page of the news, when its impact is so vast and potentially damaging as this case is (and will be).

In the Sony security breach, more than 77 million PlayStation Network accounts were compromised in April. To date, data leaked, lost and/or stolen includes account information, such as names, birth dates, e-mail addresses and login information, for players using Sony’s PlayStation Network. In total, 10 million credit cards were believed to be involved. Of the total number of accounts compromised, about 36 million are in the United States and the Americas, while 32 million are in Europe and nine million in Asia, mostly in Japan.

In response to the incident, Sony has added software monitoring and enhanced data protection and encryption as new security measures. “We deeply apologize for the inconvenience we have caused,” said Kazuo Hirai, chief of Sony Corp’s PlayStation video game unit, who was among three company executives who bowed their heads for several seconds at their Tokyo headquarters in the traditional style of a Japanese apology. Hirai did admit that not enough security precautions were instituted prior to the breach, and promised that the company’s network services were under a basic review to prevent a recurrence. He also noted that the FBI and other authorities had been contacted to start an investigation into what the company called “a criminal cyber attack” on Sony’s data centre in San Diego, Ca.

So what does the Sony incident teach all of us? Well, firstly, no data is safe from loss, leakage or theft. Wherever data is stored, there is the potential of it being compromised; whenever data is shared, it has the potential of being used other than its intended use; and whatever security precautions are used, they are sometimes not enough to ensure the safety of personal data so many people hold dear to their heart and wallet. For consumers, such a security breach is reprehensible, and should never happen. For security practitioners and people responsible for network and data security at Canadian businesses, it is not surprising, for they understand that where there is data, there is the potential for a breach.

For me, the Sony incident just proves that ongoing vigilance when it comes to security is vital for the survival of every business. Continuous education by corporate, IT, and security executives is a must, while ongoing awareness training of employees and consumers at large is the only way such breaches can be mitigated and minimized.

Paul Grossinger paul@securitymattersmag.com

Publisher/Editor Paul Grossinger paul@securitymattersmag.com
Director, New Business Development Frank Shoniker
Advertising Sales Paul Grossinger
Editorial Assistant Angela Rotundo
Art Director Mark Tzerelshtein markintoshdesign.com
Contributors Graham Bushkes, Dr. Ann Cavoukian, Lynn Greiner, Ian Harvey, Tarun Khandelwal, Gene McLean, Kae S. Roberts

Security Matters provides Canadian businesses with information that helps them secure their staff, assets, facilities and data. It is published four times a year by KAP Publishing Ltd. The views expressed by the authors are not necessarily those of Security Matters. All editorial submissions are subject to editing. No part of this publication may be reproduced without the express written consent of KAP Publishing Ltd. The content of this publication is provided for the general guidance and benefit of our readers. While efforts are made to ensure the accuracy and completeness of the information at the time of publication, errors and omissions may occur. All rights reserved.

Publications Mail Agreement No. 40752539. Return Undeliverable Canadian Addresses to KAP Publishing Ltd., 1136 Centre Street, Suite 199, Thornhill, ON L4J 3M8. ISSN 1911-5067. Printed in Canada. Security Matters, 1136 Centre Street, Suite 199, Thornhill, Ont. L4J 3M8, Canada. Tel: 905-370-0736; Fax: 416-633-7084. info@securitymattersmag.com www.securitymattersmag.com twitter.com/secmattersmag



ADT Remote Access and Video Services We manage your monitoring, so you can focus on the bigger picture.

ADT® Remote Access and Video Services are innovative ways to get more out of your video security investment. Now ADT can help you do a better job of protecting your people, property and profits.


To learn more about ADT Remote Access and Video Services and other innovative solutions, call 1.866.312.8960 or visit us at www.ADT.ca.

Video Alarm Verification Remote Access Control Security Guards Video Escort Video Assist Remote Monitoring RBQ 3019-4070-50. © 2011 ADT Security Services Canada, Inc. All rights reserved. ADT and the ADT logo are registered trademarks of ADT Services AG and are used under licence.


NEWS & NOTES

GFI Software recently alerted its customers of an anti-virus scam that hit the Internet prior to Easter. The scam was targeted at web surfers searching for printable Easter cards. By clicking on a link promising a free Easter card to send family and friends, users were redirected to a very convincing fake security alert that urged them to download what appeared to be an anti-virus program, but which was actually malware that infected their computer.

IBM found more than 8,000 new vulnerabilities in 2010, a 27 per cent rise from 2009. Public exploit releases were also up 21 per cent from 2009 to 2010. This data points to an expanding threat landscape where sophisticated attacks are being launched against increasingly complex computing environments.

Symantec’s most recent Internet Security Threat Report shows that more than 286 million new online threats appeared last year. The report highlights dramatic increases in both the frequency and sophistication of targeted attacks on enterprises; the continued growth of social networking sites as an attack distribution platform; and a change in attackers’ infection tactics.

The number of data breaches nearly doubled in 2010 compared to the previous year, according to the 2011 Verizon Data Breach Investigations Report. Conversely, the number of stolen records decreased significantly, dropping from 144 million in 2009 to four million last year.

As many as 50 high-profile celebrities have been targeted and/or victimized by a ring of hackers seeking to steal their personal information. Norton has put together a quick checklist for consumers to help keep their personal documents out of the hands of cybercriminals.

The Children’s Place, a popular clothing retail store, confirmed its customer e-mail address database was recently accessed by an unauthorized third party. According to company officials, the database is stored at an external e-mail service provider, which stated that only e-mail addresses were accessed and no other personal information was obtained. According to a breach notification letter sent out by the company, the e-mail appears to have come from Adobe and directs customers to a web site where they are asked to enter their credit card number in order to update software.

Lieberman Software Corporation has joined the Cloud Security Alliance (CSA) to help guide cloud service vendors and their customers in adopting best practices. Lieberman Software will work with the CSA to provide insights on managing privileged identities in private, hybrid and public cloud environments.

According to MessageLabs Intelligence, there has been an increase in spam containing malicious file attachments, including both zip file attachments and PDFs. MessageLabs also saw a large increase in the amount of data traffic hitting its spamtraps despite of malicious e-mails sent. An investigation revealed this increase is due to the Cutwail botnet sending a higher than usual number of e-mails with zip file attachments.

Fortinet’s latest 30-day Threat Landscape research shows the re-emergence of the Torpig botnet, accounting for 30 per cent of new botnet activity. Most command and control detections for Torpig originated from machines in Russia and Sudan. By comparison, the Hiloti botnet accounted for roughly 15 per cent of new botnet traffic — the majority of which was found in Australia and Sweden.

After being dubbed the third highest Stuxnet-infected country, India has now been ranked by McAfee as the fourth lowest country in terms of security adoption. In a global report released by the anti-virus company, India’s critical infrastructure industries (e.g., railways and energy plants) fared better only than those of Brazil, France and Mexico in adopting security measures.

A recent report released from AVG shows Android and Facebook have seen a rash of security breaches recently. The AVG Community Powered Threat Report for the first quarter of 2011 shows a dramatic increase in the overall number of global attacks, including “malicious campaigns which exploited the viral nature of Facebook users, which have increased threefold in the last 12 months.”

A study by Websense concludes that 93 per cent of e-mails are spam. Of these, 2.5 per cent are phishing attacks. Another trend emerging is the attack based on search words. The search terms and trends vary based on the geography and seasons. As social media platforms, such as Twitter and Facebook, gain more acceptance, criminals also track these social networks and gather an individual’s personal information.

Following extensive testing, NSS Labs, in its Network Firewall Comparative Group Test Report for the Q1 of 2011, says five out of six firewalls certified by other labs let external hackers in.

Computer failure at one of South Korea’s most popular banks is being investigated as a possible case of cybercrime. For several days in April, customers of the National Agricultural Cooperative Federation were blocked from online and automated teller machine transactions. While some services have returned, issues persist with access to credit card information. The incident has generated 300,000 complaints and prompted pledges of compensation to the agricultural lender’s customers.


After a year of consultations with public and private sector stakeholders, the U.S. government recently released the final version of its National Strategy for Trusted Identities in Cyberspace (NSTIC). The strategy, first unveiled last June, draws a roadmap for the public and private sectors to build an “ecosystem,” whereby the identities of individuals, organizations, networks, services and devices involved in online transactions can be trusted, according to the final document.

Servers belonging to WordPress.com, a popular blogging platform, have been hacked, with the target being the company’s source code. In his blog, Matt Mullenweg of Automattic, WordPress.com’s parent company, wrote: “We presume our source code was exposed and copied. While much of our code is open source, there are sensitive bits of our and partners’ code. Beyond that, however, it appears information disclosed was limited.”

The Texas Comptroller’s Office has confirmed that unencrypted personal records of 3.5 million Texans were left exposed for more than a year after they were copied onto a public FTP server. Social Security numbers, birthdates, driver’s licence numbers, addresses and other personal information were posted to a publicly available server.

After being criticized for a lack of “important” security features, Facebook has added some new security elements in its effort to “make Facebook a more trusted environment.” In his blog, Arturo Bejar, a director of engineering with Facebook, explained the new upgrades, with the most noteworthy feature being introduction of two-factor authentication. According to the blog post, users who turn on the new feature will be asked to enter a code anytime they try to log into Facebook from a new device.



HEALTHY WORKPLACE

with Kae S. Roberts

TO TRAIN OR TO EDUCATE?

Human emotions sometimes get the best of us, which is why the concept of respect is a hard one to instill in employees

There is a common misnomer in the world of education that stipulates “training” is a means to make employees behave in the workplace. In my estimation, however, when it comes to creating a safe and respectful workplace, the question really comes down to: is it training that will get us that or should we consider the concept of “educating” our personnel?

Generally speaking, human beings do not have the capacity to shut emotions on and off. Emotions run every system in our body, and based on that, they show up in every interaction. It’s important to acknowledge that there may be times when we must keep our emotions in check.

The Merriam-Webster Dictionary defines training as “the act or process of imparting knowledge or skills to another and or a period of undergoing practical instruction in one’s job or career.” Already, by virtue of this definition we can see that training employees to be respectful and behave in the workplace is incongruous. Training people to be respectful is not achievable in the day-to-day reality of their work lives. I say that because human emotions are not knowledge or a skill-based attribute; rather they are an integral aspect of our “being” that, depending on the unfolding events, certain ones will present. Simply put, we can’t teach people how to “be” respectful.

We may want to explore the definition of “educate” to determine if we are on the right track. As per Merriam-Webster, while it does define “educate” as speaking to a skill, it also states that it is to: develop mentally, morally, or aesthetically especially by instruction and to persuade or condition to feel, believe, or act in a desired way. The broader definition, and that which it speaks to, beyond the intellect of us, is that the concept of educating feels much more congruent with the intent to see employees “be” resourceful in their responsibility to create a safe, healthy and welcoming workplace.

It is incumbent upon workplaces and their leaders to provide a learning forum in which their human resources team can tap into and learn more about their human being-ness. This is not about giving them a biology 101 lesson. Rather it is about creating an education forum that allows for the conversation to address what is going on in and for each employee at the level of their human being-ness.

In my experience as a Use of Force Instructor at the Ontario Police College, recruits who passed through our doors were trained in various skills as they related to use of force. This was a step-by-step process whereby repetition of the movements, creating muscle memory, allowed for the fluidity of the technique being taught without having to think about it. Human emotions do not respond to a step-by-step process per se. However, if we create a learning forum that educates the learner that we all possess emotions and that they are showing up in every interaction, based on our awareness, we can be resourceful in their firing. Short of that, organizations may be protecting themselves from greater liability because they’ve “trained” their personnel, but they continue to deal with the issue of disrespectful workplaces.

There is a big difference between training personnel to “do” respectful and making them resourceful in their human being-ness. The education forum is far more likely to see the latter being achieved. We all possess emotions, and wherever we are, they will be too.

Kae S. Roberts is a former police sergeant with the Ottawa Police Service and the founder of Awakening Wave, Organizational Evolution (www.awakeningwave.ca), which specializes in harassment/discrimination workshops and training programs, as well as offers diversity in the workplace and personal wellness seminars.



PRIVACY MATTERS

with Dr. Ann Cavoukian

CLOUD COMPUTING WITHOUT COMPROMISE

When it comes to the hottest trend in IT, privacy and security can both be achieved

Recently, Security Matters reported on a survey conducted by Leger Marketing that showed that a majority of Canadian business executives are confused by the concept of cloud computing. The survey also showed, however, that a majority understand that the cloud is more than just “hype.” The promise of significant bottom-line advantages makes it likely that cloud computing will become a major focus of IT initiatives in the coming years. Though the cloud is still in its infancy, it has been suggested that Canada is well-positioned for leadership in this area thanks, in part, to our regulatory frameworks, including those in privacy.

Essentially, the cloud changes computing by decoupling data processing, data retention and data presentation — in effect, divorcing components from location. This has significant implications for privacy and security. In the traditional data security model, a security perimeter divides trusted parties from untrusted ones, containing processing and storage activities to the trusted area. But in cloud computing, there are no clear boundaries around where the processing or storage of data physically occurs. As such, consumers and business leaders are understandably wary about how privacy and security can be assured in this environment.

Having laws that protect privacy is certainly helpful. But meaningful privacy protection cannot be assured by legislation alone. This is the time — while cloud computing is still in its infancy — to design privacy into this emerging technology and the systems that support it by applying The 7 Foundational Principles of Privacy by Design. To support these efforts, my office has published two papers on this topic: Privacy in the Clouds, and Modelling Cloud Computing Architecture Without Compromising Privacy: A Privacy by Design Approach. Both papers dispute the widespread notion that individuals and organizations must make a choice between privacy and functionality in order to use the cloud — they do not.

The thought that only one of these requirements can be satisfied — either privacy or functionality, at the expense of the other — reflects a “zero-sum” mindset. But with proper privacy protections designed into the system from the very beginning of its lifecycle, and integrated at every system layer, a “positive-sum,” or doubly-positive, outcome is achievable. Privacy by Design holds that, by considering privacy at every step of the development cycle, the functionality and usability of a technology need not be compromised by after-the-fact, ‘bolted-on’ privacy measures.

In Modelling Cloud Computing Architecture Without Compromising Privacy: A Privacy by Design Approach, we describe potential architectural elements that would achieve the positive-sum outcome of ensuring data privacy while also maintaining system functionality in two key areas of cloud computing: 1) protecting data that enters the cloud and maintaining appropriate access, and 2) ensuring the integrity of the protected data, without losing privacy.

While architectural elements are important, they must be implemented in the context of an approach that is, overall, privacy-protective. A cloud environment, for example, raises new and different privacy and security threats. New tests and standards are needed for assessing cloud delivery mechanisms against these threats. Similarly, organizations must rethink their established software development, validation, certification and accreditation processes in response to the need to push or pull applications from the cloud. They may thus redesign their Software Development Lifecycle, embedding privacy into the process and developing solutions or evaluation techniques that extend beyond the trusted perimeter.

Ultimately, organizations moving toward leveraging the benefits of the cloud should focus on early and comprehensive integration of privacy and security into the software design phase. There are many tools available to support these efforts, including Privacy Impact Assessments (PIA), especially Federated Privacy Impact Assessment methodologies, which can help organizations articulate privacy requirements throughout the design process, and demonstrate their data protection efforts.

Cloud computing has the potential to offer many advantages, but this potential will never be realized if consumers and businesses alike cannot be assured that personal information stored or processed in the cloud will be strongly protected. Privacy by Design gives organizations the tools they need to build privacy in from the ground up, and to assure themselves and their customers that appropriate privacy measures have been implemented.

Dr. Ann Cavoukian, Ontario’s Information and Privacy Commissioner, is recognized as one of the leading privacy experts in the world and the originator of the concept of Privacy by Design (www.privacydesign.ca).



DON’T GIVE HACKERS THE UPPER HAND

Attend SC Congress Canada and:
- Explore new and emerging threats.
- Identify ways to turn the tables on attackers.
- Learn how to improve your current safeguards.
- Discover technologies to detect and prevent security failures.
- Uncover best practices for reducing risk.

Register today at www.sccongresscanada.com. twitter.com/scmagazine facebook.com/SCMag


SC CONGRESS June 14-15, 2011 | Metro Toronto Convention Centre | Toronto, ON, Canada

Cyberthreats are real... Cybercriminals are constantly changing and adapting. I’m sure you heard about the recent attack on computer systems at the Canadian government’s Finance Department and Treasury Board to capture passwords for access to government databases. No one is immune. Whether you work for the government, a financial institution, the health care industry, or anywhere else where intellectual property and customer data is critical to your business, SC Congress Canada is the place to find answers. As an IT security pro charged with preventing destructive and costly security incidents, you need to keep current on recent threats and ways to defend against them. And, on top of this, you must ensure your organization continually remains compliant with a bevy of regulations and other mandates. SC Congress Canada is coming back to Toronto to provide you with the knowledge and tools necessary to control your exposure to new and emerging threats. We have combined a program packed with vital information led by industry experts, with an exhibition that has top providers. You are sure to walk away from this event with practical ideas and technologies that can be put to work immediately. We at SC Magazine are all about helping IT security leaders enhance their knowledge and skills by providing you with information on the industry through our monthly magazine, website, and online and live events. We invite you to join us in June for our second SC Congress Canada, which will arm you with timely news and insights about cybercrime and how to fight it. I hope to see you there.

Speakers include:

Keynote Dr. Ann Cavoukian information and privacy commissioner, Ontario

Keynote Ron Deibert director, Canada Centre for Global Security Studies; Munk School

Keynote Rafal Rohozinski senior fellow, Munk School of Global Affairs; CEO, SecDev Group

Keynote Peter Stephenson CISO, Norwich University; technology editor, SC Magazine

Rich Baich principal, Deloitte & Touche LLP

Jerrard Gaertner director, technology assurance services, Soberman LLP

Christopher Henry CIO, information technology services, Grant Thornton

Michael Iseyemi global CSO, Aditya Birla Minacs Worldwide

Joanne Kerr IT director, Havergal

Sharon Polsky president, AMINA Consulting Corp.

Ian Robertson director, RIM

Bobby Singh director, information security, Rogers Communications

Illena Armstrong editor-in-chief, SC Magazine

Visit the exhibitors and learn about new products Access controls, anti-malware software, mobile endpoint security, firewalls/perimeter security, intrusion detection/prevention, digital forensics, wireless LAN security – the list can go on and on...and it does. While visiting the vendors in the exhibit hall, you will find the products, technologies and services you need to secure your information assets.


CANADA 2011 To register, visit www.sccongresscanada.com


Agenda (subject to change; for detailed descriptions of sessions, please visit www.sccongresscanada.com)

Tracks: Emerging threats | Technical | Editor’s choice

Tuesday, June 14

9:00 a.m. – 9:50 a.m.
Threat of the hour | App madness | A solid vetting process

10:00 a.m. – 10:50 a.m.
Going mobile | Security in the virtual world | Your PCI-DSS stance

11:05 a.m. – 11:55 a.m.
Assessing your IT security performance | The Wiki leak: What happened and how to prevent it | Whose cloud is it anyway?

12:05 p.m. – 12:50 p.m.
Stuxnet: When will it end? | Build versus buy: How not to architect your enterprise | Continuous controls monitoring (CCM)

1:00 p.m. – 2:00 p.m.
Lunch keynote: Securing the cyber commons?

2:00 p.m.
Exhibit floor opens & coffee served

3:15 p.m. – 4:05 p.m.
Social media: Have fun working that one out

4:15 p.m. – 5:15 p.m.
Keynote panel: Information sharing: A government perspective

5:15 p.m. – 7:00 p.m.
Exhibit floor: Opening day cocktail party

Wednesday, June 15

9:00 a.m. – 9:50 a.m.
Selling security to management | Dealing with the advanced persistent threat | It’s all about the risk

10:00 a.m. – 10:50 a.m.
Sponsored keynote

10:50 a.m.
Exhibit floor opens & coffee served

11:40 a.m. – 12:30 p.m.
HBGary: A lesson in self-regulation | Preparing the leaders of tomorrow | The Anti-Counterfeiting Trade Agreement

12:40 p.m. – 1:30 p.m.
Sponsored keynote

1:30 p.m.
Exhibit floor break

2:35 p.m. – 3:25 p.m.
Inside the insider threat | Where’s the data? | A word from SC Magazine’s editor-in-chief

3:35 p.m. – 4:25 p.m.
How auditors certify computer systems | Human resources and the CISO | The RSA security debacle

4:35 p.m. – 6:00 p.m.
Exhibition floor closes. Keynote: 2½ hours to network meltdown

6:00 p.m.
Closing remarks and conference closes

Also on the program: Real security: Is the future looking like the past? | Where are all the security pros?


KEYNOTES

Tues., June 14 1:00 – 2:00 p.m.

SECURING THE CYBER COMMONS? Hear about the major driving forces that are shaping cyberspace today, and why incidents of cyberespionage and warfare are becoming more prevalent worldwide. Professors from the Munk School of Global Affairs will discuss how hopes of preserving cyberspace as an open public commons are threatened by these major driving forces, leading to a kind of "perfect storm" in cyberspace. How to secure the cyber commons, and whether cyberspace can be considered a commons at all, will be analyzed.

Ron Deibert, professor of political science and director of the Canada Centre for Global Security Studies, and the Citizen Lab at the Munk School of Global Affairs, University of Toronto
Rafal Rohozinski, senior fellow, Munk School of Global Affairs, and CEO, SecDev Group

Tues., June 14 4:15 – 5:15 p.m.

INFORMATION SHARING: A GOVERNMENT PERSPECTIVE The topic of information sharing has been played over and over again, and yet it remains of paramount importance until we have policies and processes in place to make this ‘behavior’ efficient and effective. This panel features professionals from a diverse group of agencies discussing how each shares information – both within the government and with the private sector.

Wed., June 15 4:35 – 6:00 p.m.

2½ HOURS TO NETWORK MELTDOWN An interactive session and live demo of a network being compromised as a result of both mobile devices and social networking. A fictitious company allows both personal smartphones and social networking on its corporate network. Observe on large screens as a number of attacks compromise these devices and some of the sites employees visit – resulting in corporate data leakage of company and customer information. View how and where these attacks are occurring and hear how network monitoring centers start sending warnings and respond. Throughout the exercise, a panel of CISOs will be present to discuss their experiences with such attacks, the relevant issues that concern them and, most importantly, summarize events to create a report for the fictitious company’s senior management as to what policies, technologies and practices are necessary to avoid such a scenario actually happening to their organization. Forensics follow-up for criminal prosecution and future remediation will also be discussed. Peter Stephenson, CISO, Norwich University; technology editor, SC Magazine

JOIN US

Conference pricing (Canadian dollars, including 13% HST)

Registration option | Early bird (on or before 5/14) | Regular (after 5/14)
Two-day pass | $763 | $1,017
One-day only | $424 | $565
Expo-plus pass – one session of your choice | $57 | $57
Expo hall pass | FREE | $30

Register today at www.sccongresscanada.com.

Hotel reservations

InterContinental Toronto Centre, 225 Front Street West, Toronto ON M5V 2X3

Guest room rate: $199 CAD for single or double accommodations, plus applicable HST.

Reserve your room: call 1 (800) 235-4670 for reservations and ask for group code XAA or for SC World Congress Canada 2011. (The cut-off date for the group rate is May 23. Reservations received after May 23 will be honored on a space-available basis.)


Helping YOU Secure YOUR Business

Designed to help Canadian businesses secure their facilities, staff, networks, data and assets, Security Matters is the ultimate source of security-related information for corporate, IT and security executives.

Protect your business. To subscribe to Security Matters Magazine for free, visit www.securitymattersmag.com


THE CLOUD CONUNDRUM


By Ian Harvey

The thing about cloud computing for many people is that it’s so damned ethereal. You can’t physically protect it like your standard server farm, you can’t touch it and you can’t go down to visit it and reassure yourself it is still there and safe. For those IT professionals raised in a world of “the buck stops here,” where control and command are the very bywords of security, handing over the reins to an outside provider just sounds like major heresy.

As Mike Rothman, analyst and president at security services provider Securosis, points out: “When we’re talking cloud today, we’re not just talking about moving some applications over, and that’s what cloud is to many people: Salesforce, or Software as a Service (SaaS). That’s not it. We’re now talking about architecture and platforms. Everything is changing.”

What’s driving the cloud, of course, are the huge cost savings of offloading and outsourcing IT expenses and headaches. What’s holding it back, though, is the underlying concern that letting go means IT managers, who will inherit the blame if things go wrong, have almost no control of what can go wrong and no way to fix it when it does. But are those real concerns? Or are they legacy issues of a cloud concept that has grown so quickly in the last couple of years that it has leapfrogged over some of the sticky security issues and already addressed them? In the latter case, perhaps, could cloud proponents do a better job of reaching out to the end-user community, more succinctly explaining how they’ve addressed those security issues and identifying the more current challenges they are tackling?

Rothman says businesses must start getting their heads around what cloud really is, since being in the dark only prolongs that fear of change. He notes that the cloud is more than just how data is stored and where it’s stored. “It’s a change in architecture,” he says, “which needs to happen as organizations start moving some of their critical applications into the cloud. In general, most folks don’t know what they don’t know.” A big part, he adds, is understanding security and the Cloud Security Alliance’s Certificate of Cloud Security Knowledge, which identifies 13 different domain risk issues to be managed, from identity to data protection and other aspects. “It really helps people understand how they have to start thinking differently relative to moving and managing data,” he says, referring to the 13 risk issues. “Often the push back is because of the lack of control and the lack of knowledge, but given the right control set you can build a cloud in the public cloud that is as secure as it is in a private data centre.”

Indeed, convincing themselves the cloud was the right place to be wasn’t so much of an issue internally at Credenza, whose lead product, Amicus Attorney, is distributed through subsidiary Gavel and Gown and targets small law firms across North America. Its newest version, a cloud-based SaaS, was launched last September. Credenza’s CIO Chris Cardinal knew it was going to need some evangelizing because security is such a sensitive subject with its market base. “We tried a similar product 10 years ago as an ASP and it flopped,” he says. “The market just wasn’t ready.” This time, he says, many lawyers didn’t even realize they were already working in a cloud environment. “A lot of the solos and ones and twos (lawyers in a firm),” he adds, “are using Gmail and that means unless they delete it, Google keeps it forever and indexes it. These law firms have a couple of traits. First they are conservative and secondly, they’re not technology savvy and are really naïve, with almost no IT infrastructure or personnel. They really have no data safety at all. The fact that no one knows they’re there is their best offence.” He believes reports that some of the biggest law firms in Canada have been hacked show that no system is unassailable. That said, however, his clients wanted to know five things about the
cloud-based service: how safe is my data, how safe is my connection, my identity, how do I get my data back and what does government, and more importantly the bar associations, have to say about this?

Microsoft’s Azure structure goes a long way to assuaging clients’ fears, he says. The data centres have robust physical security along with strong firewalls and multilevel, multilayer network security. “While Azure doesn’t encrypt the data, we do that for the client using their tools,” explains Cardinal, noting the platform is SOX and PCI DSS compliant and meets ISO 2100 and 2105 standards. Bar associations have also got on board by saying it meets “ethical” standards for practices. The only wrinkle is that the databases are in the U.S., which makes them subject to search and seizure under the Patriot Act, but that doesn’t seem to create concerns for clients.

That macro-level layer of approval, in Amicus Attorney’s case by bar associations, and the adoption of international standards are exactly what’s being pursued on the global stage across all sectors. Still, nothing is foolproof, warns Rothman, echoing Cardinal. “The secret is any ID can be compromised whether data is held inside or outside,” he said. “You can never assume there will be total security.” And truth be told, we’re still in the early stage of the cloud, even though the adoption and growth seem rapid, he notes, so it’s also unrealistic to expect all things will be resolved for all people instantly. “Growth has been astounding and fantastic and we do believe cloud-based architecture will at first be a minor segment, then major and the de facto over a couple of decades.” The timeline may seem extreme in this age of lightning-paced digital change, but there’s a revolution in design and thinking which has to happen first. “The reality is that these are very early days in cloud and we have to keep that context in mind,” says Rothman. “The good news is that we’re starting to think about security early, and often security is happening in lockstep with design.” In the past, security has been an add-on, or something layered after the fact. Integrating security from the get-go with established protocols and standards will go a long way to resolving end-user concerns.

The Cloud Security Alliance’s Marlin Pohlman, also chief governance officer at EMC, says a global security standard for cloud, which will satisfy the health care, financial services, legal and national security interest sectors, is “about 85 per cent there.” It’s no easy task; to satisfy all these key stakeholders from such diverse sectors across national and geographic boundaries has meant intense and high-level discussions over many months.

One of the remaining hurdles is risk and how to treat it, not just to satisfy sectors like financial services, but to satisfy the jurisdictions covering those areas in North America, Europe and Asia. Pohlman likens it to the creation of the Uniform Commercial Code in the early 1950s, which saw a similar shift in thinking. “It saw the creation of the concept of virtual property superseding real problems in interstate commerce,” says Pohlman. But gaining acceptance of the code was a state-by-state, country-by-country negotiation, he says, and the same process will hold true with a global cloud security protocol standard. The last stumbling block in this stage is determining how data is treated as it crosses jurisdictions. In Canada, for example, data is not subject to the Patriot Act. But it is when it crosses into the U.S. Similarly, India has different rules about what is private, as witnessed by its battle with Research In Motion over data flowing through BlackBerry devices. Once those standards are nailed down it will be a matter of going state by state, country by country to get the legislation written, enshrining the treatment of data, and then passed by the legislative authorities. “Each will be the same but different in that they will all have their own version based on those standards,” says Pohlman.

Ian Harvey is a freelance writer in Toronto, Ont.


WHERE BUSINESSES GO SECURITY SHOPPING LOOKING FOR A FIREWALL? WHAT ABOUT A DATA LOSS PROTECTION SOLUTION? HOW ABOUT A STATE-OF-THE-ART VIDEO SURVEILLANCE SYSTEM?

FIND IT ALL AND MORE AT SECURITYPAGES.CA - YOUR ONLINE SECURITY MARKETPLACE FOR PRODUCTS, SOLUTIONS AND SERVICE PROVIDERS


THE MAGICAL MOVING ENDPOINT

By Lynn Greiner

Protecting a company’s intellectual assets, whether you’re a 50-person company or a Fortune 500 conglomerate, is a challenge that extends from the edge of the network right to the most humble user device, aka an endpoint. It used to be relatively easy to secure endpoints. They sat on desks, securely tethered by their network and power cables. But now the definition of endpoint has changed, according to Gary Mullen, vice president of corporate marketing at security vendor Kaspersky Lab Americas. “We define an endpoint as any end-user device where data resides,” he said. “As technology becomes increasingly mobile and ‘consumerized,’ businesses have to account for smartphones, tablets and personal technology in the workplace.”

The trouble with all of these new devices is they don’t sit still. They’re in pockets and purses and briefcases. They’re used on trains and buses, in cars, living rooms and client boardrooms. And unlike even five years ago, there’s really no perimeter surrounding many of them much of the time. In fact, said Cam Johnston, president of White Hat Inc., even within the perimeter you can no longer assume you’re safe. “In SMBs, it’s not,” he noted. “The reality is behind the perimeter people are usually the biggest and most voracious threat.” Mullen agrees. “For small businesses, the endpoint is often the frontline as no true perimeter security has been put in place. Medium-sized businesses often put perimeter security in place but open up the firewall to allow their users to surf the web at will and use social media sites, such as Facebook and LinkedIn,” he says. “This practice makes the endpoint a target for cybercriminals.”

The statistics are frightening. In its latest Internet Security Threat Report, Symantec found that the number of mobile vulnerabilities grew by 42 per cent in 2010. The company noted that mobile is an increasingly popular attack vector, and it expects these numbers to continue to climb, making it even more important to secure non-traditional endpoints like smartphones. “While the new security architectures employed in today’s mobile devices are at least as effective as their desktop and server predecessors, attackers can often bypass these protections by attacking inherent vulnerabilities in the mobile platforms’ implementations,” Symantec reports. Unfortunately, such flaws are relatively commonplace: Symantec documented 163 vulnerabilities during 2010 that could be used by attackers to gain partial or complete control over devices running popular mobile platforms. It doesn’t stop there. The volume of web-based attacks per day also skyrocketed by 93 per cent. And to further complicate matters, 65 per cent of the malicious links distributed via social networking status updates used shortened URLs, such as those created by bit.ly and tinyurl.com, so users couldn’t see where they were directed until it was too late. Of these, Symantec said that 73 per cent were clicked 11 times or more.

Given statistics like these, it’s no wonder Johnston advises: “Do assume that everything outside the perimeter is hostile. Do assume that the endpoint is sitting in a hostile environment and may already be compromised and needs to be protected accordingly.” “Cybercriminals,” adds Mullen, “can attack through many vectors and are constantly looking for a new vector to steal data. And data today rarely stays within the confines of the secured perimeter, making protection for mobile devices a must.”

Both Mullen and Johnston recommend the same strategy: layered protection. Secure the perimeter, yes, but also secure the desktop, the file server and the mail server. Then, advises Mullen, put tough policies, enforced by protective technology, in place for every mobile device. “Laptops need a stronger protection policy for unsecured networks like the home, hotel or airport,” he says. “Smartphones, iPads and tablets need the ability to lock or delete information in case that device is lost or stolen.” That may be easier said than done if the devices are not corporately owned. Employees, regardless of the device they use (or who owns it), must understand corporate policies around data access and mobile device usage and, more importantly, understand why those policies have been established. “Encourage an open dialogue,” Mullen says. “If an employee wants to access company information on his smartphone, you’d much rather have him talk to your IT department, rather than secretly doing it on his own.” However, that may not be enough to mitigate the risk, Johnston insists. “Restrict access to users with corporately owned mobile devices that can be centrally managed and monitored. Do not allow any access from personal devices.”

WHEN POLICY MEETS TECHNOLOGY

Employee education and training is key, whether it’s about online security in the office, safe surfing while on the road, or physical security anywhere. “The main risk with mobile devices is physical security,” Johnston points out. “When they get lost or stolen and they contain corporate information or give the person that possesses them access to the corporate network. There are few if any realistic malware threats for the various mobile platforms in the wild.” There are, however, malicious apps that can compromise the security of a smartphone by exploiting user activity. Recently, the Android Market removed more than 50 smartphone apps that contained code that would do mischief. These were not weaknesses in the operating system; they simply relied on old-fashioned social engineering to con the user into installing programs that could do bad things. And that’s another good reason to establish a comprehensive security education program. “Employees need to understand that in most situations, they are the weak link in a security breach,” says Mullen.

The few vulnerabilities known in mobile platforms are still inflicting significant damage, according to Symantec. It noted, “In the first few months of 2011 attackers have already leveraged these flaws to infect hundreds of thousands of unique devices.” And according to findings from mobile security vendor Mocana, published in its Spring 2011 Device Security Report, 47 per cent of organizations do not believe they can adequately manage the risks introduced by mobile devices, and more than 45 per cent of organizations say security concerns are one of the biggest obstacles to rolling out more smart devices.

There are ways to mitigate the risks, and they depend as much on people as on technology. “A strong security posture always starts with policy,” Mullen notes. “It is important for companies to create a strong security policy, particularly around employee usage, and then apply the right tools to enforce that policy.” “Training makes your users aware of both the threat and the consequences of breaking policy,” he goes on to suggest. “Usage policies for mobile devices are critical as well, along with the technology to properly protect those devices in an unsecured world. Technology only enforces policy.”

Lynn Greiner is a freelance writer in Newmarket, Ont.



DUAL PROTECTION

By Angela Rotundo

AT FIRST GLANCE, PAYMENT CARD INDUSTRY COMPLIANCE SEEMS LIKE A DAUNTING TASK FOR MOST RETAILERS, BUT IN THE END, ENSURING THE SECURITY OF COLLECTED CREDIT CARD NUMBERS NOT ONLY PROTECTS THE BUSINESS FROM POTENTIAL DATA BREACHES, BUT ALSO ITS LOYAL CUSTOMERS

Every day, millions of Canadians use their credit cards and debit cards, whether it’s to pay for gas, buy concert tickets or pick up the tab for dinner with friends. And most Canadians hardly think twice about the few seconds it takes to enter their PIN or provide a signature when asked — simple security steps designed to protect both retailer and consumer. Yet, as credit card fraud continues to impact the retail industry, it seems that PINs and matching signatures are simply not enough. As a result, a new and distinct set of standards has been designed, developed, implemented and maintained to promote customer data privacy and increase security and retail compliance. The Payment Card Industry Data Security Standard (PCI DSS) is the future of credit card security and, for retailers, it means following a set of security standards developed to protect information before and after a financial transaction.

In today’s technology-driven business world, PCI DSS compliance is required by all credit card companies, including Visa, MasterCard and American Express, primarily due to an increasing number of data breaches and fraudulent acts by sophisticated criminals looking to steal data and money. These companies decided a unified approach was needed and formed the PCI Council to address the business rules regarding electronic funds and the issues related to them.

As one of Canada’s major retailers, the LCBO (Liquor Control Board of Ontario) must be compliant with the new standards, and part of that compliance includes an upgrade to the security of the passwords used to access financial applications. Vern Shapiro, manager of User Acceptance Testing, Point of Sale (POS) Services & Support for the LCBO, says that his department does all of the testing on behalf of the users so that security measures, like chip readers and system hardware and software, ensure compliance is achieved. “It’s critical to stay on top of security matters like PCI,” stresses Shapiro. “We have departments that monitor that type of activity all the time, so as soon as we recognize there is an issue we act upon it. Because of PCI [and its standards] I now have a different awareness of the importance of this type of protection.”

Shapiro is responsible for testing security aspects like password strings (the way passwords are set up by vendors), confirming the proper number of digits in a password, and ensuring that personal information isn’t in any file for someone to access. The LCBO will be fully compliant by the end of this year, and its POS systems are already compliant. These are just a few of the many ways the LCBO maintains PCI standards.

To help retailers with PCI compliance, TELUS offers services that help merchants achieve PCI compliance. Its PCI action plan, for example, identifies the steps an organization must take to become compliant quickly and cost effectively. As Rafael Etges, director of security at TELUS, states, becoming PCI compliant is much more than another form of security.


6 MAIN PCI DSS REQUIREMENTS

1. Build and maintain a secure network
• Install and maintain a firewall configuration to protect cardholder data.
• Do not use vendor-supplied defaults for system passwords and other.

2. Protect cardholder data
• Encrypt transmission of cardholder data across open, public networks.

3. Maintain a vulnerability management program
• Use and regularly update anti-virus software.
• Develop and maintain secure systems and applications.

4. Implement strong access control measures
• Restrict access to cardholder data by business need-to-know.
• Assign a unique ID to each person with computer access.
• Restrict physical access to cardholder data.

5. Regularly monitor and test networks
• Track and monitor all access to network resources and cardholder data.
• Regularly test security systems and processes.

6. Maintain an information security policy
• Maintain a policy that addresses information security.

Source: SEARCHCOMPLIANCE.COM


“We take PCI compliance very seriously because it affects our brand and the relationship that we have with clients,” he says. “It’s critical for us to show a high degree of compliance for those businesses and consumers.” Etges suggests that technologies such as encryption, database and network access control and identity management are key to ensuring that cardholder environments are managed, monitored and constantly under control. By doing so, Etges believes, maintaining PCI compliance will be less like a short-term project and more of a long-term program. “The three most important things for retailers to know about PCI compliance are: work with your Qualified Security Assessor (QSA) to make sure that your scope is managed; educate the business to operate in a compliant and secure manner; and monitor compliance on an ongoing basis,” stresses Etges.

According to Simon Tang, national leader of vulnerability management and PCI services for Deloitte Canada, retailers must understand their responsibility when it comes to PCI compliance. “For a retailer, the most important aspect of PCI compliance is to understand the scope of compliance, as well as identifying where they are storing, processing and transmitting card data,” he says. “It’s important to ensure that these points are covered within PCI compliance.” Tang suggests the reason retailers need to maintain a high level of security to meet PCI compliance is that they process a large number of credit card transactions on a regular basis. “Retailers can protect cardholder data by not collecting it or storing it; by not keeping that information there is only a limited amount of data that a hacker can collect,” he adds. Some industry experts also believe maintaining PCI compliance is another way to ward off hackers and other computer threats that can cause major data breaches, and thus major business disruption and costs. In 2008, according to an article in The Toronto Star, Canadians spent almost $267 billion on their credit and debit cards. That number has surely grown since, and as Etges reminds us, “It is the data from our clients on the line, so we have to protect them.”
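The scoping work Tang describes and the file checks Shapiro describes both come down to finding card numbers stored where they should not be. The following is an added example, not code from the article or from any company named in it: it pairs a digit-run pattern with the Luhn check digit test (my choice of filter, not mentioned in the article) to flag likely primary account numbers in constructed sample files, and masks each hit to the first six and last four digits so the scan report does not itself become stored cardholder data.

```python
import re

# Constructed sample files (not taken from the article): the kind of debug log
# and support note a retailer might find on a workstation during a PCI scope review.
SAMPLE_FILES = {
    "pos-debug.log": "2011-06-01 12:03:44 auth ok pan=4111111111111111 exp=0913 amt=42.10\n",
    "support-note.txt": ("Customer called re: order 1234567890123; "
                         "card 5500 0000 0000 0004 declined.\n"
                         "Phone 416-555-0199, ticket #20110601.\n"),
    "clean.txt": "Nothing sensitive here, just a part number 9876543210.\n",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# glued to further digits on either side (so timestamps and phone numbers are
# too short to match and long numeric IDs are not split into pieces).
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check: every genuine card number passes, most stray numbers fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list:
    """Return masked card numbers found in text, in order of appearance."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(mask_pan(digits))
    return hits


def scan_files(files: dict) -> dict:
    """Map each file name to its masked hits; files with no hits are left out."""
    report = {}
    for name, body in files.items():
        hits = find_pans(body)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        print(f"{name}: {len(hits)} likely card number(s): {', '.join(hits)}")
```

The 13-digit order number in the support note is rejected by the Luhn test even though it is the right length, which is what keeps a scan like this from drowning in false positives.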



PRODUCT FOCUS

VIDEO SURVEILLANCE

Network Video Recorder MAXPRO® NVR SE

HONEYWELL SECURITY GROUP 2700 Blankenbaker Pkwy, Suite 150 Louisville, KY 40299 Tel: 502-297-5760 www.honeywellsystems.com

Honeywell’s new MAXPRO® NVR SE is a network video recorder that simplifies the transition from traditional analog video surveillance to the latest digital, IP-based technology. It includes preconfigured hardware, software, storage and all required licences in one box, allowing for easier setup than conventional NVRs. Pre-configured hardware allows users to install the system without purchasing additional software or IP licences. MAXPRO NVR SE offers Honeywell’s patent-pending Video Surround feature, which allows operators to improve security by easily tracking and monitoring an individual moving through a building in real time or post event.

HD Video PTZ High-Speed Dome

PELCO BY SCHNEIDER ELECTRIC 3500 Pelco Way Clovis, CA 93612-5699 Tel: 800-289-9100 www.pelco.com

Spectra HD delivers crystal-clear images via IP for live streaming to a standard web browser, Endura, Digital Sentry or other HD video management systems. Spectra HD features open architecture connectivity for third-party software recording solutions, allowing integration into virtually any IP-based HD system. Incorporating the award-winning Sarix technology platform, Spectra HD delivers 960p resolution, built-in analytics, 18x optical zoom, USB expansion slots and 360° continuous pan rotation for the precision and control you demand.

Video Management System

GENETEC 2280 Alfred Nobel Blvd., Ste. 400 Montreal, QC H4S 2A4 Tel: 514-332-4000 www.genetec.com

Security Center 5.0 allows users to configure and manage IP cameras and encoders, recording schedules, camera settings and much more. It supports an embedded video recording and streaming engine, and features an enhanced architecture that facilitates the installation and maintenance of the platform, third-party intrusion integration of alarm panels and perimeter detection devices, a new plug-in architecture for adding third-party integrations, and standby and redundant archiving capabilities.

Storage & Computer Stack

PIVOT3 6605 Cypresswood Drive Spring, TX 77379 Tel: 281-516-6000 www.pivot3.com


The vBank Appliance addresses the growing influence of IT in video surveillance environments. It adds compute resources to support more virtual servers, and solid state disk drives to extend storage performance across general business applications. The vBank provides both local VMware vSphere environments and scale-out storage resources across appliances. Individual vBank appliances can be stacked in a Pivot3 storage and compute STAC to create, protect and load-balance storage across vBank appliances as a highly reliable, high-performance IP SAN.



COOL STUFF

SECURITY AND MANAGEMENT SOLUTION BitDefender’s Business Solution Version 3.5 delivers additional layers of proactive detection while reducing the cost and complexity of securing SMB networks against viruses and other malware. It integrates anti-malware protection with remote network audit and system management using WMI (Windows Management Instrumentation) technology, allowing administrators to gain an additional layer of visibility and protection to help them identify and eliminate gaps caused by rogue applications. New features address the lack of IT resources by streamlining business operations and helping SMBs use these resources more effectively. These include simplifying policy implementation and system management with wizard-driven security policy creation, network tools to remotely manage devices, and integration into Active Directory to leverage the organizational structure already embedded in the network. www.bitdefender.com

MOBILE SECURITY PLATFORM The Sophos Mobile Control safeguards data on a broad range of popular smartphones and handheld devices, including Apple iPhones and iPads, Google Android, and Windows Mobile devices. It secures mobile devices by centrally configuring security settings; enabling lockdown of unwanted features; providing remote over-the-air lock or wipe if device is lost or stolen; enabling consistent security policy enforcement, strong password policy and lock period, control and installation of applications; blocking use of cameras, browsers and the likes of YouTube; eliminating administrative burden with a self-service portal that allows end users to register new devices and lock or wipe lost phones; and controlling access to corporate e-mail via a secure gate, thus allowing only properly secured and registered devices to access e-mail. www.sophos.com


UNIFIED CONTENT SECURITY The Websense TRITON solution removes threats and risks while enabling organizations to take advantage of Internet applications, SaaS, social media and mobility. It uses Websense TruEmail DLP to identify confidential data, virtually eliminating false positives and negatives and delivering full workflow and reporting. It also uses TruHybrid deployment capabilities so that spam is filtered in the cloud before it hits a customer’s network. www.websense.com

CLOUD SERVER SECURITY CloudPassage is a server security and compliance product solely built for use in elastic cloud environments. It offers companies the ability to manage their own cloud security by leveraging a single solution that delivers multiple layers of defence for cloud servers. CloudPassage technology is built from the ground up to provide elastic security by automatically securing cloud servers when they burst or are cloned. Once security is set up on one server, all copies of that server, created later, will automatically adopt those security controls. www.cloudpassage.com

UNIFIED SECURITY ENGINE Commtouch’s unified Internet security solution brings together messaging security, web security and anti-virus into a single engine. The unified engine can be integrated into the products of security and networking vendors and into service providers’ infrastructure. Typical applications that would benefit from the unified engine are software or hardware solutions or services that combine multiple security technologies, such as unified threat management (UTM), secure content filtering gateways and SaaS security solutions. The three security technologies cross-enhance each other by sharing intelligence about Internet threats. www.commtouch.com


DATA LOSS PROTECTION DeviceLock’s DeviceLock 7 offers content filtering features for endpoint security. It addresses the needs of medium to large enterprises that require a solution to prevent unauthorized data loss from Microsoft Windows 7 endpoints. Its core component exerts contextual control over local data channels on protected computers. These include all peripheral devices and ports, connected smart phones, and even document printing locally or to the network. www.devicelock.com

USB SECURITY Kingston Technologies’ DataTraveler 4000 (DT4000) USB flash drive offers military-grade encryption to corporations that require high-level protection for sensitive information. The DT4000 is FIPS 140-2 Level 2 validated for the entire cryptographic module — not just the security processor. Also, the DataTraveler Vault — Privacy Managed (DTVPM) offers corporate customers centralized control of all USB activity. Leveraging SafeConsole server software from BlockMaster, the DTVPM solution offers advanced features including password control, device state management, file audit log and file restrictor options to control what file types may be saved to the drive. www.kingston.com

HARD DRIVE PUNCH MBM Corporation’s 0101 HDP hard drive punch provides drive destruction at the push of a button. No bigger than a standard centralized office shredder, the unit punches a hole completely through a hard drive rendering it unreadable. The destroyed drive then drops down into a storage bin to await proper disposal. It can be used on standard-size hard drives (2-1/2¨ or 31/2¨) from personal computers, laptops, notebooks, printers, copiers, PDAs and cell phones. www.mbmcorp.com

The Canadian Society for Industrial Security Inc. National Conference
Privacy and Security – A Matter to Know
May 29-31, 2011
The Delta Chelsea Hotel, 33 Gerrard Street, Toronto, ON
Nearest intersection: Gerrard/Yonge (easily accessed from Union Station, by subway, by street car, etc.)

Conference registration form, agenda and information about accommodations available at: www.csis-scsi.org



A S K A W AY

COMPUTER VIRUSES

WITH IT BEING THE 40TH ANNIVERSARY OF THE FIRST COMPUTER VIRUS, HERE IS A LOOK BACK AT THE ONES THAT HAVE HAD THE BIGGEST GLOBAL IMPACT.

In my research, I have learned that over the past 40 years, malware instances have grown from 1,300 in 1990, to 50,000 in 2000, to more than 200 million in 2010. Besides sheer quantity, viruses, which were originally used as academic proofs of concept, quickly turned into geek pranks, then evolved into cybercriminal tools. By 2005, the virus scene had been monetized, and virtually all viruses were developed with the sole purpose of making money via more or less complex business models.

STUXNET (2010)

According to most threat researchers today, only governments have the necessary resources to design and implement a virus of such complexity. To spread, Stuxnet exploited several critical vulnerabilities in Windows which, until then, were unknown, including one guaranteeing its execution when an infected USB key was inserted into the target system, even if the system’s autorun capabilities were disabled. From the infected system, Stuxnet was then able to spread into an internal network until it reached its target: a management system for an industrial process, developed by Siemens. In this particular instance, Stuxnet knew the weak point of a specific controller — perhaps a cooling system — and most likely intended to destroy or neutralize the industrial system.

Intriguing feature: For the first time, the target of a virus was the destruction of an industrial system (very probably a nuclear power plant in Iran). It was also the most complicated piece of malware ever discovered.

CONFICKER (2009)

A particularly sophisticated virus, it is both a worm, much like Sasser, and an ultra-resilient botnet that implements bleeding-edge defensive techniques. Curiously, it seems that its propagation algorithm is poorly calibrated, causing it to be discovered more frequently. Some networks were so saturated by Conficker that it caused planes to be grounded, including a number of French fighter planes. In addition, hospitals and military bases were impacted. In total, approximately seven million systems were infected worldwide.

Intriguing feature: Conficker did not infect Ukrainian IPs, nor machines configured with a Ukrainian keyboard. This suggests the authors were playing by the cybercriminal golden rule, which implicitly states, “Don’t target anything in your own country, and the arm of justice won’t be long enough to reach you.”

STORM BOTNET (2007)

By this time, cybercriminals already had lucrative business models in place, and they were thinking about protecting their money spinners (infected computers). Before 2007, botnets showed a cruel lack of robustness: by neutralizing its unique control centre, a botnet could be completely neutralized, because the zombies no longer had anyone to report to (and take commands from).

Intriguing feature: By implementing a peer-to-peer architecture, Storm became the first botnet with decentralized command. At the peak of the epidemic, Storm had infected between one and 50 million systems and accounted for eight per cent of all malware running in the world.

I LOVE YOU (2000)

At the dawn of the 21st century, the I Love You worm infected tens of millions of computers. A fairly simple worm, I Love You presented itself as an incoming e-mail with “I love you” in its subject line and infected the machines of users who opened the attachment. It then mailed itself to all of the contacts found on the infected user’s system.

Intriguing feature: While the author’s motivation clearly wasn’t about money, the damages were: when the dust settled, I Love You had cost companies around the world between $5 and $10 billion. Much of that cost can be attributed to the time spent “cleaning” infected machines.

According to the trends FortiGuard Labs is seeing, the next target for cybercriminals could be smart phones. Their widespread use and the fact that they incorporate a payment system (premium rate phone numbers) make them easy money-generating targets. Furthermore, they have a localization system, a microphone, embedded GPS and one (or several) cameras, which potentially allow a particularly invasive method of spying on their owners.

Graham Bushkes is the vice president of sales, Canada for Fortinet, a worldwide provider of network security appliances and unified threat management solutions.


DATA BREACHES

WITH ALL THE RECENT HIGH PROFILE BREACHES LEADING TO THEFT OF CONSUMER DATA, STATE SECRETS AND INTELLECTUAL PROPERTY, WHAT SHOULD MY ORGANIZATION FOCUS ON TO STAY OUT OF THE NEWS?

The recent high profile Epsilon, Wikileaks and RSA breaches are a sombre reminder that security is everyone’s responsibility. All employees have to understand they play a critical role in keeping a company’s private information and intellectual property safe. For those organizations that invest in easy-to-understand, scenario-based, self-paced security education, the results can lead to an increase in employee vigilance. While the payoff may be difficult to measure when the organization’s intellectual property and sensitive assets are not compromised, there is no mistaking that good education cannot hurt.

In addition to education, enforcement technologies such as those that control access to data, systems and applications can help. Structured access management can not only provide an important authorization function, but can also bring the ancillary benefits of backtracking on auditable events and, potentially, administrative cost savings.

Is it time for companies to also start investing in stronger means of validating a user’s credentials in more user interactions? Most likely, the answer is yes! Attempted breaches are going to continue to rise, and there are many strong authentication options that provide a seamless user experience.

At present, many organizations continue to focus on streamlining the granting of access, and more access along the way. Perhaps the focus should really be on removing access as soon as it is no longer needed, especially when employees leave the organization. In our world of increased technology dependency in our everyday lives, security vigilance is everyone’s business!

Tarun Khandelwal is a senior solution strategist for security solutions with CA Technologies in Canada.


marketplace

Respectful Workplace Education: “Because going to work shouldn’t hurt!” Awakening Wave Organizational Evolution, www.awakeningwave.ca.

AD INDEX

SUMMER 2011

For more information on any of our advertisers, visit them on the web

www.adt.com

www.fortinet.com

www.avigilon.com

www.hidglobal.com

www.avonsecurityproducts.com

www.honeywellsystems.com

www.awakeningwave.ca

www.iscsolutions.com

www.bitdefender.com

www.saintcorporation.com

www.csis-scsi.org

www.sccongresscanada.com

www.digital-identification.com

www.verisign.com



IN MY WORDS

by Gene McLean

WHEN ENOUGH IS ENOUGH

IS SOCIETY RELYING TOO MUCH ON VIDEO SURVEILLANCE CAMERAS TO PROTECT ITSELF?

One must be fully aware of the downside, or should I say the risk mitigation, of every security initiative he or she either considers or wishes to roll out. Take the closed-circuit television (CCTV) phenomenon for instance. In today’s marketing lingo, CCTV (aka video surveillance) has gone viral. This little item that in years past performed poorly on many occasions is now the global saviour to many. Many people think that video surveillance is the be-all and end-all to crime.

Policing authorities around the world will tell you this. Just take a look at the United Kingdom; you have no escape from video surveillance. As to statistics on how much crime is detected, diverted and/or prevented by the deployment of video cameras, I will leave that to my social science colleagues. My point here is that saturation has shown not to be the cure it was originally thought to be, but rather an over-used tool.

Here in Canada the use of CCTV has certainly increased over the last five years. One does not have to be in the security industry to observe its increased use; merely be observant about your surroundings, as everyone should be, and you will see CCTV in stores, in malls, in parking lots, attached to private properties and in doorways of private homes, just to name a few places. In large corporations, CCTV has continued to be rolled out in quite an aggressive manner. Does it increase the actual security of the premises, the physical assets, the safety of the working personnel? Does it reduce insurance claims and insurance costs to the business? Does it protect or violate the privacy of the employees as well? Does it violate and target union membership? For answers, I suggest you ask these questions of the director of security in these organizations.

For me, the question to ask is whether anyone in authority within the organization has spoken with the Federal Privacy Commissioner (if the organization is federally regulated) or with the appropriate provincial privacy officials about its use of video surveillance technology, and whether a Privacy Impact Assessment has been completed. If unionized workers are part of the employee base, has a discussion with union representation occurred? Has human resources expertise been involved in the decision-making process? What is the purpose of the CCTV program? If it is for ‘security’ reasons, then it must not be utilized for time management purposes, such as tracking employees who may arrive for work late, leave early, etc. If security personnel are approached by other business units within the organization requesting access to the video feeds, then the answer would be no. These cameras may be placed at entry/exit doors for security reasons, but they are not to be used for time management, nor placed near desks or other areas where persons could be identified.

For compliance purposes, and to ensure the corporation does not sway from its legal and ethical use of CCTV, clear policy and direction must be agreed to and published so everyone knows the use and application of the surveillance product. If security departments follow this protocol, it will reflect a professional and integrity-centred security approach that all employees, from entry level to executive, will clearly understand and respect. The use of CCTV to protect Canadians and Canadian businesses is not going to fade away. For me, however, its use is only going to get more complicated.

Gene McLean is the president of the Canadian Society for Industrial Security (CSIS) and principal in McLean Security Advisory + Associates Inc.


Shouldn’t you be demanding more from your SSL solution than just encryption?

The world’s leading SSL now gives you even more protection. VeriSign® SSL, now from Symantec, includes more than just industry-leading authentication and encryption. You can add a daily website malware scan for increased protection. You can make your customers feel more protected and generate more site traffic by displaying the VeriSign seal in search results. All at no extra cost. Chosen by over 93 percent of the Fortune 500®, VeriSign SSL is setting a whole new standard for online security and trust. See for yourself with a 30-day free trial at verisign.com/ssl/free-30day-trial

Copyright © 2011 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. VeriSign, VeriSign Trust, and other related marks are the trademarks or registered trademarks of VeriSign, Inc. or its affiliates or subsidiaries in the U.S. and other countries and licensed to Symantec Corporation. Other names may be trademarks of their respective owners.


iDEAL: COST-EFFECTIVE MIGRATION

Enhanced Security • Easy Installation • Multiple Applications • Flexible Technology

iCLASS®

Choose iCLASS® migration solutions from HID Global. HID iCLASS® smart technology has a lot going for it, now and into the future. You’ll get enhanced security through mutual authentication and encryption, and can add multiple layers of card-to-reader security using the iCLASS Elite program. The platform’s read/write technology opens the way to new functionality, while supporting legacy systems for an easy migration. Plus, it’s easy to install and afford. The security and new applications you want with the flexibility and economy you need — that’s what makes iCLASS migration solutions from HID the ideal deal. To explore access control technology migration, download your FREE whitepaper today at hidglobal.com/ideal-SecMat