Fashionable but vulnerable: mobile devices in the workplace

April 13th, 2012

Many organisations are replacing desktop PCs with laptop computers and rolling out tablet computers and smart phones to teams working outside of the office. These mobile devices are contributing to improved efficiency and are undoubtedly popular with employees, but they are also inherently vulnerable. To minimise the risks, organisations must develop specific mobile device management policies – and then enforce them.

The figures make interesting reading. In 2012, Gartner predicts that PC sales will reach about 400 million units worldwide. This sounds a lot, but Gartner also forecasts that over 600 million smart phones and 100 million tablets will be sold in the same period, indicating that mobile devices are now significantly outpacing traditional PCs in popularity.

An increasing number of these mobile devices is likely to be employed in corporate environments. Organisations, large and small, are now using tablets and other portable computing equipment to realise significant improvements in efficiency. Indeed, in a survey of 6,275 global organisations, conducted by Symantec (2012), 70% of respondents said they expected smart phones and tablets to increase employee productivity.

Whatever their potential value, mobile devices nevertheless pose an enormous security risk. They are, after all, easy to accidentally misplace and highly lucrative prizes for opportunistic thieves. If lost or stolen, smart phones and tablets could be used to gain unauthorised access to corporate systems, steal data and maliciously infect core business applications.

Given the risks, it is absolutely essential for organisations today to have a comprehensive mobile device management policy in place. This policy must cover security policy, application control, configuration control and a host of other precautions.

Ten important points to address in a company policy include:

  1. Password protection across all mobile devices, enforced for all users
  2. Encryption of all data on local memory and removable memory
  3. Methods of installing, disabling, removing and controlling permitted applications
  4. The use or prevented use of public WiFi networks and Bluetooth in some locations
  5. Provision and maintenance of anti-malware software
  6. Regular data back-ups
  7. GPS and tracking mechanisms to detect the location of devices
  8. Secure methods of connecting to the corporate network to exchange data (such as a virtual private network)
  9. Effective management of assets: who has mobile devices, where, when and why
  10. Access to IT support and maintenance for remote workers

Once a company policy has been developed, it is of course essential to enforce it. Employees must be educated on the importance and relevance of the policy and measures should be put in place to monitor their adherence.

Data in Use

February 7th, 2012

With the proliferation of keyloggers, Trojans and other malware, it becomes progressively more difficult to ensure that data being used is safe.  In fact, it may not be possible to state that data in use is ever truly secure given that any company is also dependent on the end user and how trustworthy he or she is.  So perhaps the first precaution that can be taken is to ensure that those that have access to the data actually need to access it.  It is also important to consider if a person does have access to data where can they access it from and how.  If data is highly secure, then really it should never leave the secure location where it is stored, whether that is on-premise or in the cloud, no matter who might be asking or how convenient it might be.

This issue becomes more of a concern when employees are being encouraged to work from home or are tempted to do work from an unsecured machine.

So the first step is identifying the required privacy of data (data discovery and classification is a useful task in itself) and who is allowed access to that data.  Then the appropriate access rights can be set up and procedures created on how that data is to be accessed.

Once the policy is in place, then technical solutions can be used to help enforce those policies.  To that end, it is important that data protection is part of the work flow and that the user is largely unaware of it where possible.  It should be part of what they do.  Full disk encryption (FDE) is a good first step and increasingly ‘invisible’ to the end user.  Whilst this may be considered as data at rest, it should be noted that FDE encrypts swap space which is arguably data in use.  Furthermore, it has to include all media.  For instance, data copied to a USB must be just as encrypted as the hard disk of the desktop or laptop.

Another technical solution that provides protection for company data is the use of a virtual OS on USB sticks.  This allows employees to plug this USB into any machine, have their familiar environment and still be private.  This allows employees to use home machines that may also be used by their family and yet maintain complete separation from that platform.

Increasingly, Data Leak Prevention (DLP) is being used to ensure that a foolish action does not publicise sensitive data, but this is a whole subject in itself; please see here for more information on DLP.

Good gateway protection implementing defence in depth continues to be good policy for the company infrastructure.  Locking down the user’s OS and keeping it and all applications patched with the latest and greatest releases is also key.  However, this frequently runs into issues where the danger of manufacturers introducing errors and hence vulnerabilities is contrasted with the vulnerabilities that are being patched.  It requires an understanding of what is being patched, a process to test before production and a way to roll back if an error is discovered that cannot be accepted.

Another way of controlling the desktop environment is application whitelisting, where only known applications are permitted to run.  This can impede productivity but, where it is possible, it can go a long way to reducing the chance of malware and of inadvertent disclosure.  As ever, the deployment of defence in depth is best practice, and some control at the gateway of a network is an extra precaution that is easy to deploy, manage and monitor.  There also remains little alternative to good desktop security.

In the end, the security of data in use is about risk mitigation.  However, with the current targeted attacks and the proliferation of zero-day threats, the risk level is high.  It is necessary that action is taken to implement the required precautions that reduce the risk to an acceptable level.

Network Box NBRS-5

January 30th, 2012

Network Box has revealed details of its new software platform called NBRS-5.0, which will be available in increments from the second quarter of 2012.  This new technology will be available free of charge to existing users of the Network Box device.  Redscan will be contacting customers that use Network Box later this year to arrange the upgrade.

NBRS-5.0 is both a platform and a product. Made up of a large number of security modules building upon a base platform, NBRS-5.0 provides comprehensive protection without sacrificing the functionality of the individual security modules.  Four main design goals anchor NBRS-5.0:

NBRS-5.0 is transparent
NBRS-5.0 applies transparency as a philosophical goal. The product is designed to have little impact on existing networks and to require as few changes as possible. Like a water filter, it filters the dirt (viruses, spam etc) from the water (network traffic) without affecting other flows.  The connection between the box and Network Operation Centre (NOC) is also simplified.  NBRS-5.0 boxes connect back to their management NOCs (or other Network Boxes in a cluster) using a single SSL-encrypted connection. The NOCs (and management boxes) then communicate with the box using these individual management links.

NBRS-5.0 is holistic
Most UTM systems today reduce the complex problem of network security down to its fundamental parts (such as anti-virus, anti-spam and firewall etc) and deliver these as individual solutions. Although named ‘Unified’, in practice this approach does not lead to unification – other than that they are all running and maintained on the same appliance. To put it simply, the administrative interfaces are still broken apart by module.  NBRS-5.0 is designed, from the ground up, to provide a Holistic Security Management platform, and to extend that platform with security modules that both fit and work together in a holistic manner.  Several key technologies (including an entity model, unified logging and configuration) contribute to a single Holistic User Interface.

NBRS-5.0 is scalable
Capacity planning is a continuing problem for computer systems, as traffic and usage patterns continue to increase. Scalability is the key to meeting this goal. NBRS-5.0 addresses scalability in two ways: in-the-box by supporting multi-core and multi-cpu appliances and out-of-the-box with fundamental support for clustering of boxes into a single seamless solution.

With both high-availability and load-balanced approaches, the cluster can be centrally managed, and traffic will be balanced both within the box (across CPU cores) and within available cluster devices. Unified logging and configuration systems make configuration seamless – a single change to a parameter is replicated and deployed across the cluster (either within an office, or across a globally dispersed organisation). Cluster configuration and log replication are automatic and can be flexibly deployed in a variety of configurations.

NBRS-5.0 is modular
NBRS-5.0 is designed as a base platform, with security service components that can easily be installed and removed. The base platform consists of a kernel, a user space tool chain, a logging system and a configuration system.  Essentially it is like an extremely sophisticated router; it is the security service components that provide the UTM+ functionality.

The advantages of this base platform approach are a reduction in firmware size (both in memory and on disk), no requirement for installation of services not required, simplification of deployment and, most importantly, a clarity of thinking in what is being provided.  Individually, the components of NBRS-5.0 aim to be best in class and, working together, they will combine to provide an effective, affordable and comprehensive network security system.

Redscan will make NBRS-5.0 available to all of its Network Box customers and will contact customers later this year to discuss the upgrade.  NBRS-5.0 will be supported on all current hardware (the S-, M- and E-class boxes released over the last five years) and should not require any hardware upgrades. However, if extra functionality is enabled and used, customers may require extra hardware capacity.

Look back: A review of the threats faced in 2011

January 24th, 2012

Redscan proactively monitors and maintains Network Box security solutions on behalf of its customers in Europe and is part of a network of similar operations centres Worldwide. These products generate extensive statistics that provide a unique view into what is happening in the real world. This article examines the statistics collected in 2011 and explains what they reveal.

There is a great deal that can be gleaned from customer systems. When statistics from many different organisations, of different sizes, from different industries, in different countries are amalgamated and analysed, they provide a useful insight into the true nature of security threats. These trends are not only interesting to observe, but are also invaluable in helping companies to determine future security policies. The statistics gathered in 2011 reveal:

  • A new security signature was released every 8.1 seconds
  • Malware attacks escalated by 68.1% in 2011, as compared to 2010
  • Attacks using firewall technology increased by 13.1% on the previous year
  • Small businesses – not just large organisations – were targeted with denial of service (DoS) and distributed denial of service (DDoS) attacks
  • A larger proportion of IT managers are imposing restrictions on web site usage

In 2011, Network Box Security Response PUSHed out 7,125 updates, which was down 39.2% on 2010. However, the number of signatures grew 25.9% to 3,880,267. This apparently contradictory statistic reflects the continued move to cloud-based signature systems (such as Network Box’s Z-Scan and NBCP content categorisation systems). So the number of signatures per update fell, while the number of signatures released increased. This is a trend that is destined to continue, as traditional signatures remain the most effective against the depth and breadth of malware, whilst cloud-based signatures are emerging as the most effective solution for zero-day outbreaks. The result is that there was approximately one new signature every 8.1 seconds in 2011.

During the year, the average Network Box blocked 208,081 spams which is down 55.8% from 2010, but malware is up 68.1% on 2010 to 8,008. The reduction in overall spam volume is due to the large-scale takedown operations against botnets and their owners that have occurred, as botnets are the single biggest source of spam. However, the reduction in spam volume is somewhat masked by the increased use of pre-scan filtering such as RBL blocks at the envelope stage and recipient address verification (for an explanation of envelopes, click here). Such envelope-stage blocks are effective against a huge amount of spam (currently estimated at around 35%, globally). Messages, both spam and malware, blocked at the envelope stage do not appear in our reported figures for ‘messages blocked as spam and malware’.

The 2011 statistics reveal that the average Network Box blocked 9,191,536 attacks during the year using firewall technology. Such attacks were up 13.1% on 2010, which could indicate that hackers believe that firewalls can be badly configured and are worth probing for vulnerabilities, either in the firewall itself or just as a way of accessing the network behind. Intrusions were down 18.3%. It should be noted, however, that such network-level attacks are an unavoidable consequence of being connected to the global Internet.

The trend away from attacks composed of mass-mailed spam and malware towards attacks of targeted/mass vulnerability exploit continued during 2011. One worrying new pattern was the increase in relatively low-impact denial of service (DoS) and distributed denial of service (DDoS) attacks. In the past, DoS and DDoS have used hundreds of megabits of bandwidth, but 2011 saw a large number of such attacks in the tens of megabit category targeting small organisations. Whilst larger enterprises have deployed protection against this form of attack, many smaller companies haven’t and are therefore vulnerable.

In 2011, the average Network Box blocked 1,663,284 websites due to company content filtering policy, which is up a massive 45.5% on 2010. When this is compared with the 45,838,221 website URLs visited on average over the year (which is only up 12.8% compared with 2010) this indicates that IT managers are imposing more controls to implement their company’s policy. The growth in bandwidth usage – and web usage, in particular – continues, driven by the increase in web-based applications, social networking, cloud-based solutions and smart mobile devices.

Potential IT security issues in 2012

January 19th, 2012

January is a good time of the year to look ahead and consider how emerging new technologies and solutions might impact your business.  Redscan’s Simon Heron describes eight key trends that could have serious implications for IT security.

As always, the pace of technological innovation is fast and getting faster.  Yet, at the same time, the work place is changing significantly, driven by organisations’ need to become more competitive and efficient.  These two factors together mean that there is a lot of change on the horizon for 2012.

As the New Year progresses, IT professionals will need to be prepared for the following emerging trends and technologies:

Bring Your Own

The increase of Bring Your Own (BYO) devices, where employees are allowed to use their tablets, smart phones and laptops on the company network, is not going to stop.  The desire to blur the boundary between work and leisure is compelling, not just from the new generation Y coming into the work place, but as a way for companies to maximise the use of their workforce in the light of international competition from the Far East.  This will create a problem for IT departments, as they work out how to protect their organisations.

IPv6 Uptake

The last of the IPv4 addresses have been handed out to local authorities and, in some areas, these have already been allocated.  Microsoft bought 666,624 IP addresses belonging to Nortel at the liquidation sale for US$7.5 million, which puts the cost at US$11.25 per IP address.  This suggests that the price of IPv4 addresses is set to rise.

In 2012, this issue will affect websites that host their content on IPv4-only servers, and smart businesses will want to get an IPv6 address in addition to an IPv4 address, so that when the transition to IPv6 does come, they will be prepared.  IPv6 isn’t backward-compatible with IPv4, but companies could “dual stack” their servers.  However, a more cost effective approach will be to install firewalls that can be configured to offer IPv6 on the external, internet-facing side, and IPv4 on the LAN or Demilitarised Zone (DMZ) side, hence not disturbing the company network and minimising costs, as organisations can leave legacy systems in place that only deal with IPv4.

Web-Based Attacks

As more and more systems move “into the cloud”, web-based attacks (such as XSS, SQL injection and DDOS etc) will continue to gain ground.  Companies increasingly depend on their websites, and these ‘shop windows’ allow prospective customers to browse and hopefully, buy their products or services.  If this web site becomes infected or unavailable, the company suffers not just from the immediate loss of business, but from a much longer term loss of trust.  Will customers ever want to buy from a site that has been infected or leave their credit or debit card details on a site where they might be abused or buy with the fear that the products or services might not be delivered?  In 2012, the focus will be on more testing and stronger defences.

Facebook and Twitter Accounts

It seems that more and more sites are presenting the option of logging in through Facebook or Twitter accounts.  In some cases, it is becoming exclusive.  If you want a Spotify account, you need to get a Facebook account first.  Turntable.fm is another music-sharing service that requires a Facebook account, but even sites that are not exclusive make it difficult to find out how to log in without using either Facebook or Twitter.  If this trend continues, then one username/password pair will access multiple accounts, and this is something that has traditionally been considered bad policy.  However, perhaps more of a concern is that Twitter and Facebook have been hacked in the past and it is likely that they will be targeted again in the future.  Just how much fun a hacker will have with this is something that is a worry.

Near Field Communication

Near field communication (NFC) technology for mobile payments or peer-to-peer networking makes it easier to do everything from paying for your burger to exchanging data.  But there have been a number of vulnerabilities, including poor algorithms and bad implementations, and thieves have been able to use services they have not paid for or take money from unsuspecting users.

Currently, you can buy the Google Nexus S phone, which carries an NFC chip and the Google Wallet companion app for syncing your credit cards to your phone and making mobile payments at participating vendors.  Meanwhile, RIM is putting NFC chips into newer phones such as the BlackBerry 9900, and recently it introduced Tag, a RIM-specific feature that allows BlackBerry users to transfer contact information and documents.  Will this allow data leakage or IP theft?

The latest version of Android, Ice Cream Sandwich, is built to let app developers take advantage of the many uses for NFC, such as setting up peer-to-peer connections between phones simply by tapping the phones’ backs to each other. So without a doubt, in 2012 you’ll see more phones with these chips built into them, as well as more apps that employ the technology.

Processing in the Cloud

Some devices such as smartphones, tablets and even cameras have the ability to process complex information on remote servers.  Apple’s Siri is a good example where this virtual assistant sends the voice request input from an iPhone 4S to Apple’s data centres which then process the audio, identify what is required and send the answer back to the phone.  Google does this with pictures taken by the user.  A picture of a book or landmark taken by a user is sent to and analysed at a Google data centre, which returns a search page relevant to the image.

This way of enhancing the processing power of the smart device is only going to increase with more information being ‘invisibly’ sent to the cloud for processing.  The boundaries of where data is allowed to reside will, as a result, expand without the explicit knowledge of the data owner, and this could mean that a company becomes non-compliant with industry regulations.

HTML 5

Hopefully the take up of HTML 5 will mark an improvement in website security.  It will remove the need for using Adobe Flash with all the vulnerabilities that this application has introduced over the years.  In November 2011, Adobe announced it would no longer develop its mobile Flash Player, because HTML 5 has been better received.  In some cases, HTML 5 will replace the need for apps, and this can only improve the security landscape.  Furthermore, this technology should make it easier and cheaper for developers to introduce interactivity into browsers as they no longer need to buy and install proprietary plug-ins to create click-responsive graphics or to embed video.

Reduction in the Use of Optical-Disc Drives

How often are optical discs used these days, given that a movie can be downloaded in two minutes at any airport or coffee shop?  The answer is: not often.  What is more, when optical discs are used, these tasks frequently could have been done in a number of alternative ways.  So in 2012, there will be fewer laptops with optical drives, which means that at least one way of infecting the network is going to be removed.  This is not a huge benefit, but something positive in light of the usual glum predictions!

Fewer Tablet Manufacturers

Another bit of good news, given the trend towards BYO, is that the number of tablet manufacturers is likely to reduce.  Whilst there is a good market for tablets, there is currently a huge number of companies trying to get into the space with tablets that are no match for Apple’s iPad.  However, a few will get it right and will be able to compete in the long term; the others will fall by the wayside, simplifying the network landscape.

Dormant but Dangerous

January 17th, 2012

Generally, data is considered to be either ‘at rest’, ‘in transit’ or ‘in use.’ When putting data security measures in place, it is important to consider data in all three of these states and address the particular risks associated with each. This article examines data at rest and proposes strategies to minimise the dangers inherent to data in this state.

The Information Commissioner’s Office (ICO) has been given the ability to fine organisations up to £500,000 if it deems that they are not taking data security seriously. Consequently, IT managers must ensure that they don’t overlook the potential risks associated with data at rest.

The first precaution is simply not to collect data that is not required. This seems obvious, but it is surprising how much data is stored needlessly, increasing the risk profile for a company.

Another is to actually locate data. It is commonplace for companies to discover data that had been totally forgotten about when they carry out data discovery. By ‘shredding’ data that is not required, the task is simplified from an infrastructure point of view, as well as for security and compliance.

Data classification is a good step in understanding data, but it can be a difficult task to determine what is confidential and what is not. Frequently, what appears harmless can give a hacker or social engineer an advantage. The basic defence here is full disk encryption (FDE) and embedding the process in the company procedures. FDE will go a long way to protect against data going missing. It is not a panacea; users will forget their password, will use the same password everywhere, will choose a simple password or write down a complex one and stick it on their monitor. However, as evidenced in many news stories this year, this simple precaution would have saved many companies from data loss when laptops and digital media went missing.

There are a number of other strategies to make data at rest safer. A classic approach is to split the data across a number of servers (called secret sharing) so that a hacker would have to hack all the relevant servers before accessing the data. Another way of improving security is split-key cryptography. In this situation, instead of reassembling the key to use it, part of the cryptographic calculation gets run on one computer with part of the key, then the document gets moved to a second computer where the second half of the calculation is carried out with the second part of the key. The challenge with split-key cryptography is making it part of the work flow, so that administrators and users find it transparent.

A novel solution against both insider and outsider attacks is to inflate all data to many times its actual size, so a database that would have normally occupied 10 gigabytes of storage would then use 10 to 20 terabytes. Any thief would immediately run into problems of scale copying or downloading this data. Even if attackers just try to access a small portion of the data, they will still have issues, as the real data is probably stored across a number of shares, effectively implementing secret sharing. This approach does mean that the owner has to have a large infrastructure, but for companies considering this strategy, the cost of hard drives is not going to be significant against the value of the data.

One strongly recommended precaution is to keep the encryption appliances separate from the database server. This again ensures that a hacker has to compromise two machines rather than just one. There is not much point in encrypting data if the key to decrypt it is easily at hand.

It is also important to consider the security of any backups taken and make sure that they are fully encrypted. Frequently, backups are kept off site and with a third party whose security may not match the company’s, so whilst off-site backup is very important, it provides another way to access that data. However, with encrypted backup, the trustworthiness of the individuals at the remote site is a lesser concern than with unencrypted backups. Obviously, the desired position is that the third party shares the same security posture as its customer.

Finally, organisations should review the security at their data centres and take into account the full lifecycle of their hardware. Hard discs eventually leave data centres, can be stolen, lost, retired, repurposed or broken. In all these cases, they will have data on them that may be sensitive. Company policies must be written and enforced to ensure that data cannot fall into the wrong hands in this way.

VoIP: The Danger of Open Ports

January 4th, 2012

Redscan engineers recently carried out a test.  They installed a Sipera UC-Sec 100 appliance behind a firewall on our test network and left the SIP ports, TCP 5060 and 5061, open to the internet.

The aim was to see how long it would take for the system to be attacked.  Over a series of tests it was found that it took from 24 to 48 hours for the Sipera system to come under attack.  The usual approach was a “Registration” attack where the hacker or ‘bot’ attempts to authenticate itself with the PBX.  These attempts are reported as “Routing Failures” and can be seen below.

Log of Registration Attack

The Sipera UC-Sec 100 device is designed to withstand such attacks, but many IP-PBXs are not.  If these attacks had been launched against an undefended and vulnerable system, it would have been possible for the hacker to register as an authorised user of the system.
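The screenshot of the routing-failure log is not reproduced on this page. As an added example (not Redscan's or Sipera's code, and not tied to the real UC-Sec log format), this Python counts failed REGISTER attempts per source address over a constructed, syslog-like log and flags any source that exceeds a threshold within a short window, which is the trace a registration attack leaves behind:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format for a routing failure; the real UC-Sec format will differ.
FAILURE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \S+ routing-failure "
    r"src=(?P<src>[\d.]+) method=(?P<method>[A-Z]+) user=(?P<user>\S+)"
)


def parse_register_failures(lines):
    """Return (timestamp, source ip, user) for every failed REGISTER in the log."""
    events = []
    for line in lines:
        m = FAILURE_RE.match(line)
        if m and m.group("method") == "REGISTER":
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group("src"), m.group("user")))
    return events


def detect_registration_attacks(lines, threshold=5, window=timedelta(minutes=1)):
    """Flag sources with at least `threshold` failed REGISTERs inside any `window`.

    Returns {source ip: {"failures": total count, "users": distinct usernames tried}}.
    A single mistyped password never reaches the threshold; a scanner walking
    through extensions does within seconds."""
    by_src = defaultdict(list)
    for ts, src, user in parse_register_failures(lines):
        by_src[src].append((ts, user))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        times = [ts for ts, _ in events]
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = {
                    "failures": len(events),
                    "users": sorted({user for _, user in events}),
                }
                break
    return flagged


# Constructed sample: one source walking through extensions, one legitimate user
# failing once, and an unrelated INVITE routing failure.
SAMPLE_LOG = """\
2012-01-03T22:14:07Z sbc1 routing-failure src=203.0.113.45 method=REGISTER user=100 reason=auth-failed
2012-01-03T22:14:08Z sbc1 routing-failure src=203.0.113.45 method=REGISTER user=101 reason=auth-failed
2012-01-03T22:14:08Z sbc1 routing-failure src=203.0.113.45 method=REGISTER user=102 reason=auth-failed
2012-01-03T22:14:09Z sbc1 routing-failure src=203.0.113.45 method=REGISTER user=103 reason=auth-failed
2012-01-03T22:14:10Z sbc1 routing-failure src=203.0.113.45 method=REGISTER user=104 reason=auth-failed
2012-01-03T22:14:12Z sbc1 routing-failure src=203.0.113.45 method=REGISTER user=105 reason=auth-failed
2012-01-03T22:20:31Z sbc1 routing-failure src=198.51.100.7 method=REGISTER user=2001 reason=auth-failed
2012-01-03T22:21:02Z sbc1 routing-failure src=198.51.100.7 method=INVITE user=2001 reason=no-route
""".splitlines()

if __name__ == "__main__":
    for src, info in detect_registration_attacks(SAMPLE_LOG).items():
        print(f"{src}: {info['failures']} failed REGISTERs, users tried {info['users']}")
```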

Why is this a concern?  Toll fraud is the primary threat.  A hacker who can register as a legitimate user can make telephone calls at the owner’s expense.  A typical scenario is a hacker in a remote country, say Azerbaijan, registering with a PBX in the UK.  He or she then calls a premium rate number in a third country, Ethiopia, for instance.  The hacker owns this premium rate number, so every call made to it makes them money at the expense of the company under attack.  Over a weekend or a few evenings, this can really mount up; £50,000 is not unusual.

This attack is very hard for a company to combat.  First, the company is responsible for all calls made from an unsecured PBX, so it must pay its provider.  Second, if it wants to prosecute, it has to identify where the hacker came from.  The source might be in Azerbaijan, but that could be a proxy for the hacker, who might well live in another country.  As for retrieving the money from the premium rate number provider: the calls were handled in good faith, so it is unlikely any money will be returned!  The moral of this tale is “Buyer Beware”.

DNS Changer Lives

November 15th, 2011

Despite federal prosecutors’ recent success against the infrastructure of DNS Changer and the prosecution of seven Eastern Europeans, it appears that the malware itself still survives.  With its ability to infect systems and change their DNS settings so that users are redirected to websites of the scammers’ choosing, DNS Changer allows criminals to make money through a series of ploys; the method of choice of the seven accused was to exploit click ads.  It affects both Macs and Windows systems and it has been around for over five years, so it is a pretty serious threat.

So how do you find out if you are infected?  Check your DNS server settings.  On Windows open a command prompt and type “ipconfig /all”.  This returns a plethora of information but just look for the “DNS Server” entry.  On a Mac, in “System Preferences” select “Network”, and from there select “Advanced”.

Infected systems will show IP addresses in the following ranges (from the FBI):

  • 85.255.112.0 – 85.255.127.255
  • 67.210.0.0 – 67.210.15.255
  • 93.188.160.0 – 93.188.167.255
  • 77.67.83.0 – 77.67.83.255
  • 213.109.64.0 – 213.109.79.255
  • 64.28.176.0 – 64.28.191.255

Companies will need to check their servers and their routers to ensure they have not been compromised.
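As an added example (not part of the original post), this Python performs the check described above: it pulls the DNS server entries out of `ipconfig /all` output, or out of a Unix-style resolv.conf, and tests each one against the FBI ranges listed in the post. The ipconfig output embedded below is constructed.

```python
import ipaddress
import re

# Ranges of the rogue DNS servers published by the FBI (as listed in the post above)
ROGUE_DNS_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Turn each first/last pair into CIDR networks so membership tests are exact
ROGUE_NETWORKS = [
    net
    for first, last in ROGUE_DNS_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
]


def is_rogue_dns(address):
    """True if the address falls inside one of the DNS Changer ranges."""
    try:
        ip = ipaddress.IPv4Address(address)
    except ValueError:  # IPv6 or garbage: not in the published IPv4 ranges
        return False
    return any(ip in net for net in ROGUE_NETWORKS)


def dns_servers_from_ipconfig(text):
    """Pull every DNS server out of `ipconfig /all` output.

    ipconfig prints the first server on the 'DNS Servers' line and any further
    servers on continuation lines that carry only an address."""
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        head = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)", line)
        if head:
            servers.append(head.group(1))
            in_dns_block = True
            continue
        cont = re.match(r"\s+([0-9A-Fa-f.:%]+)\s*$", line) if in_dns_block else None
        if cont:
            servers.append(cont.group(1))
        else:
            in_dns_block = False
    return servers


def dns_servers_from_resolv_conf(text):
    """Pull nameserver entries out of a Unix-style /etc/resolv.conf."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def check_servers(servers):
    """Pair each configured server with a verdict; any True means the machine uses rogue DNS."""
    return [(server, is_rogue_dns(server)) for server in servers]


# Constructed sample of `ipconfig /all` output from an infected Windows machine
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Description . . . . . . . . . . . : Constructed Ethernet Adapter
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Default Gateway . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       8.8.8.8
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

if __name__ == "__main__":
    for server, rogue in check_servers(dns_servers_from_ipconfig(SAMPLE_IPCONFIG)):
        print(f"{server:>16}  {'ROGUE (DNS Changer range)' if rogue else 'ok'}")
```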

Security Essentials: Data Loss Prevention – Technology is Just the Start

October 5th, 2011

The data revolution gains pace, and data is massively more accessible and transferable than ever before.  Not all data is equal; some data is more sensitive than other data, but the vast majority of data is sensitive in one way or another.  It might be regulations that require data to be held securely, data that holds the company’s intellectual property, or just communications between individuals that are not for public consumption.  The downside can range from embarrassment to increasingly large fines, but they all threaten the viability of an institution.

The issue is that with so many applications able to transmit data, it is increasingly easy to make an irretrievable error. It does not necessarily have to be an unfortunate typo; it can simply be ignorance of the risk an individual is taking, as highlighted recently by a medical student, presumably intelligent, copying encrypted data to an unencrypted USB memory stick and then losing that memory stick. In addition, there is the increased expectation of working from home, and the loss of data that occurs whilst in transit and at home.

So technology has been created to try to prevent unintentional data leaks: the increasingly ubiquitous Data Loss Prevention (DLP), which implements an automated corporate policy to catch protected data before it leaves an organisation. There are numerous technologies that can be used:

  • Deep content inspection: looking at the payload in the packet to see if key data is present.  Regular expressions are used to provide some flexibility in what is searched for.
  • Contextual Analysis: looking at more general aspects of the data: who is the originator, who is the recipient, whether this communication is allowed at this time, and similar attributes.
  • Data Dictionaries: providing standard algorithms (catching credit card and Social Security numbers, for instance) or standard phrases and lists of words and their synonyms.
  • Centralised management framework to allow company policy to be set.
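An added example (not from the original post) of the first three techniques working together: regex-based deep content inspection, a data-dictionary algorithm (the Luhn check on card numbers, so that random digit runs are not flagged) and a contextual rule on sender and recipient. The allow-listed domains and the message are constructed.

```python
import re

# Deep content inspection patterns. Card candidates: 13-19 digits with optional
# space or dash separators; SSN: the AAA-GG-SSSS layout with invalid groups excluded.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Contextual rule (constructed): card data may only go from finance to the bank.
ALLOWED_SENDER_DOMAIN = "finance.example.com"
ALLOWED_RECIPIENT_DOMAINS = {"payments.bank.example"}

def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, the 'standard algorithm' a data dictionary
    applies so that arbitrary digit runs are not reported as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def inspect(payload: str) -> dict:
    """Deep content inspection of one message body; card candidates are kept
    only if they pass Luhn, SSNs only if they match the layout rules."""
    cards = [re.sub(r"[ -]", "", m.group(0)) for m in CARD_CANDIDATE.finditer(payload)]
    return {"credit_card": [c for c in cards if luhn_ok(c)],
            "ssn": SSN.findall(payload)}

def policy_decision(payload: str, sender: str, recipient: str) -> str:
    """Combine content hits with the contextual rule: allow clean messages,
    allow sensitive data only on the approved sender/recipient pairing."""
    hits = inspect(payload)
    if not any(hits.values()):
        return "allow"
    sender_ok = sender.rsplit("@", 1)[-1] == ALLOWED_SENDER_DOMAIN
    recipient_ok = recipient.rsplit("@", 1)[-1] in ALLOWED_RECIPIENT_DOMAINS
    return "allow" if sender_ok and recipient_ok else "block"

# Constructed message: a Luhn-valid test card number and a sample SSN.
SAMPLE = "Please charge 4111 1111 1111 1111 for employee 123-45-6789."

if __name__ == "__main__":
    print(inspect(SAMPLE))
    print(policy_decision(SAMPLE, "clerk@finance.example.com", "ap@payments.bank.example"))
    print(policy_decision(SAMPLE, "clerk@finance.example.com", "someone@webmail.example"))
```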

The trouble is that the technology is just one element of the solution. There is little doubt that, whilst DLP software and devices can help, no single software solution can encompass all aspects of DLP, as different types of data face different threats and hence need different controls. As with so much of security, the answer is not just the tin: the people and the processes put in place count as much, if not more. So before you invest in a system, make sure you are ready for it and that it is appropriate to your organisation.

So what needs to be done?

The first step is a Risk Assessment: this should have already been done but if it hasn’t, then use this opportunity to carry one out.  It will define what your risks are and it may be that DLP is not the most urgent requirement.  If DLP is required, and it probably is, then this assessment should identify:

  • The different types of data inside the company
  • The value of the data
  • The threats and vulnerabilities relating to that data
  • What losses cannot be tolerated

The other important issue to consider is Regulatory Requirements. Identify what regulations govern your industry with regard to data loss; this may drive the requirement for DLP. In the UK, the OFT has been given the power to fine companies significant amounts of money if it can be shown that the security of data was not taken seriously, though it has rarely done so. However, it does take a dim view if there is no attempt to adhere to those regulations, and it is wise to put in place the expected practices. So consider what controls have to be put in place in light of these regulations.

If, from this, you conclude that DLP is required, the next step is to identify the scope of the DLP project and define goals for each stage. Most organisations have a lot of data and multiple avenues for leakage, so DLP can be a large undertaking and may require a staged approach, targeting the most valuable data or the most frequent sources of loss first.

As part of this exercise, it is important to carry out data discovery and classification:

  • Identify where the sensitive data is
  • Where it should be
  • Where it is allowed to be
  • Classify your data – structured, unstructured, confidential, secret, etc.

This important step will enable you to define the rules for any application that you install. It may sound obvious, but many systems have rules that do not match requirements and, when implemented, produce major issues for the business.

Whilst you might hope that the people, procedures and technology you put in place will save you from data loss, it is important to plan for the worst. The creation of an Incident Response plan, defining the strategy if data does go missing, is essential. It should be well defined and must be carried out swiftly should an incident occur. It is also important to ensure that the workforce know their part in the plan. People speaking out of turn can turn a manageable incident into a crisis.

Unfortunately, all these activities take time, so you need to ensure that someone has the time to carry out these initial duties along with the ongoing requirements of managing a DLP programme. Do you have the required expertise in house, or will you need to outsource it or go for training? Be aware that if you bring this in house, your resource must have time to keep aware of issues and keep the policies up to date.

Finally, an ongoing budget will need to be allocated to this project. This is particularly important if, in light of this work, the decision is made that one or more applications are required. The budget will need to cover not just the cost of the application(s) you identify as relevant but also the training and ongoing management closely associated with them.

If you cannot commit to these steps then the purchase of DLP software may not be a wise option. Your supplier should be able to help you work through this, but only you or your management will be able to say if DLP is going to produce a beneficial result.

Is your phone exchange being used illegally?

September 9th, 2011

Unified Communications (UC): if it doesn’t increase your company’s productivity and connectivity, it isn’t being used right. So, let’s be clear, it is a good thing; the productivity element is hard to really evaluate, but once you use it, you don’t want to be without it. However, UC can open up the possibility that you could be the victim of an expensive scam: Toll Fraud. An unsecured PBX is an invitation for a hacker to re-route hundreds of premium-rate calls through your exchange, leaving you footing a bill that can easily run into tens of thousands before you even know it’s happened.

This is one threat that does not care how big or small your company is; it is simply automated to find systems that are unsecured. It means that you need to check that the system is not only working right but is also secured. The problem is that, although technically you have been hacked, under current legislation the owner of an improperly secured PBX is responsible for any charges incurred by it.

We are seeing companies that have gone ahead without considering the security implications fall victim to this scam, so in conjunction with Sipera we are giving a webinar. It will obviously focus on Sipera’s solution, which we believe is best in class when it comes to security and total cost of ownership; however, it will also provide information on the risks of Toll Fraud, discuss the threat and the devastation it can cause, and talk about how you can prevent it happening to your company. If you want to join us on Wednesday 28th September at 3pm then please sign up here.