Beware of the local cloud


A new wearable device is currently being crowdsourced called the ReVault. On the face of it, it looks like a fairly standard smartwatch – but its secret weapon is invisible – your own local cloud.

The Revault watch comes in both 32GB and 128GB variants and can connect to your phone, tablet or even PC as a wireless hard drive. The pitch is that you can keep one copy of your data on your watch and then access it across all your devices, without needing to sync each one to a PC or a cloud in advance. You can even access this data when you have no internet connection, as it connects locally via either Bluetooth or WiFi, so this local cloud will work in places where you can’t connect to your regular cloud services.

The idea of separating physical storage from your device is not a new one, although it has faded away in recent years due to Cloud storage offerings and manufacturers being able to charge more for high-capacity flash storage models. Having a memory card in your phone is seen by some as an advantage: you can get additional storage (including capacity far outreaching the device manufacturers’ options, for a lot less), plus the flexibility to move your content to your next device, again without the additional cost of a pricier high-capacity model.

Portable wireless storage could be the replacement for memory cards as it has distinct advantages and doesn’t require the device manufacturers to physically include compatibility – which is something they have little incentive to do.

A real concern is when these devices, personally owned by employees, are taken into the workplace. Many companies block the use of USB storage and block public cloud services; however, as the Revault relies on neither a physical nor an internet connection, such devices are unlikely to be caught by a standard company security policy built around those two controls.

The Revault will probably be a niche product, and the chances of copycat devices or functionality remain uncertain at this point. However, the strength of this crowdsourcing campaign could play a vital role in its success if personal clouds become relevant to a larger market. One thing is certain though: new devices will always test your security practices, and you will need to be vigilant to safeguard your corporate data from the ever-evolving and unmonitored consumer device and services market.


Week’s Technology News – 27th February 2015

Boards acknowledge cyber risk on their 2015 agenda

Back in 2013, following a KPMG report that cyber leaks at FTSE 350 firms were putting the UK’s economic growth and national security at risk, the heads of the UK intelligence agencies MI5 and GCHQ asked leading businesses to take part in a Cyber Governance Health Check. The results were a stark wake-up call.

As we reported in our blog on 19th December, Board engagement is pivotal to the success of any cyber security plan and to thwarting the eye-popping 80% of attacks in 2014 that were preventable.

The 2015 Cyber Governance Health Check has just been published and reveals that 88% of companies are including cyber risk on their Risk Register, with 58%+ anticipating an increased risk over the next 12 months. However, only 21% say their boards get comprehensive information, and only 17% regard themselves as having a full understanding of the risks. This is clearly insufficient in the light of the continuing squeeze on data security and compliance measures.

You do not have to be a FTSE 350 company to want continued trust from clients and the comfort of having up-to-date data security measures. So wake up and smell the budding roses of 2015 and do your own health check review now:

  • Re-evaluate what the unique crown jewels of your organisation are (key information and data assets), as they may have changed in the last 12 months.
  • Review risk from any 3rd party suppliers and avoid contractual complacency – get into active compliance.
  • Be pro-active about risk and create a competitive advantage over rivals.
  • Arrange for a ‘pen test’ and get in shape to be security fit for purpose in 2015.


Windows Server 2003 is dying – but Windows Server 2012 will offer an elixir

With the forthcoming end of life for Windows Server 2003 and the cessation of support from Microsoft on 15th July 2015, the effect will be severe for the many businesses still running this server in their data centre, leaving them exposed to cyber attack unless considered steps are taken now to plan for an upgrade.

Microsoft’s own survey recently confirmed that there were 22 million ‘instances’ (database environments) with WS2003 still running.

Organisations clearly need to plan their migration strategy – and quickly – if they are going to protect their infrastructure. End of support means no patches, no safe haven and no compliance. Any company continuing to run WS2003 beyond July will fail regulatory compliance audits, which could result in losing commercial contracts. So delays are not only expensive but highly risky.

The advances in the data centre with Windows Server 2012 R2 offer integrated virtualisation of compute, storage and networking, along with enterprise-class scalability and security. The Cloud options of Microsoft Azure and Office 365 will deliver applications faster and increase productivity and flexibility – and take away risk.

Security implications

  • Software and hardware compatibility – if you are running a mixture of physical and virtualised servers, then priority should go to addressing the physical assets, as most WS2003 licences are tied to the physical hardware.
  • Compliance against many industry requirements has moved from a best-practice ‘good to have’ to a mandatory requirement, so there is no option.
  • Payment Card Industry Data Security Standard (PCI DSS) v2, v3 – you will fail to provide adequate assurance levels to meet the requirements of PCI.
  • UK Government – connecting to the Public Services Network (PSN), whether through an assured connection or via an Inter Provider Encryption Domain (IPED), will be a headache if updates cannot be supported securely.
  • Industry standards such as ISO 27001:2013 and the Cloud Security Alliance all require you to ensure your systems and applications are up to date.
  • Disaster Recovery and Resilience – how do you re-start servers that are no longer supported? If DR is key to your business then migrating is a necessity, and it will be fairly expensive.

Planning to move

  • Integrate your servers and their lifecycle into your strategy and risk management process.
  • Check what the servers do for you and carry out a data mapping, flow and services exercise.
  • Identify your core assets and check them against confidentiality, integrity, availability and likelihood of compromise to help future design and investment decisions.
  • Create a fit-for-purpose security architecture within your Cloud (i.e. should you need to retain legacy data which is rarely used, create security zones using layered firewalls, ingress and egress controls, file integrity and protective monitoring).
  • Test – lots – and then get a 3rd party certified security professional to conduct an ethical hack.
  • Failure to plan is planning to fail – do not let your business suffer by putting your head in the sand.


This week’s technology news – 5th September 2014

No need to be a Hollywood A-lister before you get concerned about security
The emergence of intimate images of Hollywood celebs published on a website last week following the hacking of their iPhones was not, Apple confirmed, through weaknesses in Apple’s security. A group of hackers led a very targeted attack on a select group of celebs to ascertain user names, passwords and easily guessed security questions, in order to change passwords, or used phishing techniques to fool those involved into giving up their Apple IDs and passwords.

This has led Apple CEO Tim Cook to announce this week that they will commence using two-factor authentication as a security measure for accessing iCloud accounts from its mobile devices, coupled with email alerts and push notifications to the user should someone try to change a password or log in from a new device. The two-factor authentication could involve the user having to type in a short code sent via text message to their phone number as an extra security step before they are given access to their uploads.

Since human weakness is often what gives hackers the simplest route to compromising accounts, organisations must ensure they do their utmost to protect data and privacy at all times in the Cloud. Good governance and security policies will create the controls to thwart attempts at penetration. Equally though, educating staff about security measures and increasing understanding of why they are so critical will increase uptake, confidence and trust, as our reliance on, and expectations around, technology increase as it becomes our closest aide in life and at work.

Amicus ITS has been delivering safe and effective Cloud solutions and Security & Governance consultancy for many years to its customers. Our latest offering for enterprise is Amicus CSF.


Move over fingerprints – finger vein sign-in is here
Biometric sign-in technology has been around for a while – in theory at least. Despite the technology being available, there has been a distinct lack of biometric sign-in options beyond certain laptops and smartphones. Barclays is taking the lead, however, in bringing finger vein scanners to business users, letting them verify accounts with a finger scanner attached to a PC via USB.

Finger vein technology differs from fingerprint technology in a few key areas: it requires a live finger and cannot be fooled by a high-quality 2D or 3D print. The device itself is about the size of a tennis ball, so although it is fine for plugging in to a laptop, we will not see this incorporated into tablets without a major re-design.

With information and ID more valuable than ever, finding the best way to secure it is a must, and making the authentication process user friendly vs the current multiple code inputs in banking is likely to win friends. Further adaptations of biometric sensors for two-step authentication are anticipated in future as this rolls out.

As biometric logins become more adopted, universal standards for storing biometric data and sharing between authentication sources will need to be properly governed and utilised. Until then, expect a different device and application to sign in to different services.

High priority for cyber security in UK business survey
The latest Information Security Breaches Survey, conducted by PwC for the Department for Business Innovation & Skills for 2014, has been published. The survey spanned 1,125 respondents across all industry sectors in the UK, where one third were IT professionals and the balance were business managers and executives.

The results revealed that whilst cyber threats had affected 81% of businesses, this was a reduction from 2013. Interestingly, the number of individual breaches had risen, and so had the ensuing cost to business. Indeed, 10% of those who had suffered a breach in the last year were so badly damaged by the attack that they had had to change the nature of their business.

Financially, the average cost to a large organisation (250+ employees) from its worst security breach of the year was reported to be £600k–£1.15m, and the average cost to a small business (fewer than 50 employees) for the same such breach was £65k–£115k.

Malicious software is increasingly the means for such attacks, and the focus has shifted back towards large organisations. With 73% of large organisations having suffered from infection by viruses or malicious software in the past year (up from 59% in 2013), there is a need for intelligent investment in effective solutions and preventative measures. With large organisations now spending around 11% of their IT budget on security and small businesses spending about 15% of their IT budget, IT Managers and CISOs need to question what is the best use of spend to maximise protection, and to receive guidance. Only through fresh, objective analysis of an organisation’s existing IT infrastructure and defences can correct assessments, recommendations and the appropriate solutions be put forward for Board approval.

The top four drivers for security expenditure remain the same as in 2013:

  • Protecting customer information
  • Compliance with laws and regulations
  • Protecting reputation
  • Preventing downtime

It should be added that whilst not in the top four across the board, protecting intellectual property is especially important in the technology, consultancy and professional services sectors.

Companies in 2014 are increasingly using remotely hosted services (i.e. Cloud computing) as an affordable and easily accessible alternative to internal IT services, with 83% now using Cloud computing services. Externally hosted websites and email are the most popular services for small businesses, at 82% and 70% respectively. Whilst only 13% of large organisations were using an externally hosted email service, they are more likely to use externally hosted payment, payroll processing and data storage solutions. The use of Cloud services for data storage has been the biggest growth area for large organisations, with a 7% increase from 2013 and an adoption rate for Cloud of around 15%. Of interest to Managed Service Providers, 52% of organisations with externally hosted services believe these are critical to their business.

As more companies start providing the funds needed for better protection, effective information security and risk management depends on the whole organisation buying in to this at every level and through every department, with the support of the Board and/or Executive Team. However, simply chucking money at IT will not return dividends: without guidance on where to spend new funds, organisations may find themselves overspending on ineffective solutions, or underspending and making themselves vulnerable for the next year.


Working with multiple devices
Having a PC, tablet and smartphone for work is now the norm for many. Each device has its strengths and weaknesses, but using the right device for the right time and place can not only make you more efficient, but help you work smarter. With their different use-cases you may find you have an app or messaging service on one device but not across all. When you are at your desk and you need to fire a message back from an alert on your tablet, picking it up to tap away your message may seem counter-intuitive with a full-size PC keyboard on your desk.

However, a new device announced this week by Logitech could make the workload for those juggling devices that little bit easier. Logitech’s new wireless keyboard can connect to all three types of device at the same time, with a simple turn dial determining which device your typing appears on. Of course you could pick this up and take it into a meeting as well.

If the juggling of devices is getting too much, maybe it is worth considering combining two of them. Microsoft’s Surface Pro range combines both PC and tablet into one device, meaning that not only do you have one less device to charge, but device setup and app maintenance are also easier.

How many devices you need and their sizes will vary greatly depending on the type of work you need to get done, when and where. Before your next purchase, consider how it will help the workforce get the job done and, hopefully, increase productivity.


This week’s technology news – 22nd August 2014

Cloud savings for all

Cloud storage has always had its advantages over traditional options, but price was often a premium. Thanks to heavy competition from providers both big and small, the cost per GB has been falling steadily over the last few years, with some sharper drops being made recently. With price now a relatively non-issue, the balance of pros and cons for cloud storage sits very comfortably on the pro side of the scale. Non-cloud setups now have one less obstacle to worry about when moving to Cloud, whether completely replacing their existing solution or as a hybrid.

With less focus on cost therefore, it is now much easier to have a clear discussion on the true flexibility and benefits Cloud can offer over traditional storage solutions. As adoption increases, so will employee expectations of having their data available via the web and mobile, but most importantly, securely. With a lower bar of entry, cloud adoption is likely to be boosted. Gartner predicts half of large enterprises will be using hybrid cloud deployments by 2017.

So the question that needs to be asked is – if you are not on cloud yet, why not?

US healthcare data hacking on vast scale revealed

Community Health Systems (CHS), the second largest hospital chain in the US, running 206 hospitals in 29 states, confirmed this week it had been hacked, with a systems breach and the theft of personal data for 4.5 million people as a result of the Heartbleed flaw. The OpenSSL code run by Juniper for CHS, which would normally scramble sensitive data, proved ineffective against Heartbleed, and despite fixes being issued they proved too late to stop what appears to be one of the largest known worldwide data breaches.

Back in April, the UK’s Mumsnet had 1.5 million members’ details exposed, whilst the Canadian tax authority, the Canada Revenue Agency, had 900 people’s social insurance numbers stolen; these two incidents were the previous “world record holders”. The Heartbleed bug allowed names, phone numbers, addresses and social security numbers to be stolen.

It is understood that the same malicious players have been targeting companies in the healthcare and medical device industry to gather intellectual property data. A new report by Gartner has shown that worldwide spending on information security is estimated to reach US$71.1 billion in 2014, an increase of 7.9% over 2013, as organisations adapt to the growing threat of cybercrime. This is expected to rise further, by 8.2% in 2015, to reach $76.9 billion, with a greater reliance on mobile, cloud and social platforms. Gartner estimates that more than 30% of security controls used by small or mid-size organisations will be Cloud based by 2015 and will drive the use of security technology through 2016 and beyond.

Fixing this healthcare breach (believed to have originated in China) is one thing; fixing the trust with the patients involved is another. Whilst neither medical nor financial data is believed to have been accessed, it once again highlights the imperative for organisations to ensure their data is secured and protected, as the sheer volume of data to be managed, wherever it is held, increases exponentially year on year.

Met Police want lock down on phones

The Met in London are seeking pre-set PIN locks from manufacturers to secure mobile phones, installed pre-sale at the factory, as a deterrent to the high numbers of mobile thefts. Their research reveals that three in five people do not set a PIN code lock of any kind on their phone. This leaves a user exposed to the theft of personal (or corporate, depending on the use of the device) data, plus the potential for expensive bills to be run up from web downloads without them knowing. If factory set, it would also ensure that devices bought online would benefit from the same security layer as those bought from high street retailers. Apple’s Activation Lock has produced results which show direct falls in crime as a result of its activation. Whilst hopefully a factory code would be randomised already, the UK Mobile Phone Crime Unit (NMPCU) comment that they would encourage users to set their own memorable personal code thereafter (though not a generic one, e.g. 1234 or 1111). Previously, such lazy security enabled journalists from the News of the World to hack data on celebs’ mobiles as well as listen to their voicemails. Opting-out vs opting-in is always going to be a better route to maintaining adoption of security measures – and anything that thwarts unauthorised use exposing consumers and companies to risk is to be lauded.

Don’t just miniaturize for mobile

When creating content for smartphones it can be easy to think: “Let’s take what we have on PC and shrink it down to fit on smartphones”, but this approach is rarely the best. Whether it is a website or an app, taking a step back to re-think how best to display content is key. True, smartphones have much smaller displays than PCs, but they also pack their own tricks often not seen on their bigger brothers, such as GPS location, cameras, touch screens, accelerometers and more.

Mobile users often have lots of frequently used apps installed on their device, so breaking this behaviour to add your own app into their stable can be challenging. The key is not to replicate, but to create something unique for the platform: redesign your user interface (so all vital info can be seen once the app is launched), and don’t be afraid to use sensors such as GPS to detect a device’s location and deliver relevant information (this can also be combined with an in-app QR code scanner to quickly load relevant information about a product or service).

As smart as you can make your app by taking advantage of the device’s smart features, it can also be too easy to go overboard. One area in particular where restraint will be appreciated by your users is push notifications. Don’t bombard your users with pop-up messages, or they are likely to delete your app, no matter how smart, instead of turning the feature off.

Google Glass gets The Minority Report feel

One of the main obstacles to wider adoption of Google Glass has been the awkward control methods; however, that may be in the past with the introduction by US Thalmic Labs of muscle sensor armbands to the technology. The new enterprise has integrated its clever wearable sensors with Google Glass, Epson Moverio and Recon Jet. The net effect is that users can quickly flick through documents, contacts and apps with subtle hand and finger gestures vs tapping the Glasses at the side of the head and fiddling with a tiny trackpad. With this practical physical change, wider adoption by industry could be faster than anticipated and could make wearable technologies a relied-on technology vs the curiosity they are at present.

This week’s technology news – 18th July 2014

IBM, Apple and exclusive Apps

In the consumer market the war for a dominant victor has been decided, at least for now: Google comfortably holds the biggest share worldwide. For the workplace, however, it is very much up for grabs. IBM and Apple have announced a new partnership to help each other tackle corporate mobility. IBM will be focusing on the software, creating new iOS apps and porting more than 100 of its existing applications over. IBM will also be selling iPads and iPhones direct, and teaming with Apple to provide AppleCare for enterprises.


This all makes for a strong business case, albeit a pricey one. The investment to work on so many end-to-end mobile solutions is impressive; however, with such a partnership you must wonder if this is IBM taking a stand and making the bulk of these exclusive to Apple’s ecosystem, for mobiles at least. Application support has definitely helped sway the battle for phone manufacturers before, so why not use that same approach for businesses?


This could potentially be dangerous territory: an iPhone doesn’t make the most sense from a cost or support perspective for everyone. Of course this is not the first case of platform-specific exclusive apps, but with the size of the players involved, it could spur similar deals with others. This highlights an important consideration when deciding on or reviewing your device standard of choice. Beyond what comes pre-installed, are the necessary apps you need available? Are they implemented in a way employees will be able to best benefit from on the go? And how will they incorporate into your own existing infrastructure?

FBI on catch up with driverless car technology

An internal report by the FBI disclosed by the Guardian reveals their fear that the evolution of driverless cars, such as those being developed by Google (and Volvo, as reported in our 9 May 2014 blog), could create lethal weapons. For law enforcers, the fear is that automated cars present a perfect opportunity for criminals to focus their attention on shooting at officers, rather than having to keep their eyes on the road as well during a chase. One counter to this is the advantage to the emergency services, whose paths could be automatically cleared ahead of them as traffic moves aside.


With Google’s potential to have an approved car on the road in five to seven years, and the British government already clearing the way for the legality of driverless cars on UK roads with the Highway Code being re-written, there is clearly a split in the debate. Nonetheless, the producers themselves are keen to promote that the anticipated increased safety will ultimately result in driver error being eradicated. Whether this will also stem the traditional derisory comments between passengers and their driver about the skills on display may take a little longer to change.

A case of helpful hacking

Finding out a hacker has breached your network security is a major headache for companies. In the case of Sony, who were infamously hacked back in April 2011, they had to close down their public-facing media network for 24 days as it was rebuilt, admitting that personal and credit card information was possibly compromised for up to 77 million user accounts. This instance can stand as a good case study on network and infrastructure security.


Google is taking a more direct approach and hiring the same hacker, George Hotz, to assist with their new Project Zero initiative to identify problems with software. Controversial? Sure, but the above does read as an impressive resume for the aim of finding flaws in large systems and applications. The Google project is not just self-beneficial. The new team will also investigate other companies’ software. Vulnerabilities found will be placed into a public database, with information on how long companies took to plug these after being alerted.


Google are not the only ones in the vulnerability-finding game: both Microsoft and Facebook have ‘bug bounty’ programmes, paying hackers for finding system vulnerabilities. No matter how big or small you are, you may be surprised what someone outside your company walls could see in, if they really wanted to. Make sure your own system has had an additional team’s eyes review the security, beyond the team that implemented it. Sometimes a fresh pair of eyes is all that’s needed to find that overlooked flaw.

Google’s diabetes smart lens looks good

The future of wearable technology and advances in digital health have taken what appears to be a solid step forward, following the deal struck between pharma giant Novartis and Google to produce Google’s diabetes ‘smart’ contact lens. With 1 in 10 people in the world forecast to have diabetes by 2035, this is a canny commercial advance in healthcare. The lens, utilising a tiny wireless chip with miniaturised glucose sensors embedded in the lens, will help diabetics monitor their glucose levels through the tears in the sufferer’s eyes. The results are then communicated to a mobile phone or computer.


With the prototype revealed in January, Novartis believe the technology has “the potential to transform eye care”. The ambition of Google’s co-founder Sergey Brin to use technology “to help improve the quality of life for millions of people” may still be some way off. However, with the increase in incidence of the disease, such innovative technologies would likely prove popular with consumers, whilst enabling healthcare experts to continue their monitoring role and make a difference to the management of the disease.


Plans for CIO spend look set to hot up this year

CIOs for midmarket and large companies in Europe and the US (where annual revenue is between $500m and $20bn+) are expected to spend 4.5% more on IT products and services this year than in 2013. A recent survey identified that these companies would focus budget priorities on cloud computing, Enterprise Resource Planning (ERP) and analytics software. Application workloads currently held on on-premise servers are expected to shrink by 15%, with vendor data centres mopping up the gap. Application workloads in managed hosting services are conversely expected to increase from 7% to 9%. With chief executives looking keenly over the shoulders of CIOs, the areas IT leaders deem least likely to face cuts from financial pressures include: essential mission-critical systems, security products and ERP. Cloud computing, consulting, outsourcing and new initiatives remain in the basket as managing and governing ever more complex data continues to mature.

This week’s technology news from Amicus ITS – Friday 12th July 2013

GCHQ Monitoring Increased Infrastructure Cyber Threats
GCHQ has thrown up a warning flag to highlight the potential threats from cyber attack to the UK’s national infrastructure. A suspected incident relating to the electrical grid prior to the Olympic Games in 2012 triggered the research. The report has revealed that technical reconnaissance has occurred across the UK’s infrastructure. An increased reliance on the internet by utilities makes security a national priority. In March 2013, the Government set up a Cyber Security Information Sharing Partnership to help businesses and Government share information in real time. However, when 80% of utility organisations in the UK are run by the private sector, enforcing security governance around data requires a pro-active approach, and this is a wake-up call for all businesses to review their data policies.

Google’s slapped wrist
The UK’s privacy watchdog, the ICO, has joined data protection authorities in several European countries in criticising Google after the internet giant’s privacy policy failed to comply with the UK Data Protection Act. UK users of Google’s services do not currently have a clear definition of how their data is collected and used across its products. Google bundled 60 privacy policies into one agreement and hoped this would absolve them from criticism. However, the lack of response from Google as to what it is using personal data for, and how long it is held, has led to various actions against them. Google faces penalties from the ICO if it does not rewrite its policy by 20 September 2013. It is important for business that this is resolved satisfactorily given the number of employees using the internet.

Huge Android security-hole discovered
Last week Bluebox Security uncovered a security flaw in Android phones and tablets, potentially affecting up to 900 million devices. An app downloaded from outside the official Google Play store could modify a pre-existing system app on the device, abusing that system app’s special permissions for malicious purposes. Google stated this week that the bug has been caught and they are urgently working with their partners to push out the correct patches. The key lessons for information security governance are to stick to official app stores and keep devices up to date with the latest software updates to keep information protected.

Nokia’s 41 megapixel monster
On Thursday Nokia held their ‘Zoom Reinvented’ event, where they announced the arrival of the Lumia 1020, a smartphone with a whopping 41 megapixel (MP) camera, powered by Windows Phone 8. In comparison, the iPhone 5 has an 8 MP camera and the Galaxy S4 13 MP. In addition to staggering image quality, the advantage of such a high megapixel count is the ability to zoom in to a picture even after the moment is captured. Such a leap over the competition in this field makes the choice simple for anyone whose top priority is the camera in a smartphone. Microsoft must be happy about the partnership they have built with Nokia, as it is exclusive flagship phones such as the Lumia 1020 that will build Windows Phone market share worldwide.