Social Icons

Saturday, June 7, 2014

Dyman & Associates Risk Management Projects: 75% of mobile security breaches will result from misuse

With use of smartphones and tablets on the rise and sales of traditional PCs on the decline, attacks on mobile devices are maturing, says IT research and advisory firm Gartner Inc.

By 2017, the focus of endpoint breaches will shift to tablets and smartphones. And, according to Gartner, 75 percent of mobile security breaches will be the result of mobile application misconfiguration and misuse.

Common examples of misuse are “jailbreaking” on iOS devices and “rooting” on Android devices. These procedures allow users to access certain device resources that are normally unavailable — and remove app-specific protections and the safe "sandbox" provided by the operating system, putting data at risk.

Jailbreaking and rooting can also allow malware to be downloaded to the device, enabling malicious exploits that include extraction of enterprise data. These mobile devices also become prone to brute force attacks on passcodes.

According to Dionisio Zumerle, principal research analyst at Gartner, a classic example of misconfiguration is improper use of personal cloud services through apps residing on smartphones and tablets. “When used to convey enterprise data, these apps lead to data leaks that the organization remains unaware of for the majority of devices," he said.

The best defense for an enterprise is to keep mobile devices fixed in a safe configuration by means of a mobile device management policy, supplemented by app shielding and "containers" that protect important data.

Gartner recommends that IT security leaders follow an MDM/enterprise mobility management baseline for Android and Apple devices as follows: ask users to opt in to basic enterprise policies, and be prepared to revoke access controls in the event of changes.
Users who are not able to bring their devices into basic compliance must be denied (or given extremely limited) access; require that device passcodes include length and complexity as well as strict retry and timeout standards; specify minimum and maximum versions of platforms and operating systems. Disallow models that cannot be updated or supported; enforce a "no jailbreaking/no rooting" rule, and restrict the use of unapproved third-party app stores.

Devices in violation should be disconnected from sources of business data, and potentially wiped, depending on policy choices; and require signed apps and certificates for access to business email, virtual private networks, Wi-Fi and shielded apps.
IT security leaders also need to use network access control methods to deny enterprise connections for devices that exhibit potentially suspicious activity.

"We also recommend that they favor mobile app reputation services and establish external malware control on content before it is delivered to the mobile device," said Zumerle.

Mobile security trends will be discussed at the Gartner IT Infrastructure & Operations Management Summit 2014, June 9–11 in Orlando, Fla.

Friday, June 6, 2014

Dyman & Associates Risk Management Projects Malware: How to Prioritize the Alerts

In late May, online security firm Trusteer, an IBM company, raised alarms about a new online banking Trojan it calls Zberp. According to Trusteer, more than 450 global banking institutions in the U.S., the United Kingdom and Australia have been targeted by this malware strain, which combines features from Zeus and Carberp, two well-documented banking Trojans.

Just days earlier, global cyber-intelligence firm IntelCrawler warned of new point-of-sale malware known as Nemanja, which had reportedly infected retailers in nearly 40 countries.

And news about recent evolutions in the mobile malware strain known as Svpeng also has caused concern. In May, Svpeng was found to have evolved from merely a banking Trojan to a malware strain equipped with a dual ransomware feature (see New Ransomware Targets Mobile).

But with so many alerts about new and emerging malware strains and attacks, how should banking institutions respond? It's a growing challenge for information and security risk officers because one of the keys to mitigating cyber-risks is differentiating new threats from older ones.

What's Real?

While banking institutions have to take all emerging threats seriously, they should take most alerts issued by security vendors in stride, says financial fraud expert Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovations.

"It's mostly hype," he says. "Every time a new threat shows up in the media, this is the first filter I run. More often than not, there's a vendor or two behind all the excitement."

The influx of warnings from security firms about new malware strains has bred unnecessary concern for some banking institutions, says Andreas Baumhof, chief technology officer at malware research firm ThreatMetrix. In most cases, existing detection systems will raise flags, even when new variants of malware are detected on a network or believed to have infected an end-user's device, he says.

Pointing to the most recent announcement about Zberp, Baumhof says banks and credit unions should not rush out to invest in new detection and defensive technologies.

"There is nothing new for this Trojan," he says. Most banks' and credit unions' existing online defenses are equipped to detect Zberp and other Zeus variants, he contends.

Advice for Banking Institutions

Analysts recommend banking institutions maintain ongoing dialogues with their core service providers and vendors about the latest threats, and ensure they adequately vet new providers and vendors before signing on for service.

Among their other top recommendations:

Understand how existing detection and threat-mitigation solutions are equipped to defend the network. "There is no 100 percent solution, but banks need to understand their exposure and current capabilities before they rush to react," to alerts about new attacks, says Al Pascual, who heads up the fraud and security practice for consultancy Javelin Strategy & Research.

Put the onus on service providers and security vendors to send out notifications of possible risks, says Shirley Inscoe, a financial fraud expert and analyst for consultancy Aite.

Always get second and third opinions before revamping a system or solution. "Always get multiple bids, research the suppliers with independent parties, such as industry analysts and vendor-neutral consultants, and check with peers," Ontrack's Wills says.

Ensure the IT and security teams have strategies in place for comprehensive risk assessments. "Refresh it [the risk assessment] at least once or twice a year to keep it current - the more often, the better," Wills says. "That way, you can make sure that any solution you buy makes sense in the context of your own company's unique threat and vulnerability landscape, and not some generic landscape. It's quite easy to buy security products that you don't really need."

Thursday, June 5, 2014

Dyman & Associates Risk Management Projects on Threat intelligence versus risk

Security officers who view threat intelligence and risk management as the cornerstone of their security programs may have advantages over peers who face constraints when it comes to taking advantage of the available data.

CISOs are generally tasked with evaluating security controls and assessing their adequacy relative to potential threats to the organization, and its business objectives. Their role in cybersecurity risk management -- the conscious decisions about what the organization is going to do and what it is not going to do to protect assets beyond compliance -- is still hotly debated.

The transition towards risk management is more likely for the 42% enterprises whose security officers report to executives (the board of directors or chief risk officers) outside of the IT organization, according to Gartner. The firm's analysts advise security officers to achieve compliance as a result of a risk-based strategy, but admit that "organizations have not kept pace."

Equinix started to build a customized threat intelligence program about five years ago. The International Business Exchange data center provider uses threat intelligence along with risk assessment to do its "homework" before the company invests its resources in information security or agrees to IT requests from departments with different priorities.

"It doesn't make sense to go and buy a piece of [security] equipment because somebody in sales and marketing says, 'This is a big deal for the company,'" said George Do, global information security director of Equinix, which operates colocation centers in 15 countries. "We have to vet it, and we have to understand: Is this really a threat? What are the threat vectors?

"Sometimes, there is this black orbit, and we are just there for the ride," said Do. "I am always very conscious of that, and I want to make sure that whatever we are spending resources on is truly managing risk."

Metrics that Do reports up the chain of command, starting with the CIO, include data from the last quarter and year on the number of critical instances -- compromised data or critical servers, for example. Because Equinix employees frequently travel all over the world, security incidents, such as malware or backdoors, involving employees' mobile endpoints (laptops and mobile devices) are tracked, as well as employee acceptable-use policy violations.

In addition to capturing incident data, the security team tracks metrics around any attempted cyberattacks against the organization, especially around the perimeter from firewalls, VPN servers and mobile device gateways. "We have a Palo Alto firewall where I can see that [data] very clearly," said Do. "I can present a very simple dashboard to any executive that shows: Hey, at any given second of the day we are being attacked by literally thousands of threats and the firewall is doing its job so it's not like we invested in this for nothing."

While threat intelligence is the foundational piece of risk assessment at Equinix, the use of intelligence data in the security industry is often ad hoc. "It has either plateaued or actually decreased," said Do.

"There are always two sides of the spectrum," he continued. "The companies that are very good at doing SIEM [security information and event management] and all of these intelligence pieces so that the more intelligence or data points that they've added to their infrastructure, the smarter they become."

But the majority of the security teams don't do that. "They are either mired in compliance checkboxes or chasing down shadow IT services. Or there are so many things going on in their universe that there are no resources, or time, left to focus on threat intelligence."

Wednesday, June 4, 2014

Dyman & Associates Risk Management Projects on Top 20 mSecurity Companies 2014

Leaders in Software as a Service (SaaS), Mobile Device Management (MDM) & Bring Your Own Device (BYOD) Security

Mobile devices have become an intrinsic part of everyday life, for individual consumers and large organizations alike. Consequently, the popularity of smart devices is an increasingly attractive target for cybercriminals with regards the potential value of personal data found on a device.

The increasing demand for mobile security software is seeing the emergence of security specialists offering solutions aimed at mobile as well as PC.

Established market players in internet security are adapting their services to mobile, while a number of new companies are specializing specifically in smartphone and tablet security. Solutions including software, device management and security as a service are looking to answer this nascent security demand.

The complex nature of the mobile ecosystem and the close affinity to the broader cyber security market has made the mobile security sector a relatively fragmented market, with overlaps between the different submarkets. .

 As a result, vision gain has determined that the top 20 companies in the global mobile security market account for $2.06 billion, or 58.9% of annual market revenue which illustrates a highly competitive and fragmented market.

Why you should buy Top 20 Mobile Security (mSecurity) Companies 2014: Leaders in Software as a Service (SaaS), Mobile Device Management (MDM) & Bring Your Own Device (BYOD) Security

Who are the leading players in the mobile security market? Vision gain’s comprehensive analysis contains highly quantitative content delivering solid conclusions benefiting your analysis and illustrates new opportunities and potential revenue streams helping you to remain competitive. This definitive report will benefit your decision making and help to direct your future business strategy.

Avoid falling behind your competitors, missing critical business opportunities or losing industry influence. The report assesses technologies, competitive forces and expected product pipeline developments.

Discover key Information in this 139 page report:

• Explore the top 20 mobile security (mSecurity) companies to keep your knowledge ahead of your competition and ensure you exploit key business opportunities
- The report provides detailed market shares along with revenues for the leading mSecurity companies, including original critical analysis, revealing insight into commercial drivers and restraints allowing you to more effectively compete in the market.

- Find 70 tables, charts, and graphs
- Let our analysts guide you with a thorough assessment of the leading players in the mSecurity market. This analysis will achieve quicker, easier understanding. Also you will gain from our analyst's industry expertise allowing you to demonstrate your authority on the mSecurity sector.

• Read exclusive interviews from 3 market leading companies
- By reading the exclusive expert interviews contained in the report you will keep up to speed with what is really happening in the industry. Don't' fall behind. You will gain a thorough knowledge on the mSecurity sector finding strategic advantages for your work and will learn how your organization can benefit and allowing you to assess prospects for investments and sales
- Bullguard
- AVG Technologies
- Kaspersky

Dyman & Associates Projects: A New Graduate’s Survival Guide Against Identity Hackers

As fresh graduates descend from the ivory tower (bearing their unstained diplomas), many will eventually encounter “real world” interactions for the very first time, and they run the risk of being eaten alive out there. Identity-connected scams, dark schemes and credit status traps litter the way to financial success. And for many of those new graduates who confidently say, “It will never to me,” get ready for you bubble to burst.

Information violations and the identity-theft crimes that arise from them have become realities in life, next only to death and taxes. But there are a few things you can undertake to improve your protection against them, identify the problems and reduce the effects in case the inevitable happens. However, if you believe a compromise to your identity or credit will never cause you to incur a good amount of money, you will be surprised to realize the emotional turmoil and endless moments of annoyance spent regretting things which are non-refundable.

New grads must bear this in mind: Your personal identity and credit are significantly precious assets. And whereas it might be quite early in the game to seriously consider your investment portfolio, you now have a built-in two investment-grade portfolios that you ought to manage well: your identity portfolio and your credit portfolio.

Take a look at a few general rules in the game that will aid you to protect your identity that, if you observe them, could make it easier for you to succeed.

1. Credit Cards

If you are newbie to the world of credit cards, you tend to make some beginner’s errors that may lead to identity risk.

First, be wary as to where you divulge your credit card data. Consider yourself as your worst enemy when it concerns credit card scams if you fail to observe proper security steps when sharing your credit card information over the websites, to companies and even to friends. And while scammers have a way of stealing your account numbers, taking extra care if you live with roommates will protect you in a big way.

Make sure to check your account statements as often as you can, even daily, for unauthorized withdrawals or purchases. If anyone steals your debit or credit card number and goes out to spend like a king, and you fail to discover it early enough to prevent more damage, you could find yourself back to zero.

Keep track of your credit report and note how your credit standing moves. This will allow you ascertain that all the accounts listed there belong to you. Usually, the first sign that says you have fallen victim to a new account fraud arises from these reports. Being aware lets you face and deal with the issue way before a collection firm asks for money you did not spent. Check your credit reports without being charged yearly from all three credit reporting agencies through this site: Likewise, you can check two of your credit scores for free with a account  –  in case you observe an unexpected reduction in your credit scores, check your reports for any issues, including fraudulent accounts.

2. Utilities

What about utilities? You phone a customer service agent who gets your name, address and phone number, and when your bill comes on the last day of the month, you pay accordingly. Sounds so simple, even a child could do it — which is exactly the problem. Identity thieves are so good at stealing electricity in your name, and since it is that easy for anyone to set up an account using your name, you may not be aware of it until you receive a notice from a collection agency for unpaid utilities bills and your credit status falls.

Here is what you need to do: Take extra time assessing your bills and immediately check on any doubtful items, pay your bills on time always, (think of enrolling in a direct debit plan), safeguard your personally identifiable data (which means protecting your Social Security number from everyone except the select few who have to know it), and keep in mind that monitoring your scores and your reports often can warn you of any issue soon enough. One could never be too paranoid when it comes to monitoring nowadays.

3. Applying for Jobs

Many fresh graduates are not aware that a significant number of firms and institutions will check credit reports (not credit scores) prior to offering anyone a job. They are required to obtain a permission from you (often in writing) before looking at your reports and most of them will ask for your Social Security number, a primary asset in your identity portfolio, for them to do so.

Obviously, you have to be sure the employer is authorized, and if you feel uneasy about divulging your Social Security number to a potential employer, conduct a little research before you give it. Many job scammers will take your SSN upfront, before they even interview you.

4. Filing Your Taxes

For a few new graduates, taxes have never entered their vocabulary or their limited world. It may be that their parents filed taxes for them, or they have never worked at a job to make it necessary.

If you are new at dealing with taxes, be aware of this: Not every person who offers to assist you will be trustworthy. Thieves abound everywhere, so take a careful look before getting an accountant or a tax-preparation service provider. Tax-connection identitytheft is one more reason why you must check who has access to your personally identifiable data. If a scammer files a tax return in your name before you do, you will spend six months or more waiting for the IRS to rectify the error and give you a refund.

Last Word on Identity Protection

In the realm of personal finance, many kinds of fraudulent people will try to take advantage of you, snatch your personally identifiable data and possibly decimate your credit. They revel in feasting over fresh-graduate meat. Not surprising as most new graduates still have a clean credit record and may not know the possible harm that identity thieves waiting at a dark corner can do. But if you carefully manage and attentively check your identity portfolio, it will be a real asset and not a liability.

Monday, June 2, 2014

Q&A on Dyman & Associates Risk Management Projects’ Involvement in Project Management

One of the main involvements of Dyman & Associates is in the field of Project Management. Here is a brief Q&A that will provide essential information about this service:

Q: What particular aspects of Project Management does Dyman & Associates engage in?

A: Here is a list of Dyman’s involvement in project management:

Remediation Project Management – Dyman assists companies comply with audit-process requirements to make them stay viable.

Data Center Transfer – Dyman reduces downtime risks on clients’ systems and unmet goals during data-center relocation within one site.

Business Continuity – Dyman assures clients of unhampered delivery of their methods and materials during disruptions in vital operations.

Business Impact Analysis – By measuring the viability of each application through extensive interviews within the organization and analyzing the internal and external Service Level Agreements, Dyman can determine the overall health of a company and provide ways for improvement.

Big-scale Technology Resets – Dyman helps clients avoid non-delivery of committed materials by improving cable plant, routers, switches, desktops, Wide Area Network, and others.

Q: Do Dyman & Associates’ consultants have enough experience?

A: Dyman & Associates Risk Management Projects senior-leaders have started from very humble beginnings; however, through the years, they have undergone sacrifice and applied diligence to succeed in both private and public sectors. With all their successes, however, they have maintained their focus on doing well and right, not just for their clients but also for the community at-large, and have continued to possess this attitude in their business and personal profession.

Q: Why do we need Project Management?

A: Unpredictability is at the root of Project Management. Many people simply muddle through from crisis to crisis without resolving the root causes of problems that constantly arise to disrupt operations. Project Management allows organizations to predict with greater precision when and how such potential obstacles occur and to implement the necessary solutions or adaptive measures to minimize or remove all threats to the targeted results and achieve sustainability and viable development.

If efficient Project Management is the main ingredient missing in your organization’s operations, call Dyman & Associates Risk Management Projects for assistance.