7/29/2019 ISM July-August Final
JULY/AUGUST 2013
VOL. 15 | NO. 06
INFORMATION SECURITY

Unlock New Pathways to Network Security Architecture
Consolidation and new platforms hold promise for security teams.

THIRD-PARTY RISK HORROR STORIES?!!
IS BIG DATA SECURITY EDUCATION A BIG FAILURE?
SECURE NETWORK ACCESS AND ENTERPRISE MOBILITY
THE LEGACY OF SB 1386
MOBILE SECURITY BY THE NUMBERS
EDITOR'S DESK
Secure Network Access and Enterprise Mobility
We polled readers on enterprise mobile device security and the results are in. BY KATHLEEN RICHARDS

WE CRUNCHED THE numbers in this month's issue to get your take on mobile device security and noticed some telling trends. Access control has moved to the top of many organizations' security lists in 2013 as device control continues to give way to bring your own device. The data from our annual Enterprise Mobile Security Survey, fielded in Q2 2013, is presented in Mobile Security by the Numbers. Thanks to the 768 IT and security professionals that participated in the SearchSecurity.com survey.

Enterprise mobile security, and data loss prevention, gets even more fun when you add the host of services and networks that mobile devices access regularly throughout the day. In our cover story this month, virtualization infrastructure guru Dave Shackleford looks at how some organizations are starting to control traffic at different layers of their networks and use emerging technologies that facilitate traffic capture, analysis and control. "In addition to new isolation techniques, organizations today are looking to collapse their infrastructure through virtualization and unified platforms, outside of UTM," writes Shackleford. In his day job as principal consultant of Voodoo Security, Shackleford already sees Fortune 100 companies replacing traditional Layer 3/4 firewalls and IDS/IPS with next-generation firewalls and virtual appliances.

As we look ahead at emerging technologies designed to facilitate network security architecture in the new world of mobility and cloud services, we also decided to take a look back. Ten years ago, Randy Sabett, CISSP (and now counsel at ZwillGen), examined how to achieve compliance with the then-new California SB 1386 privacy law. As Sabett explained in Information Security magazine in June 2003:

California's new privacy law (SB 1386), which goes into effect July 1, requires any company that conducts business in California and owns or licenses computerized personal data to notify California residents of any actual or suspected security breach that compromises the security, confidentiality or integrity of that information.

This issue, we invited him back to tell us what's changed (if anything) in the last 10 years; how the California privacy laws influenced future legislation that requires proactive security measures to prevent data breaches; and why some states still don't offer these protections.

We'd also like to welcome back MacDonnell Ulsch to Information Security magazine. Now CEO and chief analyst at ZeroPoint Risk Research, Don authored this month's feature on third-party vendor risk management and what's required in top-notch service-level agreements. He tackled this timely topic as U.S. service providers, among others, worry about the global fallout of Eric Snowden's allegations against the NSA and its effects on selling data storage and related services.

Finally, our education columnists, Doug Jacobson and Julie A. Rursch, instructors in the electrical and computer engineering department of Iowa State University, tell us why big data education is so hard. "Given the void in big data education, it should come as no surprise that the security of big data is not covered in most curriculums," they write. Could industry partnerships help?

Enjoy the issue and let us know what you think.

KATHLEEN RICHARDS is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath. Send comments on this column to [email protected].
DATA BREACH NOTIFICATION LAW
The Legacy of SB 1386
A decade after becoming law, the ripple effects of California's SB 1386 have surfaced in a new breed of proactive, granular state data privacy laws. BY RANDY SABETT

WHETHER OR NOT you view the passage of California's SB 1386 data privacy law in 2003 as a watershed moment in the information security world, few can argue that its enactment significantly changed the infosec playing field.

Although federal legislation had covered certain industry verticals (e.g., GLBA and HIPAA/HITECH), most activity involving broadly applicable privacy and information security laws has occurred at the state level. SB 1386 initiated much of this activity.

Over time, a definite trend has emerged: reactive state laws dealing with cybercrime have given way to proactive laws requiring affirmative steps to secure information systems.

REACTIVE STATE DATA PRIVACY LAWS
Early state data privacy laws criminalized various activities that today would collectively be referred to as hacking. These reactive laws focus primarily on the hacker, an elusive entity that even if apprehended could not, in most cases, make a victim whole again. These laws often came into play only after a breach event had occurred involving the data of a particular state's residents. Other than the slight deterrent effect that they might have, the antihacking laws have done little to prevent cybercrime from occurring. Because of this, state legislatures began to realize the need to focus on other parties in the chain of liability.

By passing SB 1386 in 2003, California became the first state with a data breach notification law. With it, not only would the actual wrongdoer be criminally liable, but entities that allow a breach to occur also might bear some liability. Other states soon followed, some with bright-line legal tests for determining breach occurrence while others have a subjective risk-based standard. Some laws have GLBA or HIPAA safe harbors; others do not. All, however, are still reactive, because they don't kick in until a breach has already occurred. At a minimum, they have created a negative incentive and increased the visibility of information security.

PROACTIVE STATE DATA PRIVACY LAWS
California continued its lead role by passing AB 1950 in 2004. Unlike data breach laws, AB 1950 focuses on whether an entity has in place reasonable security procedures and practices. This was one of the first of its kind: a broad-reaching proactive data security statute that places obligations on parties before a breach event has occurred. (Although both HIPAA and GLBA have a similar structure, they are limited to specific industry verticals and are not broadly applicable to all businesses that collect or maintain sensitive personal information.) Many states have now followed suit with similar proactive laws that require reasonable security measures.

GRANULAR INFORMATION SECURITY LAWS
If we view antihacking laws as a first wave, data breach notification laws as a second wave, and reasonable security measures laws as a third wave, a new fourth wave of state information security laws is emerging. The laws in this fourth wave represent an attempt by state legislatures to pass much more granular provisions. To date, Oregon, Massachusetts and Nevada have the most detailed requirements, with Minnesota not far behind.

In Oregon, SB 583 requires companies to implement an information security program that includes administrative, physical and technical safeguards. It then specifies measures for each class of safeguards deemed to be in compliance with the law.

Detailed data security regulations in Massachusetts, 201 CMR 17, took effect in March 2010 and require companies to implement a comprehensive information security program along with certain administrative, technical and physical controls to protect sensitive personal information. Highlights include retaining third-party service providers that can implement appropriate security measures and contractually requiring such measures.

The most compelling trend besides granularity is the incorporation of commercial standards (in particular, elements of the Payment Card Industry Data Security Standard, or PCI DSS) into state law. Two states, Nevada and Minnesota, have codified or partially codified the PCI DSS. In Nevada, a business that accepts payment cards must comply with the PCI DSS. This creates a type of safe harbor. If the entity is PCI-compliant and the breach is not caused by the gross negligence or intentional misconduct of the entity, it will not be liable under the law for damages for a security breach.

The Minnesota law reflects only one part of the PCI DSS and, in many respects, codifies obligations already contained in merchants' contracts with the card brands. The law forbids entities that handle credit card information from retaining the card security code, PIN or contents of any track of magnetic stripe data after the transaction is authorized. Companies not in compliance with the statute are liable for any fraudulent transactions that result from such noncompliance, as well as the costs of replacing compromised cards.

DATA PRIVACY LAWS: WHAT'S NEXT?
I am certainly not a prognosticator and I don't play one on TV. Having said that, I do believe the trend of increasingly proactive and granular state data privacy laws will continue to evolve in two ways.

First, states will press forward with innovative laws that focus on information security and further refine the obligations of the various stakeholders, specifically the enterprises that collect, process, and maintain data. This may frustrate those entities that employ a somewhat common framework-based approach to compliance, using a single set of controls that cover the existing patchwork of laws. Those companies that select one of the most stringent laws and meet its requirements may find the need to update their security posture in response to the legislative leapfrogging that could occur.

Second, I believe that we will eventually see data privacy legislation become law at the federal level, though the broad nature of some of the bills over the past few years makes passage difficult. For now though, it seems that there are too many stakeholders with varied interests to get an omnibus-style bill on the books. That may change quickly, however, should some type of drastic event occur that gets everyone aligned. Hopefully, that won't be the case.

RANDY V. SABETT, J.D., CISSP, is counsel in the Washington, DC office of ZwillGen PLLC and has more than 20 years of infosec experience, including as an NSA cryptography engineer. He counsels clients on information security, IT licensing and intellectual property. He served on the Commission on Cybersecurity for the 44th Presidency and he has been recognized as a leader in privacy & data security in the 2007-2013 editions of Chambers USA. Sabett is an adjunct professor, a frequent lecturer and author, and has appeared on or been quoted in a variety of national media sources.
SECURITY EDUCATION
Is Big Data Security Education a Big Failure?
Big data presents big challenges for computer science programs, from classification to cloud security. Are industry partnerships the answer? BY DOUG JACOBSON AND JULIE A. RURSCH

WHEN IT COMES to integrating information technology trends into the curriculums of many universities and colleges, the educational system has fallen behind the learning curve. This is true for big data education and, unfortunately, for the IT security needed to protect unstructured information. The concepts related to the handling of large amounts of data are briefly touched on in courses that focus on databases or algorithms. But when big data is addressed in an algorithms class, it's primarily as a justification for teaching different sorting algorithms, essentially, ordering lists in big data projects.

If universities do offer classes on big data, it is often as graduate-level coursework. Despite few computer engineering or computer science classes that focus specifically on big data, we see the concept show up in other courses; bio-informatics, for example, where processing big data is required to complete a task.

SECURITY OPTIONAL
Given the void in big data education, it should come as no surprise that the security of big data is not covered in most curriculums. Even the newly proposed National Security Association and Department of Homeland Security focus areas for the National Centers of Academic Excellence list big data security as an optional knowledge unit in three content areas.

Security of big data is important, but it is difficult to teach for many reasons: the terminology, current security and monitoring systems, physical infrastructure, and that's just for starters. First and foremost, it is hard to classify what is meant by the term big data. It implies incomplete knowledge of what data points may be in the storage set, and trying to secure that which is unknown is difficult. Think about data loss prevention; it's difficult, if not impossible, to tell if sensitive data is leaving the facility when the data isn't enumerated.

We're not teaching big data security. But in our defense, how can we secure something that is hard to classify? Furthermore, how can we teach others how to secure it? The new classification of big data presents a basic problem that needs resolution before we provide solutions.

NEW SECURITY METHODS
Does the new classification of big data mean new security methods are warranted, or can we use methods that currently are deployed, only on a larger scale? In the case of big data, we argue that the size and complexity requires more than just scaling current data security methods.

If we can get beyond the terminology and lack of knowledge, we need to rethink the implementation of security and monitoring systems in big data situations. In current security and monitoring systems, writing to and reviewing log files is the primary technique used to capture events and indicate when security breaches are attempted or have succeeded. In today's world, we hear lamentations of how large log files grow and how difficult it is to separate the useful data from the noise, even with the help of a vendor's product. In the world of big data, the complexity of security and monitoring systems only grows exponentially.

Although many factors complicate big data security, one final issue we want to note is that big data often lives in the cloud. Therefore, the discussions about security methods for big data include cloud security. Neither of these topics is mature, and organizations taking security measures will need to consider how these measures will work with cloud data.

From the educational perspective, we believe that teaching big data security starts with the fundamentals of data security that are taught in all security programs. There is no stronger foundation for big data security discussions than a deep and broad understanding of security concepts; however, the additional complexities that big data adds to the problem of security need to be included in the curriculum. While we believe the best way for students to learn is through laboratory experiments or simulations, developing big data security exercises may prove more difficult than traditional security exercises. If we argue that a definition of big data could be developed and universally accepted, we still see obstacles to overcome. Currently, students work with intrusion detection and data loss prevention, but not in a big data environment. And, we have found, they really aren't prepared to handle the massive amount of data that pours in from security devices, network monitoring and data loss monitors. Laboratory experiments have to be carefully crafted to not overwhelm students, but also provide the look and feel of big data.

NO MEANINGFUL DATA
Unfortunately, access to realistic and meaningful data is difficult in higher education. We cannot have access to real big data because, in many cases, it is private. We need to develop example data sets of big data in which the data types match different industries. This is a perfect place for academia to partner with vertical industries or industry trade groups to develop these data sources. And we, as educators, need to be innovative in combining cloud and big data security concepts and encouraging our students to think about these topics.

So, what can we realistically hope to accomplish in the area of big data security education? We would hope that as educators we can help our students learn the fundamentals needed to adapt to ever-changing threats and technologies. While today the current topics are big data and cloud security, tomorrow's topics are unknown. As educators we are bound to include the most current security topics and issues, such as big data and cloud security, for our students. However, we must also strive to educate our students so they can adapt to changes once they leave our hallowed halls.

DOUG JACOBSON is a professor in the department of electrical and computer engineering at Iowa State University and director of the Information Assurance Center, which was one of the original seven NSA-certified centers of academic excellence in information assurance education.

JULIE A. RURSCH is a lecturer in the department of electrical and computer engineering at Iowa State University and director of the Iowa State University Information Systems Security Laboratory, which provides security training, testing and outreach to support business and industry.
10/34
10 INFORMATION SECURITY n JULY/AUGUST 2013
EDITORS NOTE
THE LEGACYOF SB 1386
SECURITYEDUCATION
NEW PATHWAYSTO NETWORK
SECURITY
THIRD-PARTY RISK
HORROR STORIES?!!
MOBILE SECURITYBY THE NUMBERS
COVER STORY: NETWORK SECURITY ARCHITECTURE
By Dave Shackleford
NEW PATHWAYSTO NETWORKSECURITYWant to shed appliances?Consolidation and new
platforms hold promisefor security teams.
IN AN INTERESTING paradox, enterprise networks have ex-
perienced unprecedented sprawl and signifcant consoli-
dation over the past 10 years. With new technology and
application use at an all-time high, security teams re-quire dierent ways to isolate, monitor and control trafc
within their data centers and extended networks.
What network isolation and segmentation techniques
are many companies now considering? How can consoli-
dation and collapse o eature sets into unifed platorms,
and more condensed network security architecture at the
perimeter secure sensitive data and corporate assets?
While security isnt the primary driver o major net-
work architecture overhauls, new threats are leading
more organizations to re-architect portions o their net-
works. For some large organizations, the continued rise o
devastating distributed denial-o-service (DDoS) attacks,
embedded HTTPS control channels, and sophisticated
malware may necessitate a redesign ocused on network
security architecture.
Business growth or operational changes can also in-
crease the need to reresh network security architecture.
7/29/2019 ISM July-August Final
11/34
11 INFORMATION SECURITY n JULY/AUGUST 2013
EDITORS NOTE
THE LEGACYOF SB 1386
SECURITYEDUCATION
NEW PATHWAYSTO NETWORK
SECURITY
THIRD-PARTY RISK
HORROR STORIES?!!
MOBILE SECURITYBY THE NUMBERS
COVER STORY: NETWORK SECURITY ARCHITECTURE
touted as a way to help security proessionals imple-
ment access controls and trafc fltering, packet cap-ture and monitoring, and isolation o trafc at Layers 2
and above. In March, Microsot Principal Network Ar-
chitect Rich Groves gave a talkdescribing the compa-
nys use o the OpenFlow specifcation and commodity
switch hardware to send large quantities o packet data
to network monitoring devices (Figure 1). This same
technique can easily be used to quarantine and isolate
packets with specifc attributes, potentially helping de-
eat DDoS and other attacks.
n Layer 2 isolation: While the use o virtual LANs
(VLANs) to segment broadcast domains in a network
is not new, more organizations are strategically using
VLANs and private VLANs as a segmentation strategy
or sensitive domains. Many newer switches, including
Cisco Systems Nexus series and Juniper Networks EX
devices, can also accommodate VLAN access control
lists that allow or fltering based on MAC addresses
and orwarding and capture o packets.
n Isolation at virtual network layers: The use o virtual
frewall appliances and newer virtual switches such as
the Cisco Nexus 1000v, Juniper vGW line, and Open
vSwitch is starting to emerge within converged inra-
structure clusters as a sound isolation and segmenta-
tion practice. While most organizations arent replacing
These design changes are oten coupled with equipment
upgrades and replacement scenarios.For many enterprises, compliance is the major driver
or changes in both security and general IT operations.
Any technology or internal design change that can limit
or reduce the scope o the environment or compliance
can save money and time, in years to come. Isolation o
systems, applications and network segments that handle
payment card data, or example, can go a long way to lim-
iting the scope o PCI DSS audits.
ISOLATION AND SEGMENTATION TECHNIQUESRegardless o motivation, new considerations are driving
the way networks are designed. In the past, many orga-
nizations used a traditional single or dual-frewall archi-
tecture that divided networks into segments at Layers
3 and 4, limiting IP address ranges and TCP/UDP ports
that could traverse one segment or another. While this
network security architecture is still the most common,
more organizations are starting to control trafc at dier-
ent layers and use emerging technologies that acilitate
trafc capture, analysis and control.
n Software-defined networking for monitoring and
isolation: SDN is an emerging technology that imple-
ments network control through sotware and script-
ing in switches and centralized controllers. Its heavily
http://searchsdn.techtarget.com/news/2240181908/Microsoft-uses-OpenFlow-SDN-for-network-monitoring-and-analysishttps://www.opennetworking.org/sdn-resources/onf-specifications/openflowhttps://www.opennetworking.org/sdn-resources/onf-specifications/openflowhttp://searchsdn.techtarget.com/news/2240181908/Microsoft-uses-OpenFlow-SDN-for-network-monitoring-and-analysis7/29/2019 ISM July-August Final
12/34
12 INFORMATION SECURITY n JULY/AUGUST 2013
EDITORS NOTE
THE LEGACYOF SB 1386
SECURITYEDUCATION
NEW PATHWAYSTO NETWORK
SECURITY
THIRD-PARTY RISK
HORROR STORIES?!!
MOBILE SECURITYBY THE NUMBERS
COVER STORY: NETWORK SECURITY ARCHITECTURE
n Use of load balancers and content switches to
isolate traffic: A majority o the trafc in enterprisestoday is HTTP, HTTPS or other application trafc.
Load balancers and content switches are oten used to
provide availability and control or application trafc,
but security teams can beneft rom these technologies
existing hardware-based security platorms with vir-
tual systems, the use o virtual trafc control and moni-toring systems is growing as a new layer o deense.
Some o these systems oer capabilities that their
hardware-based counterparts cannot (see tip onvirtual
networking).
[FIGURE 1 ]
Microsoft is usingsoftware-defined networking
based on the OpenFlowprotocol for traffic isolation
and aggregation in itscloud.
(SOURCE: WWW.OPENFLOW.ORG)
http://searchsecurity.techtarget.com/tip/Evaluating-network-security-virtualization-productshttp://searchsecurity.techtarget.com/tip/Evaluating-network-security-virtualization-productshttp://searchsecurity.techtarget.com/tip/Evaluating-network-security-virtualization-productshttp://searchsecurity.techtarget.com/tip/Evaluating-network-security-virtualization-products7/29/2019 ISM July-August Final
13/34
13 INFORMATION SECURITY n JULY/AUGUST 2013
EDITORS NOTE
THE LEGACYOF SB 1386
SECURITYEDUCATION
NEW PATHWAYSTO NETWORK
SECURITY
THIRD-PARTY RISK
HORROR STORIES?!!
MOBILE SECURITYBY THE NUMBERS
COVER STORY: NETWORK SECURITY ARCHITECTURE
advantage o these eatures as application trafc grows.
Using application-layer packet attributes to direct andcontrol trafc can help organizations isolate more sen-
sitive or critical trafc, and identiy malware command
control channels using HTTP/HTTPS.
■ Internal VPNs and private cloud gateways: Several organizations have employed internal virtual private network (VPN) platforms to segment their networks. SSL VPNs can be easily set up and configured to act as a gateway to one or more segments of the environment, providing more robust authentication requirements, endpoint inspection capabilities, and integration with virtual desktop technologies. For organizations with private cloud deployments, new cloud edge gateways such as VMware's vShield Edge or Juniper's vGW can be installed to provide controlled access. Technologies such as VMware's VXLAN allow migration and control of Layer 2 traffic across Layer 3 data center and cluster boundaries, which affords more flexibility to distributed virtual and cloud environments.
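The load balancer item above notes that application-layer attributes of HTTP/HTTPS traffic can reveal malware command-and-control channels. The following script is an added example, not code from the article or from Voodoo Security: it scans proxy log lines for client/host pairs that poll at a near-constant interval with near-constant response sizes, a periodicity signal that stands out from ordinary bursty browsing. The log format, hostnames and thresholds are assumptions, and the sample lines are constructed.

```python
"""Beacon detection over HTTP/HTTPS proxy log lines.

Ordinary browsing is bursty; a command-and-control channel that hides in
web traffic tends to poll its server at a steady interval with requests of
nearly the same size. This script groups log lines by (client, host) and
scores the regularity of each pair. Log format, hostnames and thresholds
are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic). Fields:
# timestamp client method host status bytes
SAMPLE_LOG = """\
2013-07-01T09:00:00 10.1.2.5 GET cdn.example-news.test 200 51233
2013-07-01T09:00:03 10.1.2.5 GET cdn.example-news.test 200 1290
2013-07-01T09:00:00 10.1.2.9 POST update.beacon-host.test 200 312
2013-07-01T09:05:00 10.1.2.9 POST update.beacon-host.test 200 310
2013-07-01T09:10:01 10.1.2.9 POST update.beacon-host.test 200 315
2013-07-01T09:14:59 10.1.2.9 POST update.beacon-host.test 200 309
2013-07-01T09:20:00 10.1.2.9 POST update.beacon-host.test 200 311
2013-07-01T09:01:12 10.1.2.5 GET mail.example-corp.test 200 8800
2013-07-01T09:07:41 10.1.2.5 GET mail.example-corp.test 200 9100
2013-07-01T09:31:05 10.1.2.5 GET mail.example-corp.test 200 7600
2013-07-01T09:32:10 10.1.2.5 GET mail.example-corp.test 200 12400
2013-07-01T09:58:44 10.1.2.5 GET mail.example-corp.test 200 8150
"""


def parse_line(line):
    """Split one log line into a record dict; raises ValueError on a malformed line."""
    fields = line.split()
    if len(fields) != 6:
        raise ValueError(f"expected 6 fields, got {len(fields)}: {line!r}")
    ts, client, method, host, status, nbytes = fields
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "method": method,
        "host": host,
        "status": int(status),
        "bytes": int(nbytes),
    }


def regularity(values):
    """Coefficient of variation (stdev / mean); 0 means perfectly regular."""
    avg = mean(values)
    return pstdev(values) / avg if avg > 0 else float("inf")


def find_beacons(log_text, min_hits=4, max_gap_cv=0.1, max_size_cv=0.25):
    """Return [(client, host, mean_gap_seconds, hit_count)] for periodic pairs.

    A pair is reported only when it has at least min_hits requests, its
    inter-arrival gaps vary by no more than max_gap_cv and its response
    sizes vary by no more than max_size_cv. Results are sorted so callers
    get a stable order.
    """
    by_pair = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_pair[(rec["client"], rec["host"])].append(rec)

    hits = []
    for (client, host), recs in by_pair.items():
        if len(recs) < min_hits:
            continue  # too few observations to judge periodicity
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        sizes = [r["bytes"] for r in recs]
        if regularity(gaps) <= max_gap_cv and regularity(sizes) <= max_size_cv:
            hits.append((client, host, round(mean(gaps)), len(recs)))
    return sorted(hits)


if __name__ == "__main__":
    for client, host, gap, n in find_beacons(SAMPLE_LOG):
        print(f"possible beacon: {client} -> {host} every ~{gap}s ({n} requests)")
```

In the sample, the mail host is contacted five times but at irregular gaps, so only the five-minute poller is reported; tune the thresholds against your own proxy data before acting on a hit.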
UNIFIED PLATFORMS AND COLLAPSED ARCHITECTURE

In addition to new isolation techniques and controls, organizations today are generally looking to collapse their infrastructure a bit more. The security community is as well. While many leading manufacturers have offered security options in these products for some time (including port mirroring, scripting capabilities and DDoS defenses), security teams are starting to take
Sizing Up Unified Security Platforms

SMALL- AND MEDIUM-SIZED businesses have adopted universal threat management devices more than enterprises. Trends that stuck for defense in depth are prevalent in many large organizations' networks:

■ Multiple tiers of security access control/filtering devices
■ Different vendors (in some cases)
■ Separation of functionality

Today, organizations are looking to collapse functionality into bigger, more capable platforms. Next-generation firewalls are starting to replace traditional Layer 3/4 firewalls and IDS/IPS at some Fortune 100 companies. ■
applications. These segments often include the primary ingress points from the Internet, segments where a VPN connection terminates, and any exposed DMZ subnets, along with internal zones that need protection.

So what's changing? Some Fortune 100 companies are replacing firewalls with next-generation firewall (NGFW) platforms. These systems offer more application and traffic behavior inspection along with new capabilities, such as user tracking from internal directory services and more robust protocol inspection. This strategy starts to approach the UTM concept, but with more capable and high-performing platforms.

Another major shift is the gradual consolidation of IDS/IPS platforms with next-generation devices and technologies. While a good number of organizations are still proponents of separate IDS/IPS, some companies are seeing benefits in using the NGFW platforms to handle both firewall and IPS functionality. As long as the performance of the network is not impacted with a single device handling so many security functions, this approach may make sense for some companies.
PLANNED UPGRADES AND SMALLER ZONES

How should security and network teams proceed? First, align any network security architecture and monitoring changes with planned upgrades or changes whenever possible. If new or updated technology is already slated for
actively using converged security appliances (often called universal threat management, or UTM systems) that offer a combination of services like antimalware defense, antispam and mail protection, content filtering, traditional Layer 3 and 4 firewall rules and even VPN and proxy capabilities, in some cases.

While these systems have steadily become prevalent and more mature, the technology is more viable for small to mid-sized businesses. Many enterprises are not sold on the technology, because it represents a single point of failure. It doesn't support the scalability or performance required in large, fast (10 Gbps+) network environments. While this still holds true, many companies are looking to reduce the number of security layers within their networks and add enhanced functionality that may prove more effective at combating modern threats.

Over the last 10-15 years, many organizations followed popular trends in network security architecture, starting with the adoption of multiple layers of security traffic control points, such as firewalls. Some enterprises have even used technology from different vendors at each layer to prevent a single point of failure. This strategy may offer a multi-layered approach to network security, but it results in much higher implementation and operations costs, as well as overhead to manage these platforms.

Many enterprises use dedicated intrusion detection and prevention systems (IDS/IPS) to secure heavily used network segments and those that house sensitive data and
NGFWs can either augment or potentially replace existing firewalls and IPS platforms.

Another focal area for network and security managers is built on the concept of compartmentalization of network segments. With any redesign efforts, security teams should attempt to segment sensitive data, traffic and systems into more carefully controlled areas. While the concept of DMZs and network segmentation is not new, building more, smaller zones may make sense with a combination of VLANs, Layer 3 access controls and even application-level traffic monitoring and control. With advanced firewalls and new virtual platforms, this network security architecture is much easier to accomplish. NGFW systems and virtual appliances can help network and security teams lower costs, if they are replacing multiple platform types.

With new network technology and the availability of advanced security platforms, the design and architecture of many networks is likely to continue to change rapidly, in some cases, collapsing infrastructure with virtualization and cloud deployments. ■
DAVE SHACKLEFORD is owner and principal consultant at Voodoo Security, senior vice president of research and CTO at IANS, and a SANS analyst, instructor and course author. He is a VMware vExpert and has extensive experience designing and configuring secure virtualized infrastructures.
purchase and implementation, investigate the access control, filtering and monitoring features built into these systems, regardless of vendor. If vendor selection and design phases have not been completed, suggest looking at technologies and designs that allow for the following:

■ Access controls and monitoring at Layers 2 and above: Instead of a consolidated firewall design, switches and other network devices may play more important roles in controlling and monitoring traffic, especially in widely distributed networks.

■ Integration with SDN protocols such as OpenFlow and sFlow: While many organizations may not be ready to make the switch to SDN just yet, preparing for it by purchasing equipment that allows for programmable functions and traffic control to be implemented is a sound idea.

■ Integration with virtualization and private cloud technologies from VMware, Microsoft, Citrix and others: Virtual appliance models with security technology are becoming available from numerous vendors. These systems can complement existing capabilities and network designs, especially in environments with virtual systems or a private cloud.

■ Application and protocol inspection: New types of
THIRD-PARTY RISK HORROR STORIES?!!
The majority of breaches occur as the result of third parties. MacDonnell Ulsch advises companies to safeguard third-party agreements.
By MacDonnell Ulsch

CYBERATTACKS LEAP FROM the headlines almost daily, yet senior management at some companies still believe their organizations are not potential targets: "Nobody knows who we are, why would anyone want to attack us?" One consistent breach finding may get their attention: Almost without exception, a third-party vendor or affiliate is involved. It may be the client, or it may be the origination point of the breach.

The third party is often a quasi-insider, enjoying some degree of the trust afforded employees. Based on a relationship's longevity and personal interactions, third-party trust levels sometimes meet or exceed the level of insider trust.

Unfortunately, the conveyance of trust does not always end well. This is why third-party management and service-level agreements (SLA) are so critical in the management of risk. SLAs are negotiable instruments that reflect the company's appetite or tolerance for risk; its size and complexity, geographic distribution, type of information managed, as well as the ability to effectively monitor the third-party management program.
VENDOR RISK MANAGEMENT
insurance premiums and civil litigation from investors, shareholders, business partners and others (see Negative Outcomes: Third-Party Risk Management, Figure 1). Heads may roll in the executive suite. Criminal prosecutions often result. (Immunity in a breach is as scarce as hieroglyphics.)

The worst risk impact occurs when companies are clearly not ready for a breach, which is too often the case.

ALREADY MADE IN CHINA

When it comes to managing risk, no company is perfect; usually, it's far from it. In the well-known case of Nortel Networks Inc., the optical networking company's computer systems and senior management's emails, including the CEO's, were compromised by Chinese hackers, for nearly a decade. An employee said he alerted Nortel's executives that there was a breach in 2004, according to The Wall Street Journal, but outside of changing passwords, his warnings were largely ignored. This ongoing breach resulted in costly and complex litigation during Nortel's asset sale after it declared bankruptcy in 2009. Companies that acquired Nortel's intellectual property (Ciena Corp., Avaya Inc. and Ericsson Inc.) found out that their organizations might not have exclusive rights to the sensitive information.

Avoiding the often substantial impact of legal, financial, regulatory and reputation risk isn't trivial. In the best scenario, managing risk is supposed to prevent bad things from happening. The next best outcome is to reduce the impact when a collision of a threat and its intended target prove unavoidable. In the worst case, managing risk is about recovering from an event that proved to be, for whatever reason, both unpreventable and highly effective, translation: expensive.

Risk impact can be defined by a variety of metrics: loss of revenue, loss of company value, diminished market share and brand equity, increased cost of capital, higher
[FIGURE 1] Negative Outcomes: Third-Party Risk Management (SOURCE: ZEROPOINT RISK RESEARCH LLC)

Regulatory Risk, impact: Regulatory Impairment, Regulatory Fines, Increased Government Scrutiny, Rigorous Remediation, Litigation Foundation
Legal Risk, impact: Civil Litigation, Criminal Prosecution, Class Actions, Jury Awards, Settlements
Financial Risk, impact: Value Loss, Investor Loss, Customer Loss, Capital Cost Increases
Reputation Risk, impact: Press and Media Exposure, Market Drift, Competitor Positioning
Cascading Risk, impact: Market Loss, Recovery Continuation, Sustainability Questions
are also noted in the final rule, as well as enforcement and penalty provisions. The Genetic Information Nondiscrimination Act prohibits health plans from using genetic information as an underwriting consideration. Multiple privacy issues are also noted in the final rule, especially on the use and disclosure of protected health information, including the uses associated with marketing and fundraising. (Similarly, recent changes in the European Union Model Clause affect E.U. companies exporting data overseas, as well as the third-party data importers.)

Contract negotiators, attorneys and others with experience managing the SLA process address certain issues reasonably well: performance-related requirements, and even some regulatory requirements. Companies can further protect their information assets by ensuring that the following components are included in the negotiation of all third-party management agreements: information security, information privacy, threat and risk analysis, compliance obligation range, enforcement mechanisms, internal audit access and disclosure requirements, and
The majority of breaches occur as the result of the actions or defensive deficiencies associated with a third-party service provider. One third-party vendor's deficient antimalware deployment resulted in a massive cyberattack. The impact: extensive, costly regulatory reporting and uncomfortable discussions and negotiations with its corporate customer base. The breach was detected when an employee noticed suspicious firewall log activity. The hackers, however, had covered their infiltration by erasing the majority of their intrusive activities, making the breach even worse and complicating the forensic analysis.

COMPLIANCE AND THIRD-PARTY MANAGEMENT AGREEMENTS

Third-party management agreements are important instruments in managing legal, regulatory, financial and reputation risk. These contracts, also known as Business Associate Agreements (BAA), are neglected tools for defending against information compromise.

Any company protecting health information, for example, needs to pay particular attention to the changes brought about by the HIPAA Omnibus Final Rule, which was passed in January 2013 and went into effect in March. A number of deadlines for compliance are set for September 23, 2013. Changes include requirements for business associates and subcontractors to comply with the complex security rule. Breach notification changes

Business Associate Agreements are neglected tools for defending against information compromise.
identities and acquired cell phone numbers, addresses, social security numbers and so on. On paper, the employees certainly seemed like real people: each one passed a background information check. An address in the background check forms seemed out of place, but that didn't prevent them from getting hired. Personally identifying information (PII) was stolen in this scam and sold to organized crime and narcotics traffickers in a foreign country, resulting in financial fraud. The breach was

foreign corrupt practices management (Figure 2). Focusing on these seven elements will increase the efficiency and effectiveness of third-party management agreements while creating an effective risk management framework.

Third-party management agreements may not be enough to protect organizations from elaborate cyberfraud, however. In one occurrence, the third-party vendor hired independent contractor employees who did not exist. Well, one did. Ingeniously, this individual invented
[FIGURE 2] Successful negotiation of third-party management agreements is built around seven elements. (SOURCE: ZEROPOINT RISK RESEARCH LLC)

Information Security Agreement
Information Privacy Agreement
Specific Threats and Risks Defined
Foreign Corrupt Practices Management
Audit and Monitoring Terms Agreement
Enforcement Mechanisms
Compliance Requirements Range
ASSETS AT RISK

It is not always discernible what information is at risk in a cyberbreach, especially right away. One third-party vendor responded to a breach based on an assumption that the organization did not possess any regulated data, when in fact, it did. What the company thought was just a matter of tightening security in the initial stages of the breach, evolved into a serious reportable event.

Every third-party provider should know what data is in its possession. This is an absolutely critical determinant of how that data must be protected. While few mandates exist regarding the protection of intellectual property and trade secret assets (this is typically limited to contractual obligations cited in customer contracts and insurers' policies), personal information must be protected according to statute and regulation.

Many breaches of regulated data are never reported, however. Sometimes, a decision is reached not to report on the basis that the breach did not meet certain requirements, the exact definition of PII or protected health information (PHI). A breach that isn't reportable in the United States may be disclosed in other countries based on different regulations.

Managing risk by regulation has significant drawbacks, yet many companies continue to do just that. Here's the problem. Many regulations are written upon the back of mandatory minimum requirements. While it's
detected due to suspicious behaviors exhibited by the independent contractor behind the felony crime.

RESPONSIBILITY AND REPORTING

It is important to remember that the principal company or covered entity that engages a third party is always responsible for ensuring the integrity of information. While various regulations may also hold third parties accountable, never assume that the obligation of compliance is assignable to another company. When negotiating an SLA, the company must require the third-party service provider to both assume responsibility for compliance with all applicable regulations, and to specify the timeframe in which to report a breach to the company. This can get tricky, and the contract language is important. Always confer with corporate legal counsel on this issue.

First, be sure to define what a breach is. An incident or event is not necessarily a breach of regulation. Is the event a breach of policy and procedure, security or regulation? Some contracts require the third party to notify the principal company of a security policy breach within 24 hours of the incident. Maintaining tight control over the reporting requirements of the third party under agreement is vital. It is also recommended that the company pre-emptively engage the third party by asking, in writing, about any security incidents at the third party, and receive a response in writing. (Continued on page 22)
Inside Jobs

INSIDER THREATS CAN take advantage of high trust levels to hatch elaborate schemes. A group of employees working for a large U.S. technology company decided to use their employer's technology assets for personal gain. They had access to desktop and laptop computers that were coming off lease, being sold or otherwise recycled. These units were stockpiled in unused offices, unsecured rooms and even in hallways.

The employees signed into the data center using these machines and built their own data management network, underneath the raised floor of the corporate data center. They started competing for external business with their employer. This crime went undetected for about a year.

It was eventually detected, but not because of all the technology company's monitoring hardware and software. A security guard outside of the data center figured it out. The guard noticed that these workers consistently checked into the data center when everyone else was logging out, at the end of the day and on weekends. He became suspicious.

It's worth noting that many employees who get caught committing fraud against the company are not criminally or even civilly prosecuted. Prosecutions result in a public record, and negative publicity. Which brings up the issue of background investigations: Many people who engage in illegal actions get terminated and soon apply for other jobs in the industry. Meaningful background investigations are woefully absent, and $49 background checks are often inadequate.

There's a reason that a top secret security clearance can take two years to complete. In 2012, according to The Washington Post, about 500,000 private contractors had federal clearance for handling top-secret materials at some level. ■
and trade secrets of value, bearing in mind that this approach, while better than nothing, is a minimum based upon regulatory requirements.

What do all of these breached companies have in common, and especially third parties? It isn't the type of information that was exposed: PII, PHI, intellectual property and trade secrets. It's that these organizations didn't manage risk effectively, from their definitions of risk management to communication gaps between IT and executive management and the board. (The further they are from the point of the breach, the less they understand the breach and its impact.)

SPEND NOW OR LATER

Many companies would rather spend on recovery and remediation than on prevention through risk management and optimization of SLAs. (That may not be what statistics indicate, but that's what we see.) For one thing, after a breach, budget immediately materializes. The message from executive management is usually this: "Fix this and then do what you need to do to keep this from happening again." Sometimes, the company embraces a more strategic risk management solution in the aftermath of a breach. Other times, though, the focus is very tactical and concentrated on IT security fixes in the absence of a real risk management approach.
better than nothing (and there are those companies that fail to meet even these basic requirements), it's not where the industry needs to be. This practice is unacceptable in other industries. No one wants a pilot who's met only the minimum regulatory threshold.

BASELINE FOR PROPRIETARY INFORMATION

Of course, not all companies or third parties are in the business of managing regulated information. What about managing the risk associated with unregulated data: proprietary information, intellectual property and trade secrets? In a world where brand counts, protecting the brand is ensuring a company's future. Brand protection is critical because the mission of nation-state espionage and commercial economic and technology competitors is to steal valuable business information. The financial loss is staggering, with some estimates surpassing a trillion dollars a year, and about a third of those losses are in the United States (Figure 3).

One third-party management strategy is to borrow from the requirements used in regulated data management deployments. Most companies, whether large or small, are required to at least protect employee and customer information in a manner consistent with U.S. federal and state requirements. Require third parties to use that baseline to extend protection to intellectual property
(Continued from page 20)
(Continued on page 24)
[FIGURE 3] Financial losses caused by insider and third-party threats resulting in breaches of intellectual property and trade secrets are estimated at more than $1 trillion worldwide. (SOURCE: ZEROPOINT RISK RESEARCH LLC)

Diagram labels: Insider and Third-Party Threat (Employees, Partners, Vendors, Contractors); External Threat (Drug Cartels, Organized Crime, Employees, Governments); Environmental Change (Regulation, Litigation, Technology, Culture, Economy, Climate); further labels: Malice, Information Integrity, Mistake, Terrorists; exposures: Financial Risk Exposure, Reputation Risk Exposure, Legal Risk Exposure, Regulatory Risk Exposure; U.S.: More than 500 Million PII Electronic Records Compromised / $1T+ Year IP/TS Stolen.
"One of our outside service provider's employees had some of our client data on an iPad that was stolen, and now it looks like we're going to have to report this event to regulators in 40 countries. I hate to think what the impact of this is going to be."

Board member: "Tell me more about this."

Think about the relationship of security to the management of risk. Risk is a potential condition of concern to many people in the organization. Many executives that will be responsive to the language of risk are not responsive to the language of technology and information security. Chief executives, chief risk officers (which are often chief financial officers), internal legal counsel, internal auditors, privacy officers and compliance officers have an interest in managing risk and are usually responsive. Also, employees with a vested interest in the company's reputation, including sales and marketing, are often responsive. Conveying the risk message appropriately, though, is necessary to get anyone's attention.

Speaking technology and security will secure the job. Speaking risk will secure budget and your future. ■
MACDONNELL ULSCH is the CEO and chief analyst at ZeroPoint Risk Research LLC, in Boston, Mass., and advises commercial and government clients. He wrote THREAT! Managing Risk in a Hostile World. The working title of his upcoming book is CYBER SABRES: Defending the Future Against Enemies Near and Far.
Regardless of whether the breach originated at a third party or at the principal company, a key determinant in the post-breach report is who's in charge of the breach investigation. When executive management, especially the general counsel and the board are involved, there's a greater likelihood that a more effective risk management program will result. But not always: by the time many companies finish paying the bills associated with a breach, they're sometimes seeking fiscal restraint and recovering from the financial cost of the breach. This often leads to, "Let's try and do the rest of this mitigation in-house." That's usually a mistake, depending on individual breach circumstances, and the cooperativeness of any third-party vendor involved.

ENTERPRISE TOWERS OF BABEL

As much as anything, managing risk is about effective communication.

Take the CISO who happens to ride in an elevator with a member of the board of directors: "We've got a BYOD issue that led to a BAA infosec incident."

Board member thinks: "Why can't this elevator move faster?"

Speak the language of business and risk. This sounds simplistic, but what if the CISO said:
(Continued from page 22)
MOBILE SECURITY BY THE NUMBERS
Almost 60% of security professionals in our 2013 Enterprise Mobile Security Survey believe mobile devices present more risk now than in 2012. What's changed?
By Kathleen Richards
ENTERPRISE MOBILITY SURVEY
SEARCHSECURITY.COM POLLED 768 IT and security professionals in April 2013 and the data clearly indicates that the challenges of securing a multi-device environment continue to mount. While shifting IT assets outside of the firewall can help companies to lower costs, roughly 60% of the Enterprise Mobile Security Survey 2013 respondents believe mobile devices present more risk to their organizations compared to Q2 2012.

About 30% of respondents do not see higher risk, while 13% said they don't know.

The consumerization of IT isn't slowing down as more employees use personally-owned devices to access corporate data and applications. But a surprising finding in our 2013 survey was how many companies no longer even issued mobile devices outside of traditional laptop computers, sliding from 83% in our Enterprise Mobile Security Survey 2012 to 65% (Figure 1).

Despite growing concerns over mobile security, only 60% of respondents indicated that their organization required security technologies on mobile devices. In the
capabilities (14%). Perhaps, more alarming is the 40% of organizations, according to those surveyed, that don't require use of security technologies on mobile devices.

The challenges of taming multi-device environments are quickly becoming the norm, however. About half of survey respondents (49%) indicated that their organizations applied unique security policies and controls for each mobile platform, with Apple iOS and Google Android topping the list of mobile platforms supported on non-company issued devices (Figure 2). Less than half

group that did, the security initiatives ranked as follows: access control (67%), authentication (57%), encryption (53%), remote wipe (44%), antimalware (44%), PIN enforcement (42%), remote lock (39%), Microsoft ActiveSync (38%), remote access VPN (37%), mobile device management (36%), policy configuration and enforcement (34%), application control (30%), app store restrictions (29%), remote software distribution (23%), blacklist capabilities/data containment (23%), jailbreak detection (21%), GPS tracking (19%) and whitelist
[ FIGURE 1 ] Does your organization supply employees with mobile devices (excluding traditional laptop computers)?
Yes: 65%
No: 35%

[ FIGURE 2 ] For non-company-issued devices, what mobile platforms does your company support? (Check all that apply.)
Apple iOS: 84%
Google Android: 79%
BlackBerry/RIM: 62%
Windows Mobile: 54%
Related link: http://searchsecurity.techtarget.com/feature/MDM-solutions-More-calls-to-secure-a-mobile-workforce
(43%) of those surveyed did not have different security policies based on mobile operating systems.

At the same time, 43% of organizations required employees to sign a consent document that grants the employer at least limited control over any personally-owned device that accesses corporate systems or data, while 57% did not have any such policy. Half of the respondents said that their employers allow non-company mobile devices to access the corporate network and data (Figure 3).

APP SECURITY BETTER THAN DESKTOP

What types of applications do employees access via personally-owned mobile devices? According to survey respondents, 79% use personal email, instant messaging and chat applications; 68% use Web browser and productivity applications, such as Microsoft Office; 59% access social media; 49% access the corporate intranet and 41% use corporate applications.

Securing the application layer has received a lot of attention in 2013 as more mobile application management systems and related technologies emerge. Problems persist with device data leakage, including apps that request too many permissions (e.g., access to contacts) or hook into other areas on the device. Half of survey respondents indicated that their company is putting more resources (money and staff hours) into mobile application security in 2013, compared to Q2 2012. But almost one-third (29%) of organizations do not have plans to put more resources towards mobile app security, and one-fifth didn't know. These developments coincided with the heightened focus on mobile app security and operating systems in April, as Facebook blurred the lines when it rolled out its new "apperating system," Facebook Home (built on the Google Android OS).

So what's changed? In our 2012 survey, the top five mobile security concerns ranked as follows: device loss, application security, device data leakage, malware attacks and device theft. This year device data leakage
[ FIGURE 3 ] Does your employer allow non-company-issued mobile devices to access the corporate network and data?
Yes: 50%
No: 42%
Don't know: 8%
Related link: https://bg-bg.facebook.com/home
ranked first (45%), followed by unauthorized access (41%), device loss/theft (40%), application security (38%), and compliance and malware attacks (28%) tied for fifth when respondents were asked to select their organization's top three mobile security concerns, as shown in Figure 4.
[ FIGURE 4 ] What are the top three mobile security fears at your organization? (Select three.)
Device data leakage: 45%
Unauthorized access: 41%
Device loss/theft: 40%
Application security: 38%
Compliance: 28%
Malware attacks against devices: 28%
Liability over data on personal devices: 17%
Unauthorized or unmanaged mobile access to network resources: 15%
Vulnerable third-party applications: 11%
Platform-specific vulnerabilities: 8%
Unauthorized or unmanaged mobile app downloads: 6%
Location tracking: 3%
Other: 4%
Not surprisingly, mobile identity and access management is high on the list of enterprise mobile security concerns, even though vendors of classic identity and access management systems are attempting to extend the functionality. According to this year's survey, all the employees at 28% of the organizations have access to corporate network/data resources such as email, applications or customer data; more than half of the employees have access at 29% of the organizations; and less than half have access at 35% of the organizations. None have access at 2% of the organizations, and 6% of respondents indicated that they don't know. (See Figure 5 for types of data access on personally-owned devices.)

Data loss continues to rank as the top threat in enterprise mobile security on all sides, with device data leakage and device loss and theft among the common problems. Of particular concern for many companies is how data is handled when users switch phones or leave the organization. Despite these security threats, backups on non-company-issued devices at the majority of organizations
[ FIGURE 5 ] What types of data do employees access and/or store via personally-owned mobile devices? (Check all that apply.)
Standard email attachments: 90%
Work-related contacts: 71%
Personally-owned non-work files (photos/music/movies): 61%
Non-sensitive file shares/documents/presentations: 53%
Confidential/sensitive work-related data: 31%
Sensitive or encrypted email messages/attachments: 30%
(70%) are never required, according to survey respondents. Of the 30% that do demand backups on employee-owned devices, 12% required it daily, 11% weekly, 5% monthly, 2% hourly, and 1% of organizations limited the personal device backup requirements to quarterly.

At the same time, 44% of organizations allow users to access app stores on company-issued mobile devices and freely download apps; however, our survey data indicates that's a considerable decline from the 52% of companies that followed this practice in 2012. One-fifth of companies in 2013 permitted their employees to download from approved app stores and applications. About one-third of organizations (36%) do not sanction any app downloads on company-issued devices.

With close to 30% of organizations imposing app store restrictions, according to our survey, it's not surprising that 16% of respondents indicated that their organizations planned to build their own app stores.

MALWARE WATCH

By 2014, employee devices will be compromised by malware at more than double the rate of corporate-driven devices, according to Gartner. So far that hasn't happened, despite industry warnings that hackers go where the opportunity lies. From a software publisher's standpoint, it's a lot easier to write secure code for modern mobile platforms such as Apple iOS and Google Android than it is to sandbox programs and data, for example, on legacy desktops.

"Historically, Apple iOS has been proven to have the right mix of policy, process and technology to make the bad guys avoid it," said Brad Arkin, chief security officer, Adobe Systems.

"With Android, I think its weaknesses are also its strengths," he said. "Because it's so open, bad guys can use side-loading mechanisms and trick people into loading something malicious, but at the same time that openness allows [organizations] like the NSA to put together a secure version of Android including a secure broadband connection back to the mothership," he continued. "Android also allows you to do security monitoring software, which is not possible on iOS." Of course, Android security depends on several factors: platform flavor, hardware, updates and what kind of app stores you are using, noted Arkin.

"I don't think the desktop attack vector of going after people through email and browsers is going to be a
near-term problem for mobile devices just because the attack surface is very different, and it's not as attractive for the bad guys," he added.

Android is often viewed as an easier malware target because it exposes native APIs, but mobile platform breaches overall remain rare. Even so, 65% of security professionals in our Enterprise Mobile Security 2013 survey viewed the Android platform as carrying some level of
[ FIGURE 6 ] What mobile malware threats pose the greatest risk to your organization? (Select up to three.)
Data-stealing malware: 64%
Malicious applications: 47%
Unauthorized network access using mobile device: 45%
Root exploits/rogue software: 29%
Spam, phishing over SMS/MMS: 29%
Eavesdropping malware: 23%
Man in the middle attacks: 20%
Self-replicating malware: 15%
Zero-days in third-party software: 12%
Dialer malware (calls made to premium numbers): 10%
Supply-chain malware: 7%
risk. According to those surveyed, 38% of respondents indicated that the Android platform presented some risk to enterprises; 23% considerable risk, 4% an unacceptable level of risk, 16% no notable risk and 19% had no opinion. Figure 6 details which mobile threats respondents felt posed the greatest risk to their organizations.

While mobile malware has yet to cause significant problems, mobile device security policies may not be keeping pace with the rapid developments in enterprise mobility. One-fifth of respondents claimed that their organizations didn't have mobile device security policies. What?!

Of those that did, close to half (44%) do not require employees to read and sign the documentation. On a positive note, more than half (56%) indicated that their organization required employees to read and sign the company's mobile device security policy, but that's a significant drop from the 81% that reported that requirement in our Q2 2012 survey.

As BYOD continues to take hold, Gartner expects more companies to follow the college and university models by enforcing mobile security policies that govern network access instead of controlling personally-owned devices.

MOBILE DEVICE POLICY UPDATES

In organizations with mobile device policies, 26% have updated these documents in the past year, 14% within the past three months, 7% within the past 30 days, 6% within the past two years and 4% in the past three years or more. The biggest drivers of recent mobile security device policy updates, according to the Enterprise Mobile Security 2013 Survey: to satisfy internal corporate requirements (20%), address new threats (17%), manage new devices (15%) and compliance (11%). However, 13% of respondents indicated "other," while 59% didn't know.

Despite indications of a mobile tipping point, executives remain more involved in general IT security decisions and policies, according to those surveyed, as shown in Figure 7.

Finally, which top three mobile security technologies did security professionals expect their organizations to spend more on this year? One-third of respondents selected access control; one-quarter said data loss prevention and authentication, followed by antimalware (22%) and encryption (20%). Mobile device management (18%) finished sixth. Other security initiatives identified for
Related links: http://www.gartner.com/newsroom/id/2211115 and http://searchsecurity.techtarget.com/tip/How-to-write-an-effective-enterprise-mobile-device-security-policy
increased spending include: remote access VPN (15%), application control (12%), remote wipe (12%), policy configuration and enforcement (11%), ActiveSync (11%), and data containment (11%).

In our 2012 survey, roughly half of respondents honed in on the top five: authentication topped the list (53%), followed by data loss prevention (51%), access control (50%), encryption (45%) and remote wipe (41%). What a difference a year makes. n

[ FIGURE 7 ] How involved is your organization's executive team in defining and implementing security decisions and policy in 2013 compared to 2012?
Response categories: much more involved; somewhat more involved; no more or less involved; somewhat less involved; much less involved; don't know.
Series shown: mobile device security; general IT security.
KATHLEEN RICHARDS is the features editor of Information Security magazine. Follow her on Twitter @RichardsKath.
https://twitter.com/RichardsKath
TechTarget Security Media Group
TechTarget
275 Grove Street,
Newton, MA 02466
www.techtarget.com

EDITORIAL DIRECTOR Robert Richardson
FEATURES EDITOR Kathleen Richards
SENIOR MANAGING EDITOR Kara Gattine
SENIOR SITE EDITOR Eric Parizo
DIRECTOR OF ONLINE DESIGN Linda Koury
COLUMNISTS Marcus Ranum, Gary McGraw, Doug Jacobson, Julie A. Rursch, Matthew Todd
CONTRIBUTING EDITORS Michael Cobb, Scott Crawford, Peter Giannoulis, Ernest N. Hayden, Jennifer Jabbusch Minella, David Jacobs, Nick Lewis, Kevin McDonald, Sandra Kay Miller, Ed Moyle, Lisa Phifer, Ben Rothke, Anand Sastry, Dave Shackleford, Joel Snyder, Lenny Zeltser

USER ADVISORY BOARD
Phil Agcaoili, Cox Communications
Richard Bejtlich, Mandiant
Seth Bromberger, Energy Sector Consortium
Mike Chapple, Notre Dame
Brian Engle, Health and Human Services Commis