Do you know where your nudes are?

Samantha Perry
By Samantha Perry, co-founder of WomeninTechZA
Johannesburg, 09 Dec 2014
Julie Ferreira, RSA Southern Africa, says a shift in mindset towards security is required.
Julie Ferreira, RSA Southern Africa, says a shift in mindset towards security is required.

The recent hack of celebrity photos off cloud storage infrastructures has brought home the security issue in pointed fashion. And, unsurprisingly, fingers were pointed at service providers, rather than the criminals hacking into that infrastructure.

In an era of everything online and in the cloud, consumer data is increasingly at risk. With that risk, comes reputational risk to providers. Irrespective of where the fault lies, consumers will point fingers first (and not ask questions later).

"Awareness is critical when it comes to mitigating risk," says Marie Hattar, chief marketing officer at Check Point Technologies. "Data is often backed up and stored unencrypted in the cloud, which means a hacker can guess a password to gain access to that information."

"The key highlight from the recent iCloud hack is how reliance on only usernames and passwords is simply not enough to provide what used to be the minimum level of security," comments Julie Ferreira, district manager for RSA Southern Africa. "The recent Verizon Data Breach report for 2014 analysed 1 367 confirmed data breaches and over 63 000 security incidents in 95 countries. The use of stolen credentials was the top used action in successful attacks."

"Unfortunately, many consumers are careless about device security, don't read the terms and conditions related to using the service, and pay scant attention to choosing strong user names and passwords to secure these services," comments Jonas Thulin, security consultant at Fortinet. "It's vital that companies and consumers make sure device security is taken seriously; stronger user names and passwords might prevent a hack.

"What many companies may be overlooking in the iCloud hack is the fact that there can be vulnerabilities in consumer cloud and data syncing services. Also, enterprise employees use their personal mobile devices for work purposes, and there's a risk of data being leaked through those devices," Thulin adds.

Digital platforms

The trend to BYOD poses a risk to corporations, as careless end-users now have yet another platform to sign up to and not secure adequately.

Says BT customer business development director Steven Yates: "The Internet of things talks to a world where everything from technology objects, physical objects and biological objects are all connected. A SuperMonitoring study showed that, in 2013, 56%of the world's population had smartphones, and 80% of them planned to transact via mobile commerce in the next 12 months.

Security in the BYOD era

* Ensure BYOD devices only have access to required information. If steps are taken to ensure BYOD devices don't have access to sensitive data, risks are substantially reduced.
* Enforce company password policies on BYOD.
* Use encryption where sensitive data is stored, and don't underestimate the value of data in e-mail.
* Test wipe and erase functionally often to ensure it works on various platforms and OS versions.
* Review the BYOD policy often to ensure it remains relevant.
* Typically, mobile providers enable backup solutions (often in the cloud), so be mindful of what company information is able to be backed up.
* Be sensitive to the privacy of individuals' personal information on these devices. This can be achieved either through a policy where users accept that private data and information will be monitored for security reasons, or by creating a separate sandbox of company data.
* Be cautious around jail-broken and rooted devices; this can often undermine security controls in place
* When implementing BYOD, have an extensive small pilot phase where possible scenarios should be played out. Feedback from this will be valuable to refine technology and policy requirements.

"What these statistics don't show is the proliferation of connected devices as a whole, from PlayStations to motor vehicles to refrigerators. The world has changed to a place where both our corporate intellectual property and our customers' information exist not only in the heads of our people, but on our digital platforms," he comments.

And as long as it's digital, it's hackable.

Says Ferreira: "Organisations need to shift their mindset from purely relying on preventative controls to being able to react rapidly to security incidents to reduce and mitigate possible damages. Security teams require increased visibility and greater context into the business assets they are protecting. This allows them to make faster, more accurate decisions and then apply intelligent adaptive controls to ensure IT is still the business enabler it was originally intended to be."

However, cloud has changed the security game, as company data is now hosted on- and off-site in company, DR and cloud provider infrastructures.

"Ultimately, data stored in the cloud is in the hands of the service providers," says Fred Mitchell, software division manager, Drive Control Corporation, "and the likelihood of them being hacked depends entirely on the security they have in place.

"In order to ensure their data is safe, consumers and companies need to ascertain the security of their data, whether it is stored in the public cloud, a hybrid solution, or a private cloud.

"As the use of cloud services increases, data vulnerability will increase," he notes, "as evidenced by the increasing reports of compromised cloud services. Asking the right questions is key, like what measures are in place to back up data, what software is being used to access, stream and store the data, what level of security is applied, where is the data being stored and are the vaults secure."

Companies should not assume security is in place for their particular patch of a cloud service, comments Cloud on Demand CEO Jon Kropf.

"Companies should be asking service providers: who is responsible for security, and what is being done," states Richard Keymer, head of pre-sales for SecureData Africa. "It needs to be defined."

"When you sign up for a server, you need to consider who is responsible for that data, and who is responsible for backing it up and securing it. Most companies don't realise it's not the provider and don't back up," adds Kropf.

"Access management, backup and the way data is separated are still very much the user's responsibility," concurs Warren Olivier, Veeam Software regional manager for southern Africa. "Cloud service providers are increasingly offering security tools, but whether you choose to use them is entirely up to you. When things go wrong, everyone blames everyone else. In the middle of all the finger-pointing, the client is left standing.

"Cloud providers need to design and invest in their systems to ensure hosted data will always be available. Business needs to carefully look at the SLA terms in their contract to make sure what is covered, and where the buck will stop in case of a disaster," he notes.

Proliferating disaster

The problem is only going to get worse.

"Gartner predicts that by 2020, there will be 26 billion connected devices, excluding mobile phones and tablets, while Cisco puts this number closer to 50 billion. All of these devices are collecting information about our businesses and our clients," says BT's Yates. "What if it falls into the wrong hands?"

In 2013, 56% of the world's population had smartphones - 80% of them planned to transact via mobile commerce in the next year. (Source: SuperMonitoring)
Gartner predicts that by 2020, there will be 26 billion connected devices, excluding mobile phones and tablets, while Cisco puts this number closer to 50 billion.
Almost as harmful as drug trafficking: the current annual cost of cyber crime is between $450 billion and $575 billion, sidling up to the illegal narcotics trade. (Source: Center for Strategic and International Studies)

Says Nick Perkins, divisional director at Bytes Systems Integration's Identity Management division: "IT systems have a key role to play in helping compliance and other corporate officers discharge their obligation of certifying that a company's financial systems and transactions are secure. This is because financial processes are now wholly digital.

"A large company will have many people accessing its financial systems and literally thousands of transactions, making the task of the compliance officer potentially very difficult. Companies need to look at implementing a suitable solution that would provide for identity management, access control and logging, a solid foundation for compliance.

"A suitable solution should secure the corporate systems by requiring secure log-in using a variety of authentications - unsafe passwords are eliminated. Sensitive files and e-mails can be encrypted, thus adding further protection. Equally important, a full audit trail of log-in authentication and times is kept, ensuring that compliance officers can quickly and easily investigate any issues.

"This approach means that even if a laptop with saved passwords is compromised, corporate governance is not. A thief with just a password could not log onto the system, and every instance of a person accessing the financial systems is recorded," he states.

"The Washington-based think tank Center for Strategic and International Studies puts the current annual cost of cyber crime somewhere between $450 billion and $575 billion - almost causing as much harm as drug trafficking," says Yates. "The nature of digital security has also changed. No longer are we dealing with X-generation hackers trying to differentiate themselves. Cyber crime is organised, whether in the form of hactivism, organised crime, or terrorism. Organisations need to combat this threat at the highest level, or their customers and their brands will be irrevocably compromised to the point of possible closure."

First published in the December 2014 issue of ITWeb Brainstorm magazine.