A Sweet Addition in Your Arsenal of Protections

Perimeter security has made leaps and bounds in detecting and preventing attacks. However, rules and detection methods cannot catch everything. The big question is: what should you do once malware or an attacker is already inside the environment? Answer: honeypots.

They work as an early-alerting system for complex attacks and, when tuned properly, produce very few false positives compared to firewalls, IPS, and IDS. The sole purpose of a honeypot is to be probed, attacked, and compromised. It achieves this by mimicking a resource, service, application, system, or network. All activity between the honeypot and the malware or attacker is monitored, alerted on, and analyzed. Typical uses include: detecting the scanning activity of worms or bots, looking for internal threats, detecting compromised nodes, identifying new exploits and vulnerabilities, and capturing new malware.
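As an added illustration of the mechanism just described (this is not code from the original post), the following minimal low-interaction honeypot presents a fake service banner, records whatever a client sends, and turns every interaction into a structured alert. The port, banner, sensor name and alert layout are assumptions; any real deployment picks its own.

```python
"""Minimal low-interaction honeypot: present a fake service, record every
interaction, and emit an alert. Added example, not from the original post;
the port, banner, sensor name and alert format are assumptions."""
import json
import socket
import threading
from datetime import datetime, timezone
from typing import Optional

LISTEN_PORT = 2222                     # assumed: a port nothing legitimate uses
BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"   # assumed: banner that makes the port look like a real service
MAX_CAPTURE = 256                      # bytes of client input kept in the alert


def printable(data: bytes) -> str:
    """Render captured bytes with non-printables as '.', so the alert can be
    written to a log or SIEM without control characters (no log injection)."""
    return "".join(ch if 32 <= ord(ch) < 127 else "."
                   for ch in data.decode("ascii", errors="replace"))


def build_alert(peer_ip: str, peer_port: int, data: bytes,
                now: Optional[datetime] = None) -> dict:
    """Turn one honeypot interaction into a structured alert.

    Nothing legitimate should ever talk to the honeypot, so every connection is
    reported: a bare connect (typical of a port scan) is 'medium', and any
    payload at all (a login attempt, an exploit probe) is 'high'."""
    now = now or datetime.now(timezone.utc)
    captured = data[:MAX_CAPTURE]
    return {
        "ts": now.isoformat(),
        "sensor": "honeypot-ssh",
        "src_ip": peer_ip,
        "src_port": peer_port,
        "bytes_received": len(data),
        "sample_hex": captured.hex(),
        "sample_printable": printable(captured),
        "severity": "high" if data else "medium",
    }


def handle_client(conn: socket.socket, addr, sink) -> None:
    """Serve one connection: send the banner, read whatever the client sends
    (one read, with a timeout), close, and hand the alert to the sink.
    There is no real service behind the banner, so there is nothing to break into."""
    data = b""
    try:
        conn.settimeout(5)
        conn.sendall(BANNER)
        try:
            data = conn.recv(1024)
        except socket.timeout:
            pass
    except OSError:
        pass
    finally:
        conn.close()
    sink(build_alert(addr[0], addr[1], data))


def serve(host: str = "0.0.0.0", port: int = LISTEN_PORT, sink=None) -> None:
    """Accept connections forever, one thread per client. The sink is where
    alerts go: here JSON lines on stdout, in practice your SIEM or pager."""
    sink = sink or (lambda alert: print(json.dumps(alert), flush=True))
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=handle_client, args=(conn, addr, sink),
                         daemon=True).start()


if __name__ == "__main__":
    serve()
```

Because no legitimate system has any reason to connect to the listener, every alert it produces is a true positive by construction, which is where the low false-positive rate comes from. The host running it should hold no credentials or trust relationships with production systems, in line with the isolation point made below.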

Honeypots are one of the most underutilized ways to detect a threat once it has hopped the fence of perimeter security. By contrast, the email security industry has relied heavily on the honeypot, or spamtrap, as one of its most widely used and effective ways to detect incoming phishing and spam. Perhaps this disparity exists because honeypots in a production environment are commonly viewed as an insecure hole that allows an attacker into the environment. This should not be the case. A honeypot can be deployed in a normal secured environment or in an isolated DMZ. Obviously, once a threat has been detected by a honeypot, the normal environment can no longer be referred to as secure. The moment a honeypot has been compromised, a threat has found a way into your environment and all of your servers are exposed. It should be assumed that anything on the same network as the honeypot is or will be compromised as well. Even in this scenario, you still get the benefit of early alerting about the compromise.

Deploying a properly isolated honeypot is also worth the effort. Based on the information produced through alerting and reporting, we can gain insights into our operating systems and servers, host protections, and information protections. By monitoring a live infection or attack, we can learn how these areas of the security model are being compromised by threats.

With BYOD being more prevalent every day and attack vectors growing, a detection mechanism such as a honeypot could end up being invaluable.

Matt

Just as a precautionary note: this approach must be implemented with proper expert guidance and strategic planning; otherwise it can introduce unwanted threats into an environment.

Blackberry Enterprise Service 10 - What This Means for You

Everyone knows RIM made the Blackberry. The Blackberry got its start in 1999 as a simple two-way communication device, not unlike a pager. It rapidly became the device of choice for enterprise users and a status symbol for executives and managers alike.

Blackberry’s success wouldn’t have been possible without their Blackberry Enterprise Server (BES) technology, a middleware platform that connected a company’s email system to Blackberry devices out in the field. The original BES platform launched in June 1999 and grew from version 1.6 to the modern-day version 5.x. That doesn’t sound like a lot of version growth for 14 years, but the device software doesn’t undergo significant changes often enough to warrant frequent changes to the BES system.

In January 2013, RIM, now Blackberry, released the Z10, a full touch-screen device aimed at competing with Google, Apple and Microsoft. The Z10 touted something brand new – the highly anticipated Blackberry OS 10. BBOS 10 is based upon brand-new code acquired from QNX Software Systems. With this release, Blackberry felt it necessary to update their BES system to accommodate all the new functionality of the Z10, the newly released Q10, and future BBOS 10 and above devices.

Alongside the Z10, Blackberry launched Blackberry Enterprise Service 10 (aka BES10). BES10 incorporates Blackberry Fusion along with the redesigned Blackberry Device Service into a new BES platform. The underpinnings of BES10 are very similar to BES5. However, they were kind enough to say that BES5 platforms could not support BBOS 10 devices, and BES10 would not be backward-compatible with older devices. Furthermore, BES5 CALs cannot be used for BBOS 10 devices and BES10 CALs cannot be used for older devices.

Sounds like an awesome plan to milk corporate customers for more money doesn’t it? It was also viewed as possibly the biggest reason Blackberry wouldn't succeed at retaking the corporate world. Sensing this, Blackberry put a program in place until the end of 2013 to ease the transition period for companies. As a company, you can convert BES5 CALs one-for-one to BES10 CALs for free. It sounds wonderful. Now companies don’t have to fork over huge amounts of money to re-license users who want to move to the newer devices. There’s a catch, albeit a reasonable one, though. At the end of this conversion program, all converted BES10 CALs that are unused (that is, unassigned to BBOS 10 devices), will revert back to BES5 CALs. At this point, the company will be responsible for purchasing new CALs, creating duplication in the environment and unnecessarily adding to the expense of running a BES10 platform.

As an IT professional, am I happy about this? Do I enjoy running TWO BES platforms in my environment, adding to the maintenance required and creating another point of failure? No. I expected Blackberry to issue a new version, like Blackberry Enterprise Server 6, that would incorporate support for existing and new devices. I expected much more than what looks like a cash grab to bolster their bottom line. Instead, they’ve made me consider BYOD even further.

Chris

Security with the Django Web Framework

Lately, I was involved with the Python Django web framework (The Web framework for perfectionists with deadlines) and was shocked that still, in 2013, the official documentation (https://docs.djangoproject.com/en/dev/ref/settings/) and the "experts" on Stack Overflow (http://stackoverflow.com/questions/3540339/is-it-okay-that-database-credentials-are-stored-in-plain-text) recommend storing database connection credentials in clear text.

Python has a keyring library (https://pypi.python.org/pypi/keyring) that provides an easy way to access the system keyring service from Python and can be used in an application to safely store passwords.

To install it on Ubuntu, first make sure you have an up-to-date pip Python package:

sudo apt-get install python-pip
sudo pip install pip -U

Then, using pip, install the keyring library:

sudo pip install keyring

Finally, update the settings.py with the following code to securely store authentication credentials:

import keyring
import getpass

database_name = 'schema_name'
username = 'administrator'

# Look the password up in the system keyring. The first time it is missing,
# prompt for it without echo and store it, so it never has to live in this file.
password = keyring.get_password(database_name, username)
while password is None:
    password = getpass.getpass(database_name + " Password:\n")
    # store the password
    keyring.set_password(database_name, username, password)

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.mysql',
        'NAME': database_name,          # Or path to database file if using sqlite3.
        'USER': username,               # Not used with sqlite3.
        'PASSWORD': password,           # Not used with sqlite3.
        'HOST': 'db.inteliident.com',   # Set to empty string for localhost. Not used with sqlite3.
        'PORT': '3306',                 # Set to empty string for default. Not used with sqlite3.
    }
}

Simple, isn't it?
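The same pattern, generalised so the secret store and the prompt are injected: this is an added example, not code from the original post nor from Django or the keyring project, and InMemoryStore, get_or_prompt_password, build_databases and the sample values are assumptions. It goes beyond the settings.py snippet in two ways a practitioner cares about: an empty answer is rejected instead of being saved as the credential, and the number of prompts is bounded, so a non-interactive process (a WSGI worker or cron job) fails with a clear error instead of blocking on stdin.

```python
"""Keyring-backed database credential lookup for Django settings. Added
example, not from the original post; InMemoryStore, get_or_prompt_password,
build_databases and the sample values are assumptions."""
import getpass
from typing import Callable, Optional


class InMemoryStore:
    """Stand-in exposing the two keyring calls used above, get_password and
    set_password, so the logic can run without an OS keyring. In production
    pass the real `keyring` module instead; it has the same two functions."""

    def __init__(self) -> None:
        self._secrets: dict = {}

    def get_password(self, service: str, username: str) -> Optional[str]:
        return self._secrets.get((service, username))

    def set_password(self, service: str, username: str, password: str) -> None:
        self._secrets[(service, username)] = password


def get_or_prompt_password(store, service: str, username: str,
                           prompt: Callable[[str], str] = getpass.getpass,
                           max_attempts: int = 3) -> str:
    """Return the credential from the store, or prompt for one and persist it.

    An empty answer is never stored as the password, and after max_attempts
    empty answers (or EOF on a headless box returning '') the caller gets a
    RuntimeError rather than an endless loop."""
    password = store.get_password(service, username)
    if password:
        return password
    for _ in range(max_attempts):
        candidate = prompt(f"{service} password for {username}: ")
        if candidate:
            store.set_password(service, username, candidate)
            return candidate
    raise RuntimeError(
        f"no credential for {service}/{username} in the keyring and none supplied")


def build_databases(store, prompt: Callable[[str], str] = getpass.getpass,
                    name: str = "schema_name", user: str = "administrator",
                    host: str = "db.example.invalid", port: str = "3306") -> dict:
    """Assemble Django's DATABASES setting with the password resolved from the
    keyring at import time, never as a literal in the settings file.
    Host and port here are constructed sample values."""
    return {
        "default": {
            "ENGINE": "django.db.backends.mysql",
            "NAME": name,
            "USER": user,
            "PASSWORD": get_or_prompt_password(store, name, user, prompt),
            "HOST": host,
            "PORT": port,
        }
    }


if __name__ == "__main__":
    # In a real settings.py (assumes the keyring package and a usable backend):
    #   import keyring
    #   DATABASES = build_databases(keyring)
    demo = InMemoryStore()
    settings = build_databases(demo, prompt=lambda _msg: "demo-only")
    print({k: ("***" if k == "PASSWORD" else v) for k, v in settings["default"].items()})
```

One operational caveat: the keyring is per user, so the first interactive run that seeds the secret must happen as the same account the application server runs under, and that account needs a working keyring backend on the host.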

John Markh

Security Challenges and Strategies with the Use of Mobile Devices

Recently, I have been reading about the security challenges many organizations are facing with regards to the use of mobile devices in their networks, and the various security strategies they can implement.  

Use of mobile devices for business is growing at an exponential rate. This also increases the need for wirelessly-accessible peripherals, and exposure to new mobile applications. This is forcing IT departments to reassess their entire mobile security strategy and architecture. 

As more mobile devices access the corporate network, the risk of data loss, leakage of valuable intellectual property, and exposure to vulnerabilities (viruses/malware) increases significantly.

So how do you plan a successful mobile security strategy?  Below are some points to consider:

  1. Determine your mobility requirements. Who are the mobile employees, and what IT resources do they need access to when they are mobile (e.g. corporate email, calendars/contacts, corporate applications, etc.)?
  2. Establish corporate rules that give the appropriate employees access to the necessary data and resources on their devices (crucial for productivity), and at the same time ensure that this data is restricted on the device and can be wiped when required (crucial for security).
  3. With the constant influx of new mobile devices and platforms on the market, it is very important to decide which devices and operating systems should be supported, based on the security capabilities of those platforms.
  4. Decide whether these devices will be owned by the company or whether employees will pay for their own devices (BYOD), taking privacy and legal implications into account.
  5. Define acceptable use policies and identify security control requirements (e.g. password complexity, encryption, application control).
  6. Identify additional technology requirements to enforce these security policies (e.g. MDM, DLP, encryption, authentication).
  7. Create a training and awareness program for employees, and ensure your support staff is prepared.

If you have any questions or require assistance in planning and designing your mobile security strategy, please contact your NCI rep today.

Ravish Shah

e-Health Ottawa 2013: Engaging Patients and Care Providers at both an Intellectual and Emotional Levels

The management style of many health care organizations in North America still falls into the traditional mold, and those organizations are quickly losing favour with patients and public healthcare systems.

Traditional health care organizations manage by "directives", delegate by "position", and make decisions following "line functions". If you are a manager in that kind of organization, you survive by keeping information to yourself and creating deep silos. The people in your organization who need information most—your front-line care providers—have to wait until vital information is pushed down to them at your discretion.

This is called "smart-push", because you have to be smart enough to know what information to push to whom in your organization. You have to know what your staff need to know at any time in any situation.

Are you "that smart"? Nobody can be. Therefore, holding on to information and hoping to push it when needed may give you a sense of power, but it sure doesn't empower your knowledge workers. In fact, you become a productivity bottleneck. Your care providers are turned off. Your patients are frustrated and afraid.

On the other hand, your organization can exercise its authority not by directives but by establishing winning conditions. Instead of delegating, your people can take charge autonomously. And decision making, instead of following a chain of command, can become everyone's job.

Everyone in this environment can post information as they generate it. No one needs to be "smart" and try to find out who might need their information and when. No need to be information smart: if you have information, just post it. Other knowledge workers will pull the information they want when they want it.

That's what we call "Post-Pull" and that's why it is so much more productive and engaging: your front line knowledge workers and your patients don't have to wait for a manager to push information to them: they can just access it as needed.

In the age of Facebook and Twitter, your patients—rightfully—expect to be able to find all the information they want, when they want it, especially when it pertains to their care or the care of their loved ones. Ditto for your front-line care providers. They should have the right to pull any information they feel will help them better serve their patients.

That's the difference between "smart-push" and "post-pull". Smart-Push actually dumbs down and brutalizes your knowledge workers. But Post-Pull engages your patients and care providers at both the intellectual and emotional levels.

Where would you like your mother to receive healthcare? An old-fashioned facility where vital information trickles down through stovepipe monopolies? Or a 21st-century healthcare delivery organization where everyone involved in the care of your mother—including your mother and your family—can access all the information they need to make fully informed decisions? Which one is more trustworthy?

Come and visit us at the e-Health Conference Ottawa 2013 on May 26-29. I will be presenting the highlights of the nine building blocks of an effective "Post-Pull" healthcare organization and show how they are currently being deployed throughout Ontario's South East LHIN region.

eHealth 2013 Abstract

SEND YOUR QUESTIONS AHEAD OF TIME

Read the abstract of my talk and email me your questions right now. I will give your emailed questions special attention during the presentation.

Mario Morel

Chief Architect, NCI

mmorel@nci.ca, http://ca.linkedin.com/in/mariomorel