Thursday, July 29, 2010

Wireless Technology Risks and Enterprise Security interview S. Garrett

Introduction

I recently had the pleasure of interviewing W. Steven Garrett, Chairman of SecurDigital©, who has over thirty-five years of exceptional business experience as a CEO and Chairman of both private and public companies.

Steven has been involved in directing leading-edge technology start-up companies by providing corporate strategic planning, systems organization, business continuity methods, designing incident management, orientation, executive marketing, and sales management, IT and physical security and efficiency development.

Steven also has a wide variety of knowledge and experience in developing franchising, manufacturing plants, marketing & sales organizations, internet solution providers, software developers, security, and e-business systems.

Steven's latest project, SecurDigital©, is a global leader in delivering system-level technology solutions to the advanced wireless markets, is focused on the globally accepted FIPS 140-2, level 2 validations, and will then begin the process for the NSA's Secret and Top Secret Certifications.

SecurDigital© produces SecurVoice© - the world's first totally secure and interoperable digital communication software only solution. It protects voice, data, and video from being intercepted or scanned - it is an unrecognizable digital transmission.

The interoperable capability of SecurVoice© allows global connection to all types of cell, satellite, walkie-talkie, and VOIP devices. SecurVoice© functions independently of operating systems, application platforms, devices, and is carrier independent, so it works with all existing legacy systems, and operates on top of the existing network carriers.

Analysis

Q: What do you feel is the single greatest threat to enterprise mobility systems today?

Identity Theft, 75% of our world has their infrastructure built on Cellular Towers providing communications for receiving pay and paying utility bills and purchases from auction sites, clothes, music, appliances, and electronics. Most Federal Governments depend on private Corporations to deliver national communications without regulating security.

Q: Mobile communication innovations have rapidly been adopted by businesses in the last five years. What kinds of vulnerabilities are companies facing that they may not be aware of?

The largest vulnerabilities are because the Smart Phone manufacturers do not build security, it is not their job; they leave that to the major Wireless carriers, which have not taken security as their responsibility.

That is the reason that a new industry has emerged over the last two years in the private sector. SecurDigital, along with 5 other "Secure Voice" providers, met by invitation with DISA (Defense Information Systems Agency) in a closed Roundtable discussion led by Peter J. Zarrella of DISA's CTO office.

It has been accepted as a new technology industry to secure all Communications, especially Digital Voice, Data, and Video. For $149.95, you can buy a software package from "Cell Spy" to enable your cell phone to listen to any other targeted smartphone. All forms of communications are vulnerable to theft and illegal misuse.

Q: With such variety available for devices, integration software, and enterprise networks, how can a business ensure they are not leaving themselves exposed to data loss from their communications systems?

Every communications device is a target: cellular, satellite phones, radio walkie-talkies (Law Enforcement) and all office phones using VoIP (Voice over IP). You may have all your contacts copied to another phone; anything stored in a smart phone today cannot, CANNOT be deleted. You may not see it but there is a (Ghost) copy built into your phone's PC board.

Q: How do SecurDigital©'s solutions work to mitigate communication systems risk?

I have been working with various types of security with my partner, Bruce Magown, within my group of leading edge security companies for 4-5 years.

The PGC Consortium was blueprinting one of the world's hardest above ground buildings in 2008. We held a large meeting at an old Air Strip and came to understand that we needed things that did not exist at the time.

We needed to provide cell, satellite, and VoIP communications to each floor of a 20 story building that gave each floor a Faraday cage (protection from eavesdropping or an EMP, electromagnetic pulse, attack).

We developed SecurVoice© to be Device, Operating System, and Carrier Independent while having extremely high and hard security during the operation of the smart phone. Much like Skype, except a much stronger and harder method of delivering security.

Q: How is SecurVoice© unique when compared with other commercial solutions?

SecurDigital© has used existing parts of software and designed a re-arrangement of software configurations to produce a common, yet hard architecture within Java and produced a small footprint of 38Kb that will be compliant tested with FIPS 140.2 validation, along with Secret and Top Secret Certifications during the coming year.

Q: Issues surrounding confidentiality and differing methods of electronic communication have yet to be fully addressed from a legal perspective, what kind of risk is a company assuming when using mobile systems to relay proprietary information?

We are seeing NEW HIPAA laws calling for secure communications for patients being remotely monitored, and to say that a Doctor giving a patient's information over an un-secured cell phone is not being compliant with Patient Privacy of information laws surprises most Medical Centers and they now realize the damage they may be doing with careless actions with cell phones.

We are discussing client privacy rights with a couple of DC law firms that now realize how easy it could be to scan a cellular conversation.

Q: What can a company do to ensure they do not mistakenly forfeit their right to confidentiality when using wireless communications?

Every person, Company, Organization or Agency must realize and accept responsibility that unless they take positive actions to secure their business communications of cellular and radio, that they may lose their most prized positions, clients, trade secrets, and methods of operation that made them the success that they are today.

Q: SMBs, education, local government, and smaller organizations have a tough time keeping pace with technology upgrades and are falling further behind in regards to security efforts. How do SecurDigital©'s services impact ever tightening IT budgets?

The switch from hardware security to software is a very green and cost saving event. We stop manufacturing metals and plastics and the implementation of more and more hardware to create interoperability.

In a National Guard Demonstration in Melbourne, FL at the Conference for the Global Center for Preparedness in 2008, we saw five trucks loaded with hardware used to create open communications with a central command center, but to have the ability to cross talk directly.

Our Government has been using a hardware device to secure the Blackberry communications for years and the cost of that hardware is $3,350.00 retail, while the cost of using SecurVoice© with that huge number of users will be only about $0.99 per month, and in time we see the pricing dropping to $0.49 per month when the carriers put on millions of users.

Q: Consumers face many of the same security issues as enterprise, is the SecurVoice© software available for noncommercial users?

SecurVoice© is available to sets of two users for only $19.95 per month and will be downloaded directly from our web site by December. Bruce Magown of InterWeave has constructed a back office for SecurDigital that will accept payment, issue a license, and then download the software directly to a laptop or phone, any type of phone instrument. We can audit and manage more than 250,000 licenses per day.

Q: Anything else you would like to add.

SecurDigital© is the product need for another solution of keeping people safe and secure during an event that could harm many people, either from man or Mother Nature. I have committed myself towards making a difference in life threatening emergencies to the human race.

I spent the morning of 9/11 watching a large screen TV with two friends that had been through the war in Vietnam. The correlation is the same for us now. Soldiers no longer wear uniforms; your next-door neighbor could be the one sending a Van loaded with explosives into the heart of New York City.

In my time of being self-educated in systems and methods of security, I found that you could never really be secure until you give up some privacy, which is the trade off. You make that decision.

Thank you for your consideration and well composed and thoughtfully contemplated questions, Anthony!

Conclusion

The Infosec Island community is extremely grateful at this opportunity to glean some of Steven's expertise and vast experience, and we appreciate his time and efforts!

Saturday, June 26, 2010

Police Warn of Smartphone Scanner Apps

During a city-wide sweep for gang members and drug dealers last week, the Oakland (Calif.) Police Department confiscated several cellular phones loaded with an application that could stream the department’s police radio system. The software app is one of several available for iPhones and other smartphones that stream public safety radio audio obtained from scanner radios via the Internet. OPD has not said if the apps were actually running on the smartphones, or if any suspects were able to avoid arrest from hearing police radio broadcasts. However, in a bulletin notice to officers, the department warned officers that criminals are able to monitor the city’s 800 MHz trunked radio system from smartphones, and to use caution when transmitting confidential information.


Article posted at Dispatch Magazine On-Line - http://www.911dispatch.com
Link to full story: http://www.911dispatch.com/2010/06/police-warn-of-smartphone-scanner-apps/

Thursday, April 15, 2010

Smartphones won't take off as true enterprise devices (beyond e-mail) until companies start investing in security.

I thought this article very relevant. If your mobile device is secure - enterprises won't be adopting.


Practical Analysis: Why There's No Enterprise 'App For That'

Smartphones won't take off as true enterprise devices (beyond e-mail) until companies start investing in security.

By Art Wittmann
InformationWeek
April 12, 2010 12:00 PM (From the April 12, 2010 issue)

A lot happens in two years, particularly in the world of smartphones and mobile applications, or at least it seems that way with all the noise about upgraded networks and fancier handsets. When we did our first survey on mobile device management two years ago, the iPhone 3G was barely out and the BlackBerry Curve was all the rage. Enterprise deployment of smartphones was in full swing: 56% of survey respondents had supplied smartphones to up to 25% of their employees, 27% had given them to 26% to 50% of employees, 11% had them out to 51% to 75%, and 6% had equipped every employee with smartphones. The vast majority of those devices were BlackBerrys, and they were used mainly for e-mail and calendar management.

Now two years later (full report to come later this summer), with widely available 3G networks, you'd think that the devices would be more widely used and that the applications would be richer and more varied. You'd be dead wrong. Within the accuracy of our survey, which is within five percentage points, the extent of deployment and the applications in use on smartphones are practically identical to what they were in 2008. E-mail is still the main use by a large margin, and whereas just 30% used a smartphone for job-specific applications in 2008, 31% now report such use. The fraction of employees with smartphones remains the same; they still use mostly BlackBerrys.

It could be that there's limited call for job-specific applications, and that over the past two years those applications have grown from rudimentary designs to more robust enterprise tools. But it seems highly unlikely that everyone who wanted to start down the mobile app path had done so before 2008.

So why do we see such stagnation? Device management is still a work in progress by any measure, even though it's clear that you see the need for it. Whereas in 2008, 52% of you said security was the reason to deploy mobile device management, that's now up to 73%, with the next highest response coming in at 10%. And therein lies the problem.

While the vast majority of you say that unmanaged devices are a security risk, 61% of those not implementing device management identify staffing resources as an issue, up from 46% in 2008; and 32% of you now see mobile device management as too expensive, up from 26%. Simply put, for many organizations IT budgets have been too tight over the past two years to allow them to tackle mobile device security, and until those issues are addressed, few shops are likely to step up their development or deployment of job-specific applications beyond e-mail and the basic productivity tools that come with the BlackBerry.

This is just one of many examples that have played out in our research recently. It's becoming clearer and clearer that through the depths of this recession, the lack of staff and money to do security right has (correctly) led many organizations to shelve projects that would otherwise be highly beneficial to the business. As the economy improves, however, those same organizations must understand that if the lack of security could stop key business initiatives, then its presence should now be seen just as much as an enabling technology. The days when the value of security was viewed as too difficult to quantify should be behind us.

Art Wittmann is director of InformationWeek Analytics, a portfolio of decision-support tools and analyst reports.

Tuesday, January 19, 2010

Smartphones need smart security practices

Yes, it's 'blue and plays music,' but that cute smartphone is also a serious computer that must be secured
By Mary Brandel
January 18, 2010 06:00 AM ET

Computerworld - As vice president of IT at Windsor Foods in Houston, Stephan Henze has to stay one step ahead of the latest IT trends. That's why he's spending a lot of time thinking about securing and deploying smartphones enterprisewide. The company had only a few-dozen smartphones just a short time ago, but IT now manages about 100 of them, and Henze foresees substantial growth in the near future.

The task of securing smartphones keeps getting hairier, Henze says, while the company's need for mobile communications grows stronger, even on the shop floor, where maintenance engineers will soon receive automatic SMS alerts on their phones.

He's not sure he can continue to enforce the company policy of supporting only Windows Mobile-based phones, yet nonstandard devices will complicate his security efforts. He is well aware that for some people, a smartphone is a fashion statement. "With PCs, I was able to tell them we're not a Mac environment, but I'm not sure I can do that with phones down the road," he says.

Henze is among a growing number of IT and security leaders grappling with the challenge of securing these increasingly popular devices. The primary concern, of course, is the risk of exposing sensitive data if a phone or removable memory card is lost or stolen. Data can also be exposed if a phone is sold or sent in for repairs without its memory first being erased.

There's also the risk that VPN-connected devices could expose corporate networks to hacker and malware intrusions. And there's a growing potential for viruses to attack the phones themselves through SMS hacks and other exploits. "If I take your device and muck around with it, what if the VPN is set up on it?" asks Philippe Winthrop, an analyst at consultancy Strategy Analytics Inc. "It's a huge risk not being dealt with enough today."

10 smartphone security risks

Here's a look at 10 common smartphone security risks, with tips for dealing with them from Gartner analyst John Girard:

1. No configuration management plan.
Tip: Responsibility for managing smartphones should be given to the same staffers who provision and manage PCs.

2. No power-on password, or a weak password policy.
Tip: Several vendors' device management consoles allow you to configure password complexity rules and password reset questions and answers.

3. No inactivity timeout/auto-lock.
Tip: Timeout policies should be enforced over the air through your device management console, so that the enterprise can maintain near-real-time control.

4. No auto-destruct/data-wiping plans.
Tip: Two methods should be used: over-the-air commands and locally initiated wipes. The latter should occur after a password has been entered incorrectly a certain number of times or when a device has been off the network for a predefined amount of time.

5. No memory encryption rules.
Tip: Major enterprise smartphone operating systems provide settings for enforcing encryption.

Complicating matters, users are apt to view smartphones as their own personal gadgets, not something IT should control. "There's a deep underlying current of 'This is my mobile device,' " says John Girard, an analyst at Gartner Inc. A user will often see his smartphone as something that's "blue and plays music," not as an asset that needs to be secured, he says.

Smartphones' multimedia capabilities raise other concerns, Girard says. For instance, company policy might prohibit moving corporate documents to external media, but is there a policy that governs using a smartphone to take photographs in the office or record meetings?

Many companies try to take control by purchasing standard phones for employees -- a move that at least enables them to support just a single operating system. But even then, users may adhere to the standard only loosely, says Paul DeBeasi, an analyst at Burton Group. "I see employees who have the company phone in their left pocket and their personal phone in their right," he says.

Indeed, in a recent study of 300 companies in the U.S. and Europe by Good Technology Inc., a vendor of mobile security and management tools, nearly 80% of the respondents reported an increase in the number of employees who wanted to bring their own devices into the workplace in the past six to 12 months, and 28% reported a data breach because of an unauthorized device.

To view the whole article, select this URL. http://www.computerworld.com/s/article/345297/Smartphones_Need_Smart_Security