Archive for June, 2009

Wireless (in)Security in Your Pocket

Verizon has launched the pocketable MiFi router. The MiFi 2200 has CDMA with EV-DO Rev. A. So you can roam around without a datacard as the only means for your laptop on the middle of nowhere. This credit card size access point can connect multiple devices such as your iPhone or a laptop. I havent bought a gadget in awhile, but this might be the one.

 mifi_full

Sitting on the plane for three hours in a delay might be more tolerable if you can get online. Not having to pay for TMobile hotspot access and not being tethered to your laptop, all great features. But what about the dangers?  Wireless security is a challenge here and it should be addressed sooner rather than later.

The wireless risks actually havent changed. But the reality is that if someone uses the MiFi to connect their IPhone rather than using the ATT network to browse, do you think they will think as much about security as if they used a laptop? Probably not.  Using portables to get online doesnt seem as dangerous as a laptop does it? People equate more “data” risk with a laptop, but most portable devices have tons of stored data, contacts, files etc. They are at risk and the education isnt there yet about these risks. Should you be running antivirus on your portable device? Should you have an iPhone Firewall application?

So what do you need to do? Well the steps are pretty much the same as for other wireless hotspot access points:

1) Require encrypted authentication

2) Change default username and passwords

3) Disable broadcast of the SSID

4) Enable logging and alerting

5) Have hostbased security tools such as antivirus, firewalls and intrusion detection on your portable devices if possible.

If you are so old fashioned that you dont have one of these in your pocket and you need a hotspot, try the HotSpot finder Jiwire, http://www.jiwire.com/  Here are some interesting Wifi hotspot stats from Jiwire

Top 10 Location Types

Rank Type Locations
1 Hotel / Resort 59,224
2 Cafe 39,310
3 Other 38,430
4 Restaurant 37,159
5 Public Space / Public Building 19,386
6 Store / Shopping Mall 16,063
7 Office Building 10,145
8 Pub 5,478
9 Hotzone 5,413
10 Airport 2,938

 

Gary Bahadur

baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Vanguard Security Conference – Supplier Security

I spoke yesterday at the Vanguard Security Conference (http://www.go2vanguard.com) Vanguard has been doing this conference for a number of years. The focus is on Mainframe security. Most security professionals these days have never worked on MF security. I am proud to say I have back in the mid-90’s. We perhaps I shouldnt be do happy, it was over a decade ago.

The point being, that there are so many areas of security out there that most of us will never touch yet there is a dire need for professionals. The conference was less attended, as are most conferences this year, but I found the folks here are REALLY interested in learning and excited about the classes.

My topic was on Supplier Risk Management processe. You are asking yourself, what is that? I asked myself that same question in coming up with some good processes to target Supplier security. We have to go way beyond a SAS70 if you want real security over the hundreds or thousands of vendors that a large company may work with.

The Problem:

  1. No framework for managing vendor risk
  2. Inconsistent processes for tracking vendors
  3. Lack of enforcement capabilities

The Opportunity:

  1. Provide practical steps to manage vendor access/management
  2. Provide cost effective solution for risk mitigation
  3. Provide numerical risk analysis of vendor/partner security issues
  4. Risk reduction or risk acceptance
  5. Documented exposure
  6. Iterative process for risk management
  7. Happy CIO

So a Supplier Security assessment follow 4 main steps:

  1. Analyze current vendor database, catageorize each
  2. determine risk of each supplier, determine threats posed by each supplier
  3. Perform assessment tests of each supplier, their processes of interaction, and data access
  4. develop risk mitigation plan, update processed, monitoring processes

Gary Bahadur

http://www.kraasecurity.com

http://blog.kraasecurity.com

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

*FREE Website Security Test

Medical prescription pharmacy online you can buy medicines.