Wednesday, October 29, 2014

NIST Provides a Balanced Approach to the Cloud

NIST has just published Volume I of its US Government Cloud Computing Technology Roadmap (SP 500-293), the federal government's guidance on how agencies should adopt and manage cloud computing.  It sets out ten high-priority requirements for cloud initiatives.  It is a well-balanced document that looks at security as well as the interests of the cloud service providers and the agencies and businesses that use them.  The requirements fall into the categories of accessibility, interoperability, performance, portability, and security technology.

The requirements push for setting the security bar high and for clear, consistent guidance on service agreements, good quality metrics and reliability.  In practice this is a roadmap: it lays out where cloud computing should go from the federal government's viewpoint rather than telling agencies how to build it.  NIST is an agency of the Department of Commerce, so it is focused on business interests as well as on protecting businesses.  At least three more publications and revisions of existing governance are in the works.

NIST seems to be one government agency that is actually helpful.



McKendrick, J. (2014, October 25). NIST puts a sharper point on cloud computing | ZDNet [Web log post]. Retrieved from http://www.zdnet.com/nist-puts-a-sharper-point-on-cloud-computing-7000034990/


National Institute of Standards and Technology. (2014). US Government Cloud Computing Technology Roadmap Volume I: High-Priority Requirements to Further USG Agency Cloud Computing Adoption. Retrieved from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.500-293.pdf

Wednesday, October 22, 2014

Finally! A Secure SmartPhone!

SGP Technologies' Blackphone, marketed as the first smartphone designed with security in mind ("secure by design"), started shipping in June this year.  As a smartphone it has the basic features any user would expect: 3G, GPS, Bluetooth, Wi-Fi 802.11 b/g/n, a camera and plenty of sensors.  Where it sets itself apart from the rest of the market is its security features.

At the heart of the phone is PrivateOS, a modified Android 4.4.  Unlike stock Android, all Google services are removed, and the standard applications (email, browser, cloud storage) are generic rather than Gmail, Chrome or Dropbox, so there are no bundled services gathering data on the user.  On top of that sit full-disk encryption, remote wipe, a VPN client and a suite of apps from Silent Circle, which makes encrypted communication apps for Android and iOS: Silent Phone, Silent Text and Silent Contacts.  These apps encrypt the data they store and the traffic they send.

The best feature is the Security Center.  After installing an application, each of the permissions you had to grant to install it can be disabled individually.  For a mapping application, for example, you can block access to your address book and phone identity while leaving location access on.  An app written on the assumption that every permission it asked for was granted may misbehave when one is withheld, so it is worth checking that it still works after you tighten it.

The price of all this security is that the phone doesn't come with an app store, because the app stores themselves are considered insecure.  Any app you sideload makes the phone less secure than it was out of the box.  One other gap is that the phone ships without any malware protection.

All in all, it's good to have a security-focused Android phone on the market.  The security comes at the cost of the convenience that all those insecure apps bring.  Maybe someday we will be able to keep our privacy and still enjoy the convenience of always being connected.  We just got a step closer!



Malenkovich, S. (2014, October 22). Blackphone review: is a secure smartphone possible? [Web log post]. Retrieved from Kaspersky Lab Daily Blog website: http://blog.kaspersky.com/blackphone-review/

SGP Technologies.  (2014).  Blackphone.  https://www.blackphone.ch/

Tuesday, October 14, 2014

Humans are the Weakest Link in Security


IBM has just released its 2014 Cyber Security Intelligence Index.  Much of it reads like the same old news: human error was a contributing factor in over 95% of the incidents IBM investigated, which is not really surprising.  Computers don't hate us and have no reason to steal personal information, trade secrets or credit card numbers; every attack has a person behind it, and most succeed through a person on the receiving end.  What I found surprising is that social engineering is still a preferred method for these malicious attacks.  Ohlhorst points out that the social engineering is getting more targeted:

IBM correctly identifies how social networking has impacted IT security and makes the point "Rather than seeing a particular enterprise as a single entity, attackers now also look at an enterprise as collections of individuals. That means they decide to target specific people instead of enterprise infrastructures or applications. In other words, the personal lives and business activities of employees can be leveraged to target an enterprise."
IBM also says the average security breach costs the company $3.5 million.  The index doesn't say what share of staff are the inadvertent actors attackers go after, but suppose it were 5%: have they been trained to recognize social engineering? My employer has about 2,000 people working in my building, so by that measure about 100 of them are likely to provide the access an attacker wants. Isn't it worth the time and effort for companies to take this threat seriously and train employees more thoroughly?


Ohlhorst, F. (2014, October 8). IBM says most security breaches are due to human error [Web log post]. Retrieved from TechRepublic website: http://www.techrepublic.com/article/ibm-says-most-security-breaches-are-due-to-human-error/

IBM. (2014).  2014 Cyber Security Intelligence Index.  http://www-935.ibm.com/services/us/en/it-services/security-services/2014-cyber-security-intelligence-index-infographic/

Tuesday, October 7, 2014

Microsoft needs to Stop Trying to Do Everything

The latest results from the independent antivirus test lab AV-Test Institute were released recently, and Microsoft System Center Endpoint Protection, the corporate version, came in dead last.  The home version, Microsoft Security Essentials, also performed poorly.

AV-Test Institute reported on 33 antivirus products: 9 corporate and 24 home.  Its testing process is comprehensive and uses 150 to 200 current real-world threats.  The products are scored in three categories:
Protection – effectiveness against current virus and malware threats
Performance – impact of the software on the speed of the computer
Usability – false positives (legitimate software or websites wrongly flagged)

Microsoft’s corporate version detected only 74% of the real-world threats, against an industry average of 96%; the home version did slightly better.  The software did well in the other two categories.  Every other vendor scored 96% or better.  With a sample of 150 to 200 threats, the gap between 74% and 96% is roughly 33 to 44 missed samples, which is hard to explain away as noise.  Microsoft should go back to what it does best – application software for servers and PCs.  Antivirus software is specialized, and it’s apparent they don’t do it well.



Kassner, M. (2014, October 6). Microsoft scores poorly in latest virus protection test for Windows 7 - TechRepublic [Web log post]. Retrieved from http://www.techrepublic.com/article/microsoft-scores-poorly-in-latest-virus-protection-test-for-windows-7.

Wednesday, October 1, 2014

Social Engineering - Train Your Users to be Secure!

After my last post about passwords, I thought I should address another common security problem: social engineering.  As a customer support computer professional, I regularly work with users who offer me their passwords so I can fix their computers.  I always try to impress on them that anyone authorized to fix their computer will already have the credentials (authorized access) to do so.  Maybe I need to take a different approach: fear.

I commonly hear users say that their access is so low that no one could possibly use their password to reach anything important.  That attitude is the problem.  If what they can access isn't important, why is it protected with a password at all?  Everyone needs to learn to think defensively about security.

In addition to all the hardware and software protections we put in place, we need to train our users to be suspicious and skeptical.  Patrick Lambert says we need to "drill into our users that they should regard all links and attachments with a high degree of skepticism" to reduce phishing.  We should also stress that there are few, if any, legitimate reasons to share login credentials; no administrator or help desk needs a user's password to do their job.  Educating users on how useful even small amounts of data are to an attacker should be reinforced at every opportunity.  Any time you can make them stop and think is a good thing.

Social engineering is still the easiest way for attackers to gain access to a network.  We need controls that protect our networks from our own innocent friendliness, but teaching suspicion goes a long way, because no control can protect against authorized access once it has been given away.
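The same red flags we ask users to look for can be checked mechanically before a message ever reaches them.  As an added illustration that is not part of the original post or of Lambert's article, the Python script below applies a few of them (a Reply-To that goes somewhere other than the From address, link text that shows one domain while the destination is another, a host that embeds a trusted domain name but is registered elsewhere, an attachment with an executable extension, and pressure language) to a constructed phishing message and a constructed benign one.  The trusted domain, the helper names and both sample messages are made up for the example.

```python
# Added example (not from the original post or from Lambert's article): a small
# phishing red-flag scanner. The trusted domain, helper names and both sample
# messages are constructed for illustration.
import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.com"}      # assumed: the organisation's own domain(s)
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".jar")
URGENCY_PHRASES = ("immediately", "within 24 hours",
                   "account will be suspended", "verify your password")
URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registered_domain(host):
    """Crude registrable-domain guess: the last two labels of the host name,
    so 'example-bank.com.secure-login.net' -> 'secure-login.net'."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_message(raw):
    """Return a list of red-flag strings for one RFC 822 message (empty if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags, links = [], []
    text_chunks = [str(msg.get("Subject", ""))]

    # 1. Reply-To pointing at a different domain than From: replies go elsewhere.
    from_domain = registered_domain(parseaddr(str(msg.get("From", "")))[1].split("@")[-1])
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = registered_domain(parseaddr(str(reply_to))[1].split("@")[-1])
        if reply_domain != from_domain:
            flags.append(f"reply-to mismatch: replies go to {reply_domain}, not {from_domain}")

    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":
            html = part.get_content()
            extractor = _LinkExtractor()
            extractor.feed(html)
            links.extend(extractor.links)
            text_chunks.append(re.sub(r"<[^>]+>", " ", html))
        elif ctype == "text/plain":
            text_chunks.append(part.get_content())
        # 2. Attachments whose name ends in an executable extension.
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            flags.append(f"risky attachment: {filename}")

    # 3. Link text that shows one domain while the href goes to another, and
    #    hosts that embed a trusted domain name but are registered elsewhere.
    for text, href in links:
        href_host = urlparse(href).hostname or ""
        if URL_LIKE.fullmatch(text):
            text_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registered_domain(text_host) != registered_domain(href_host):
                flags.append(f"link mismatch: text shows {text_host} but points to {href_host}")
        for trusted in TRUSTED_DOMAINS:
            if trusted in href_host and registered_domain(href_host) != trusted:
                flags.append(f"lookalike domain: {href_host} impersonates {trusted}")

    # 4. Pressure language in the subject or body.
    body = " ".join(text_chunks).lower()
    found = [p for p in URGENCY_PHRASES if p in body]
    if found:
        flags.append("urgency: " + ", ".join(found))
    return flags


# Constructed phishing message (not a real e-mail) that trips every check above.
SAMPLE_PHISH = """\
From: "Example Bank Security" <alerts@example-bank.com>
Reply-To: support@example-bank-verify.net
To: jane.doe@example-bank.com
Subject: Action required: verify your password within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your account will be suspended unless you confirm your details now.</p>
<p>Sign in at <a href="http://example-bank.com.secure-login.net/verify">https://www.example-bank.com/login</a></p>
</body></html>
--b1
Content-Type: application/octet-stream; name="statement.pdf.exe"
Content-Disposition: attachment; filename="statement.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: "Jane Doe" <jane.doe@example-bank.com>
To: john.smith@example-bank.com
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Are you free Thursday? The menu is at https://www.example-bank.com/cafeteria
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(name, check_message(sample) or ["no red flags"])
```

Running it prints five flags for the phishing sample and none for the benign one.  The checks are deliberately simple heuristics, not a replacement for a mail filter: the two-label domain guess is wrong for names like example.co.uk, and a message with none of these flags can still be a phish, which is exactly why the user behind the mailbox still has to be trained to stop and think.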




Lambert, P. (2014, September 26). Social engineering red flags and tips for training users [Web log post]. Retrieved from TechRepublic Blog website: http://www.techrepublic.com/blog/it-security/social-engineering-red-flags-and-tips-for-training-users/