Tuesday, January 31, 2012

2012 Trends in Social Business

In “Six Social Media Trends for 2012”, David Armano explores the evolution of social media into social business. “Social media,” says Armano, “continues to move forward towards business integration.”  According to Forrester’s Stephen Mann, the increasing ubiquity of mobile devices in enterprise environments is facilitating this trend. A joint Booz Allen/Buddy Media study found that 57% of businesses surveyed plan to increase social media spending. The study also showed that 38% of CEOs perceive social media as a high priority. These statistics point to increasingly mercantile applications of this mode of social expression, communication and bonding – social media is maturing as a business tool.

Below are two social business trends that offer attractive competitive and financial returns to attackers who focus on mobile devices.

Convergence Emergence
According to Armano, merchants are developing creative ways to integrate social media with their product/service offerings. He cites a 2011 Domino’s pizza marketing campaign that posted customer feedback from social media on an electronic ticker in Times Square as an example where virtual interactions were translated to real-world presentations.  This campaign led to a double-digit increase in sales and a refinement of their brand image.

The use of social media by merchants to promote the perception of their brand could be targeted by hacktivists with a social agenda, or by hackers with financial goals. Over the holidays, I witnessed demonstrators picketing a major pet product retailer and protesting their alleged mistreatment of animals. If hackers aligned themselves with these protesters, they could launch social media campaigns designed to influence the perception of that chain. This trend also has privacy implications for consumers.

The market penetration enabled by commercial convergence is enhanced by the increasing influx of personal devices into the enterprise.  According to Contos, “There will be more demand from both technical and business users wanting to bring their own devices, whether or not the company has authorized their use.”  As was the case with one of my clients, uncontrolled connections between the corporate network and personal devices may provide an internal attack surface to cyber miscreants.  Device management systems such as the McAfee Enterprise Mobility Management solution may help control the touch-points between these devices and organizational assets.

Gamification
“Game-like qualities,” says Armano, “are emerging within a number of social apps in your browser or mobile device.”  Businessweek’s Rachael King authored an article discussing the use of games to train employees and improve the quality and effectiveness of their work experiences. “The trend, known as gamification, lets businesses weave elements of games into applications that otherwise have little to do with playing,” writes King.

According to a Gartner study, the goals of gamification are to “achieve higher levels of engagement, change behaviors and stimulate innovation.”  This study highlighted the engagement drivers that impact the perspectives and choices made by the participants.  These drivers rely on a reliable feedback mechanism consistent with game rules that reflect the corporate mission.  Given the consumerization of IT, the application infrastructure that enables these games will support mobile devices.
The introduction of software applications to “gamify” business may lead to attacks targeting feedback mechanisms and the game rules. Imagine a worm that alters the rules of a training game or changes the way individuals are ranked. A more discreet attacker may design an application to gather information on the “gamified” business functions to inform a social engineering attack.  For example, the game activity and rankings of key staff could be used to customize phishing attacks that incorporate aspects of corporate games.

These trends are but a glimpse of the challenges that can only be tackled through hybrid solutions developed by business and technical professionals. My 2012 contributions to the @McAfeeBusiness feed and the Security Connected blog will explore the application of this strategy.

By Steven Fox

Friday, January 27, 2012

The Daunting Challenge Of Mobilizing Your Enterprise

Around the globe, IT strategists are starting to grapple with the rapidly emerging challenge of mobilizing their enterprises.


Call it the end of the PC era, call it what you will -- but the trends are undeniable.  People prefer a tailored mobile experience.

EMC's own IT group is no exception.

We need to quickly create broad capabilities to mobilize our workforce, our partners -- and, eventually -- our customers directly.

When EMC IT was investing in transforming to an ITaaS model, I enjoyed sharing with you the many rich experiences and learnings from our journey.

Well, we have the opportunity to do it again -- just on a different topic.  I think there will be much that we can share with all of you as we begin to tackle our own requirements.

Because, sooner or later, I think just about every enterprise IT team will have to face a similar challenge.

Big Picture

Mobile devices are all about convenience and ultimately productivity.

We saw it first with cell phones, then smart phones, and now tablets.
If you're thinking "cost savings", you're missing the point: within most enterprises, it starts with dramatically juicing the capabilities of your workforce.

Many business models are increasingly built around a strong cadre of knowledge workers who are frequently mobile -- sometimes predominantly so.

Make them more productive, and they deliver more value -- to customers, partners and their co-workers.

At a high level, it's sort of that simple.

But there's a consumer angle to this as well.  If you're doing business with a company, you're starting to demand a slick mobile experience for all your interactions with them.  It makes them easy to do business with.  And we all want to be easy to do business with :)

While there are plenty of B2C companies investing heavily in slick mobile experiences, in many cases there's the opportunity for convergence: one strategic approach for addressing both the needs of the enterprise worker, as well as the need to reach customers and partners in new ways.

I think the opportunity for many IT strategists will be to frame this "bigger picture" vs. creating dozens of standalone capabilities for each and every mobile use case that comes along.
Or that's the hope, anyway ...

What You Need To Know About EMC
You can't really evaluate our internal approach to enterprise mobilization unless you have some context around EMC as a company.  The strategy fits the need, or should.

First, let's start with the obvious: we compete successfully in a very fast-moving business.  Yes, we invest in great processes, but they're no substitute for really bright people -- as many of them as we can find.  Whether it's engineers, sales rep, customer service, business analyst, marketeer, partner rep, etc. -- we invest heavily in expertise and talent.

It's a fundamental part of our business model.

An important part of our organization spends a majority of their time outside the office: meeting directly with customers and partners.  As a company, we value face-to-face interaction -- and we do an awful lot of it across the organization.  We're global as well, with thriving and growing operations in many corners of the world.

Because we're an IT company, we tend to "get" what technology can do for our business.  We have no shortage of bright technologists and consultants either working for EMC, or in our extended ecosystem.

And we have plenty of great technology products at our disposal, with more coming every day.
We've recently completed a mind-wrenching IT transformation to an IT-as-a-service model, basically patterning our internal IT operations and processes around what a competitive service provider might do.  Because of this, we feel we have a distinct advantage in tackling enterprise mobilization as compared to if we were running a more traditional IT shop.

Our customers and partners tend to be a lot like us: fast-moving, technologically adept, and very comfortable with mobile experiences.

And, of course, we take security and compliance very seriously.  Very, very seriously.

The Vision Thing
I guess it all starts with some sort of vision statement, and here is ours.
The elements are pretty clear.

First, there's the notion of a "rich user experience".  We want to go far beyond simply using the web to get to apps, or presenting traditional desktops on mobile devices.

The user experience should ideally be *better* on a mobile device than elsewhere.  That implies a long list of things, which we'll get to later.

Security is there, but also the notion of "reliable".  Good network connectivity is not as pervasive as we'd all like, and probably won't be for the medium term.  So we need to consider user experiences that are productive and functional even if the connectivity isn't so great, or -- perhaps -- nonexistent.
The "anywhere, anytime" is rather self explanatory.  And, with a few caveats, so is the "user's choice of computing device".  While we want some flexibility in device choice, this also means that I can get similar great user experiences on my choice of laptop, for example.

Sounds easy, yes?

Use Cases And Scope
The team spent some productive time envisioning use cases across the enterprise, just to help everyone involved get the right frame of reference.

This particular slide struck me as particularly effective in communicating -- in narrative form -- just how powerful mobilization could be across our business.

The team also came up with two important "expansion axes" that we wanted to achieve over time.
The first vector was the expanding user base.  We'll of course start with our own employees, then move to our partners, and -- over time -- directly to our customers.  Thus, whatever strategic framework we come up with has to be easy to expand outwards from the more traditional employee use cases.

The second vector is perhaps ultimately more important -- and that's the degree of organizational impact.

Along these lines, the first phase is simply about extending the enterprise: making existing enterprise IT services and apps available on mobile devices -- with VDI and web apps being the classic example.

The second phase is around empowerment: allowing people to do new kinds of work on mobile devices that -- perhaps -- they weren't able to do on more traditional devices.

And, finally, transforming the enterprise.  We're all sort of signed up to the big notion that mobilization -- in its full instantiation -- is one of those transformative technologies that can change the very nature of your business.

What I really appreciate is the larger frame of reference.  Sure, we can't do everything at the outset, but the decisions we make along the way will be tested against this expanded vision and critically evaluated as to whether they support it, or not, as the case may be.

Guiding Principles
The team also hammered out a short set of guiding principles to help keep various workstreams on track.  Here are the ones we came up with -- perhaps you'll find them useful as well.
The user experience should be obvious -- anyone who's used an iPad app will instantly recognize this thought.

The stakeholder concept should be obvious, but sometimes gets lost in translation :)  The idea is to build what people want to use -- favor fast iteration and prototypes vs. classic waterfall approaches.  If there isn't a specific and articulate user in the discussion, don't proceed :)

The notion of mashable data services shouldn't be all that foreign.  And not all data will come from internal sources, either.

The team felt it important to call out exploitation of native device capabilities: touch screens, cameras, etc.  No lowest-common-denominator approaches, please.  I agree.

The tools discussion is fairly straightforward.

And, finally, there's no getting around that these devices will need to be managed and secured -- preferably without getting in the way of the rich user experience that's the original motivation for all of this.

The Notion Of "Mobility-As-A-Service"
Yes, I'm sure there will be the need to support pre-packaged mobile versions of enterprise applications.  Plenty of that out there, with more coming.  And as we look across the organization, there are obvious places where being able to support shrink-wrap enterprise mobile apps will be required.  But that won't be enough.

We continue to do a significant amount of application development across the EMC organization for our internal purposes.

IT does it, marketing does it, our services organization does it, finance and HR does it, manufacturing groups do it, our products groups are starting to do it, and so on.

As a result, we need the ability for application developers across the enterprise to build on a set of standard mobility services that speed their time to market yet give us a managed environment.
Finally -- and perhaps most importantly -- we need to teach our many formal and informal application developers a new skill set around creating useful mobile applications.  Just because we have a set of great mobile services and frameworks doesn't mean that everyone will know how to use them effectively at the outset.

The notion of "intelligent consumption" comes into play very quickly.

Initial Workstreams
With vision, strategy, guiding principles in hand, the next step for the IT team was to break the work into workstreams, and to get busy investigating the pieces.  Divide and conquer -- or, at least, attempt to :)

Here are the workstreams that were started in 2011.

One team started to investigate various use cases.  They looked at collaborative vs. transactional.  They looked at view-only content vs. revisable and reusable content.  They went across different parts of the organization, simply in an attempt to get a "feel" for all the potential use cases that were out there.
Another team broke off and started to think about the application development platform that could support all the different models we were envisioning.

The security team started to dive into authentication and DLP issues, and come up with some workable approaches.

A separate team went and started to investigate not only all the different potential devices, but the ones we'd be likely to see in the marketplace before too long.

One more team dug into various options around device and application management, and found some workable solutions.

Based on our experiences in ITaaS, we realized we had to have another team take a hard look at the operational model -- how would work get done behind the scenes?

The infrastructure team had to consider what impacts might be involved against EMC's private cloud capabilities.

And then, finally, we needed a team that could take all these inputs and come up with "the plan": a roadmap, phased delivery, budget, governance, and so forth.

I know, it sounds like a lot -- and that's the point.

When you're doing enterprise mobilization at scale -- and are expecting dramatic results -- these are the major components that have to be thought through prior to actually standing anything up.
Did we get it 100% right?  Time will tell -- but it's certainly a thorough and thoughtful approach.

Where To Start?
I think we internally realized that -- well -- we hadn't done anything like this before.
We weren't familiar with many of the newer technology components we'd selected, and we certainly weren't comfortable with the new operational processes we'd be using.

So the decision was made to pick a handful of low-risk, low-profile mobile use cases as an experience-gaining exercise.

For example, we tried our hand at rolling out a few home-grown applications -- such as a conference room finder.  Don't laugh -- figuring out what conference rooms are available and where they're located can be a frustrating experience at a large company like EMC.

Useful, but certainly not mission-critical.  Unless you're late to an important meeting, and don't know where the heck the conference room is :)

We implemented a pre-packaged mobile enterprise app that does travel and expense management (Concur).  And a few others along those lines.

We wanted to exercise the plumbing: prove we could provision, prove we could manage, prove we could publish apps with an internal app store, prove we could secure information -- and so on -- without either major investments or major risks.

Not everything went 100% perfect, but I guess that's the point.

Interesting Preliminary Observations
In our environment, many of the high-value applications involve associated content: maybe it's a training application, or videos, or perhaps a document repository, or something similar.  If you could get the content to the device *ahead* of time, the user experience was dramatically better.  Especially if network connectivity was poor :)

We quickly realized that we'd need some interesting and flexible mechanisms to (a) stage content into and out of mobile devices, (b) allow users to manage aggregate usage, as mobile storage tends to be rather finite, and (c) protect and secure sensitive information in containers on the device.  More on this later.

Another interesting observation was -- when we got it right -- there were no real issues around migration, training, compatibility, etc.  People found the apps, people consumed the apps, people liked the apps and that was that.  The lack of drama was notable.

A third interesting observation is that we found a lot of people throughout the organization that wanted to build their own personal apps, which were essentially mashups of the data they tended to use in their day-to-day environment.

At the time, we didn't really think of that requirement -- a set of self-service app building tools for power users -- but it's an interesting development.

The Road Ahead
Yes, we've just begun on our journey towards mobilizing our enterprise.  Good progress, but the real work lies ahead.

But I feel good that (a) we recognized the need, (b) did the necessary up-front strategy work, and (c) are now starting to make serious progress.

Personally, I think we can add a lot of value by packaging up our early experiences and learning, and making them freely available to our customers and partners who face similar challenges.
Maybe what we're doing can work for you.  Maybe not.  Either way, it's worth studying.
And -- trust me -- this won't be the last post on this subject :)

By Chuck Hollis

Thursday, January 26, 2012

Phishing Scammers Target Macs

On Christmas Day, 2011, Apple product users were targeted by a major phishing attack. The Mac Security Blog reported, “A vast phishing attack has broken out, beginning on or around Christmas day, with emails being sent with the subject ‘Apple update your Billing Information.’ These well-crafted emails could fool many new Apple users, especially those who may have found an iPhone, iPod or iMac under their Christmas tree, and set up accounts with the iTunes Store or the Mac App Store for the first time. The messages claim to come from appleidatiddotappledotcom.”

As in most phishing emails, the template and body of the message mimicked Apple’s logo, design, colors, and font. When users clicked links within the email, they were directed to a spoofed website that also had the same Apple feel. Once users entered their personal information, they might be thanked for “updating” their account, or simply wind up in the Internet abyss.

One way to determine whether an email is legitimate is to hover your cursor over any links and look at the text displayed. If a link isn’t something like http://store.apple.com or https://appleid.apple.com, it’s a fake.  To learn more about how to recognize a phishing attempt, watch this video from McAfee.

While I’m on the subject, however, I may as well mention that I don’t recommend clicking any links within emails, regardless of what the domain says. The safest way to determine whether your account needs updating is to log into your Apple account directly, at https://appleid.apple.com. If there is a problem, you will be notified via internal messages within your account. If not, assume the email is a phish and delete!
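The hover-over-the-link rule above can be applied mechanically to a whole message body. The script below is an added example, not code from McAfee or the original post: it pulls every anchor out of an HTML email, extracts the real destination host, and flags any link whose host is not apple.com or a subdomain of it (an assumed allowlist drawn from the two genuine URLs named above). It also catches two tricks a visual check can miss: a lookalike host such as appleid.apple.com.billing-update.example (the trusted name is only a prefix) and anchor text that shows one URL while the href points somewhere else. The sample email body is constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the post names store.apple.com and appleid.apple.com as
# genuine destinations, so anything under apple.com is treated as trusted here.
TRUSTED_DOMAINS = ("apple.com",)


class LinkExtractor(HTMLParser):
    """Collect (href, visible anchor text) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host part of a URL, lowercased; '' when there is none (e.g. a javascript: link)."""
    return (urlparse(url).hostname or "").lower().rstrip(".")


def host_is_trusted(url, trusted=TRUSTED_DOMAINS):
    """True only if the host equals a trusted domain or is a subdomain of it.
    A plain substring test would wrongly pass 'appleid.apple.com.evil.example'."""
    host = host_of(url)
    return any(host == d or host.endswith("." + d) for d in trusted)


def check_links(html, trusted=TRUSTED_DOMAINS):
    """Apply the hover-over-the-link rule to every anchor in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    report = []
    for href, text in parser.links:
        reasons = []
        if not host_is_trusted(href, trusted):
            reasons.append("destination host is not under a trusted domain")
        if urlparse(href).scheme != "https":
            reasons.append("destination is not https")
        # The visible text may itself look like a URL; compare it with the real target.
        if text.startswith(("http://", "https://")) and host_of(text) != host_of(href):
            reasons.append("visible URL differs from actual destination")
        report.append({"href": href, "text": text,
                       "verdict": "suspicious" if reasons else "ok",
                       "reasons": reasons})
    return report


# Constructed sample body, modelled on the 'update your Billing Information' lure.
SAMPLE_EMAIL = """
<p>Dear customer, please
<a href="http://appleid.apple.com.billing-update.example/login">update your Billing Information</a>.</p>
<p>Or go to <a href="http://203.0.113.5/apple/">https://appleid.apple.com</a></p>
<p>Genuine account management: <a href="https://appleid.apple.com/">Apple ID</a></p>
"""

if __name__ == "__main__":
    for entry in check_links(SAMPLE_EMAIL):
        print(entry["verdict"].upper(), entry["href"], "; ".join(entry["reasons"]))
```

Run against the sample, the first two links are reported as suspicious (lookalike host; visible URL not matching the real destination) and only the last one, which actually lands under apple.com over https, passes. The allowlist comparison is done on the parsed hostname rather than on the raw string so that user-info tricks such as http://apple.com@evil.example/ are resolved to the real host.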

And remember, just because you are using a Mac, it does not mean that you are safe from web threats, so make sure you stay educated on the latest threats, use comprehensive security software and be wary of things that sound too good to be true.

Wednesday, January 25, 2012

5 Digital New Year’s Resolutions For Parents

McAfee recently distributed a press release and the line that caught my eye was, “Now is the time for parents to model good behavior and etiquette.”  This wasn’t something you’d normally expect to see from a major security company, so intrigued, I read on.

Instruction in etiquette and good behavior is something we could all probably use a little more of. And when I read McAfee’s “5 New Year’s Resolutions,” I realized that even though I have young children, I ought to brush up on some digital etiquette myself. It’s not too late to do your resolutions or start news ones or just brush up on your online safety.

McAfee suggests that parents begin the New Year with resolutions that address their own behavior, so they can model best practices for kids and teens:
  1. When I’m with my children, I pledge not to spend more than 10% of the time on my phone or computer.
    Adults spend about 3.5 hours a day perusing the Internet or staring at their cell phone, according to estimates from eMarketer. This year, make a promise to give your full attention to your children, and develop a plan to limit your use of electronic devices.
  2. I will not communicate with my children via text when they are in the house.
    One downside of technology is that fewer people actually speak to one another. A Kaiser study found that children in grades 7-12 spend an average of 1.5 hours a day sending or receiving texts.
  3. I will not give my child access to an Internet browser on a smartphone or tablet that is not safe for them to use.
    It’s important for parents to shield children from cyber-danger by filtering explicit content on smartphones and tablets via applications such as McAfee Family Protection or McAfee Safe Eyes software. This software can prevent children from establishing or accessing social networking accounts, limit Internet use, and block inappropriate websites or messenger chats.
  4. I will be prepared to have a “texting intervention” if my teen’s thumbs begin to look like tiny body-builders.
    Texting may be a quick and easy way to interact with others, but the impersonal nature of the communication and frequency of use can cause problems.
  5. I will have “the talk” with my kids, to discuss what they are doing and with whom they are connecting online.
    Children often lack an understanding of online dangers, or they may lack the maturity to make appropriate decisions.
By modeling good behavior and ensuring that children’s experiences on Internet-connected devices are safe and healthy ones, parents can ensure a 2012 that is free of digital drama.

By Robert Siciliano

Tuesday, January 24, 2012

What’s Your Medical Data Worth? More Than You Think

Two weeks ago, I discussed the difficulties of obtaining relevant data regarding medical identity theft.
I started my research in this field after I read some old stories on the Internet:
  • Lind Weaver refused to pay hospital bills she received for the amputation of her right foot. It was in 2006, but the story still makes the headlines in 2011.
  • Joe Ryan got a bill from a Denver, Colorado, hospital for a surgery. It was in 2004, but everybody talks about it today.
  • The Virginia Prescription Monitoring Program welcome page was replaced in April 2009, with a US$10 million ransom demand.
  • The Indian police arrested, in November 2009, the director of a business process outsourcing company for his involvement in stealing medical history data of a UK-based entity.
Finally, I visited the Datalossdb website, which is a great source of information.
For the year 2011 and the beginning of 2012, I searched for incidents where data types referred to “medical data” and the source excluded “Inside Accidental.” I obtained 176 rows. A quick analysis shows:
  • 97 cases were related to the theft of documents or equipment (desktop, laptop, drive, tape, USB key, etc.)
  • 21 cases were related to an inappropriate disposal of documents (dumpster, email error, recycling bin, etc.)
  • 14 cases were related to a loss of documents or equipment
  • 16 were unknown
I also found these incidents:
  • 14 hacks (computer-based intrusion, data not generally publicly exposed)
  • 10 fraud or SE (fraud or scam–usually insider-related or via social engineering)
  • 3 virus (exposure to personal information via virus or Trojan, for example, a keystroke logger, possibly classified as hack)
  • 1 web (computer/web-based intrusion, data typically available to the general public via search engines, public pages, etc.)
Although it is easy to find prices on the black market for personal data that can lead to the theft of funds, or for forged driver’s licenses or passports, I was unable to find any reliable prices for stolen medical records. At the Digital Health Conference held on December 1, 2011, in New York City, a panel claimed that such records were worth US$50, much more than other personal identity data such as Social Security numbers or credit card information.

In a January 2007 interview with Pam Dixon, then executive director of the World Privacy Forum, she said, “Our research found that there is a huge black market for medical records. Police tell us such records go for $50 each on the street, compared to Social Security numbers that go for a dollar or two.”
I also found a price connected with the November 2009 case in India. It was said that the suspect sold data–for UK£4 per record–to an accomplice who marketed the private records in Internet chat rooms.

By Francois Paget

Monday, January 23, 2012

Cross-Device Security Means “All Access”

You may have a laptop, desktop, netbook, notebook, Ultrabook, tablet, Mac, or mobile phone. You might be single, married, or have ten kids. Either way, you probably have at least one, if not six or more, devices requiring comprehensive security. My family of four has 12 devices, all of which I do my best to lock down like the digital equivalent of Fort Knox.

In order to manage multiple devices “cross-platform,” wherein one device may run Mac OS X while another runs Windows, while your phone is completely different, you need a security solution that is comprehensive, affordable, and straightforward.

PC Magazine selected McAfee All Access for its Editors’ Choice Award, scoring the product with 4.5 stars out of 5 and praising the thoroughness of the protection offered, for any and all devices an individual or a household might own.

In contrast to traditional consumer security products that only offer per-device subscriptions, McAfee All Access is the first solution that uniquely protects all of the PCs, Macs, smartphones, and tablets owned by an individual or household. By providing consumers with a simple, cost-effective means to holistically safeguard all of their devices, McAfee All Access also represents a fundamental shift in the way consumers think about security.

McAfee All Access users can download, activate and manage essential protections from a central console, enabling them to safeguard personal data, defend against malware, and protect kids as they browse online by allowing parents to filter inappropriate content, including YouTube videos and explicit music lyrics, and monitor the use of social media.

By: Robert Siciliano

Friday, January 20, 2012

The Day After the Year in Mobile Malware?

2011 has seen some dramatic changes in the mobile landscape, with the ever-increasing growth rates in consumer adoption of smart phones. This has not gone on without getting the attention of the criminal fraternity, which has turned its attention to mobile malware. But what remains to be seen is if this trend moves beyond the stage of testing the waters to actually making a significant impact, reaching the scales we associate with threats for Windows. If the activities of the past week are any indicator, then 2012 is off to an interesting start. Another scam has come to our attention, this time targeting Android users in France, attempting to exploit the frenzy surrounding Carrier IQ.

From our analysis, Android.Qicsomos is a modified version of an open source project meant to detect Carrier IQ on a device, with additional code to dial a premium SMS number. On installation, the app appears in the device menu with an icon similar to the logo of a major European telecom operator. This, together with the fact that we cannot find any trace of it on the Android Market, leads us to believe that a social engineering vector is being used to spread the malware, such as a spam or phishing campaign pretending to be from an official carrier and asking users to download and run the software.


The malicious code goes to work when the user presses the button marked ‘Désinstaller’ from within the app. Once pressed, four SMS messages are sent to 81168—a premium-rate number. The Trojan follows up by executing an uninstall routine to remove the app.

A safe removal method is to uninstall the app through the Settings entry in the main menu rather than from within the app itself.

In an additional twist, it appears the apps were signed with a certificate published as part of the Android Open Source Project (AOSP). The signing of an app with a publicly known certificate would allow an installation without having to go through the regular permissions notification screen on devices built with those keys. This shouldn't affect commercial devices used by most consumers (where the keys are kept private by the manufacturer), but might trick certain older, custom mods which reused these published keys.

With all the bold predictions being made about the state of the mobile threat landscape in 2012, one can be forgiven for being a little skeptical about their significance. But to any skeptics out there, I can assure you some concerns, such as this threat, are not without merit.

By Irfan Asrar

Thursday, January 19, 2012

More fraudware headaches for the Android Marketplace

Contributors: Conor Murray, Paul Mangan.
The appearance of fraudulent apps on the official Android marketplace is an ongoing issue and one that we have blogged about in the past.  Today we received reports of yet more fraudulent apps capitalizing on popular game titles and masquerading as these games. In this case, the apps are published under the name "Stevens Creek Software".

During installation of the fraudulent app, only one permission request is made, for full Internet access. In the past, we have seen fraudulent apps asking for numerous unnecessary permissions during installation, which may alert the user to the risks involved in installing the app. With just one permission requested by this fraudware during installation, it may seem less of a risk to potential victims. Once installed on the device, the app opens and brings you to a splash screen related to the installed fake app, which asks you to finish the installation process by clicking on the button as seen below.

If a user clicks on the button, their Internet browser is opened and they are redirected several times until they arrive at a website advertising an online income solution.

Symantec has added detection for these fraudulent apps as Android.Steek. Google has also been notified in relation to their presence on the Android marketplace.  A tip to try to help in avoiding fraudulent apps is to check if the publisher of the paid and free versions is the same.
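The two posts above make complementary points about permission-based triage: Android.Qicsomos needed SEND_SMS to bill the victim through a hard-coded short code, while Android.Steek asked for nothing but INTERNET and still redirected users to a scam site. The script below is an added example, not Symantec's own tooling: it reads a decoded AndroidManifest.xml (the text form that apktool produces; the manifest inside an APK is binary XML and must be decoded first, which is assumed here), lists the requested permissions, flags the ones that cost the user money or leak data, correlates SEND_SMS with string literals that look like SMS short codes, and explicitly refuses to treat a minimal permission set as an all-clear. Both manifests and the source string are constructed to mirror the two cases; the weights and the list of costly permissions are this example's own choices.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Permissions that let an app cost the user money or harvest data (example's own list).
COSTLY = {
    "android.permission.SEND_SMS": "can send premium-rate SMS without further prompts",
    "android.permission.CALL_PHONE": "can place calls, including to premium numbers",
    "android.permission.RECEIVE_SMS": "can read incoming SMS such as confirmation codes",
    "android.permission.READ_CONTACTS": "can harvest the address book",
}

# Quoted numeric literals of 4 to 6 digits are the usual shape of SMS short codes.
SHORT_CODE = re.compile(r'"(\d{4,6})"')


def permissions_of(manifest_xml):
    """Sorted list of <uses-permission android:name=...> values in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    return sorted(e.get(NAME_ATTR) for e in root.iter("uses-permission") if e.get(NAME_ATTR))


def triage(manifest_xml, source_strings=""):
    """Return permissions, human-readable findings and a coarse risk label."""
    perms = permissions_of(manifest_xml)
    findings = [p + ": " + COSTLY[p] for p in perms if p in COSTLY]
    codes = sorted(set(SHORT_CODE.findall(source_strings)))
    if "android.permission.SEND_SMS" in perms and codes:
        findings.append("SEND_SMS combined with hard-coded short code(s): " + ", ".join(codes))
    if perms == ["android.permission.INTERNET"]:
        # Few permissions is not a clean bill of health: the app can still open the
        # browser on an arbitrary site, which is exactly what the fraudware above does.
        findings.append("only INTERNET requested: low footprint, but browser redirection is still possible")
    if any(p in COSTLY for p in perms):
        risk = "high"
    elif perms == ["android.permission.INTERNET"]:
        risk = "review"
    else:
        risk = "low"
    return {"permissions": perms, "findings": findings, "risk": risk}


# Constructed manifest mirroring the premium-SMS Trojan described in the Qicsomos post.
QICSOMOS_LIKE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.ciqcheck">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application android:label="CIQ Check"/>
</manifest>"""

# Constructed decompiled fragment; 81168 is the premium number quoted in the post.
QICSOMOS_LIKE_STRINGS = '''
for (int i = 0; i < 4; i++) {
    sms.sendTextMessage("81168", null, "STOP", null, null);
}
'''

# Constructed manifest mirroring the single-permission fraudware in the Steek post.
STEEK_LIKE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Fake Game"/>
</manifest>"""

if __name__ == "__main__":
    for label, manifest, strings in (("qicsomos-like", QICSOMOS_LIKE_MANIFEST, QICSOMOS_LIKE_STRINGS),
                                     ("steek-like", STEEK_LIKE_MANIFEST, "")):
        result = triage(manifest, strings)
        print(label, result["risk"], result["permissions"])
        for line in result["findings"]:
            print("  -", line)
```

The first sample is rated high because SEND_SMS is present and a short code sits in the code next to it; the second is rated review rather than low, which is the point of the Steek case: a single INTERNET permission tells you nothing about where the app will send the user. On a real APK the manifest is obtained with apktool (or an equivalent decoder) before being fed to this script.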

By Peter Coogan

Wednesday, January 18, 2012

2012 Resolution: A Healthy Computer!

I recently went in for my yearly check-up. It got me thinking… what are the things I can do to keep my computer and my identity healthy?

You know your computer is overdue for some major servicing when you’ve been meaning to back up all those photos and all the music you’ve got saved on your hard drive, right? Chances are you will get hacked or download a virus when you are rushing and not paying attention while clicking on links. When was the last time you changed your passwords for your banking website or any other site that keeps your financial information on file?

Here is a 2012 resolution for your consideration: Take a few small steps that will save you big headaches later. Here are a few tips to get you started towards technology health:

1. Check your security suite: Make sure it is up to date and set to update automatically. This will protect you from the latest viruses.

2. Check your Operating System: Make sure it is up to date and has the latest security patches. (Start > Control Panel > Security Center)

3. Run a backup: Whether you use an online backup service or a removable hard drive, back up your system. This should be done regularly, so make a plan for this. Purchase an external hard drive or use an online service. If you use McAfee Total Protection, 2GB of online backup are included.

4. Change your passwords: Still using the same password for everything? Time to start using something other than “password1234”. Here are some tips for better passwords.

5. Do you have kids and need to set up filtering software? It is easier than you think!

Finally, do you have multiple devices that need protection? Perhaps you are not sure what you need or which devices should be protected? Try McAfee All Access. I love this product. It is simple to set up and makes it easy to keep all my devices protected.

These are a few basic steps to keep your technology sound in 2012!

Stay safe out there!


By Tracy Mooney

Tuesday, January 17, 2012

Safe Banking On Your Mobile Device

Mobile banking has experienced rapid growth over the last three years; in the U.S., usage more than doubled from 5% of online adults in 2007 to 12% by June 2010. Furthermore, Forrester predicts that one in five–or 50 million–U.S. adults will be using mobile banking by 2015.

However, identity theft is a major concern and studies show that many Americans are still uncomfortable with mobile banking, citing security as a top concern. In fact, 35% of US online adults said that they do not use their device to do banking for this reason.

Responding to these concerns, banks have been working to improve mobile security by offering a consistent sign-on experience for both their online and mobile channels, including multi-factor authentication programs for mobile.

While banks are trying to do their part, users have to take additional steps to make sure that their mobile data is protected. Consumer Reports estimates that almost 30% of Americans that use their phones for banking, accessing medical records, and storing other sensitive data, do not take precautions to secure their phones.

So, here are some tips for mobile bankers of all ages to keep you safe while banking on the go:
  • Connect to your bank’s mobile site or app securely by making sure that your wireless network is secure. Never send sensitive information over an unsecured wireless network, such as in a hotel or café.
  • Download your bank’s mobile application, so you can be sure you are visiting the real bank every time, not a copycat site.
  • Configure your device to auto-lock after a period of time.
  • Don’t store data you can’t afford to lose on an insecure device.
  • Use mobile security protection like McAfee Mobile Security™ that offers layers of protection including: antitheft, antivirus, antispyware, antiphishing and app protection.
By Robert Siciliano 

Robert Siciliano is an Online Security Evangelist to McAfee. See him discuss mobile phone spyware on Good Morning America. (Disclosures)



Monday, January 16, 2012

Gift Shopping Scams

As you continue to shop for birthday presents and plan for holiday gifts during the year, here’s something that I learned about finding the hot “it” gift for your child. This year my youngest had her little heart set on a brand new LeapPad. The only problem was that this was the hottest gift of the year and they were selling before they even hit the shelves!

So I did what any cyber-savvy mom would do: I scoured the Internet for any store that might happen to have a Pink LeapPad in stock. I found a website, Cherishyourbaby.com, that had the prized toy listed for $71 – not the $99 MSRP. That price was way below the $200+ I was seeing it sell for on eBay!
Before I got too excited, I began to look at the website. On the page in the upper corner it clearly stated that they had a money back guarantee.  I decided to see if I could find some contact information. I couldn’t find so much as an email address. The first red flag went up!

As I looked at the page, I noticed links to other hot games and toys. World of Warcraft? Halo? Those aren’t baby toys. I hightailed it out of there. Better to be safe than sorry when it comes to my credit card information!

Every year there is some “It” toy or game that all the kids want. Some parents are willing to pay big bucks to get that toy under the tree. One year my hubby was willing to sleep outside in the Chicago winter to put the brand new Wii under our tree! Some savvy folks buy those games up early, in the hopes of cashing in later by selling them online.

Criminals, however, start advertising on rogue websites, posting on social networks, anything to drive traffic to their site, which claims to have the hot toy in abundance! You quickly make the purchase and excitedly await a box to arrive in the mail. Unfortunately, no box arrives and your credit card number is now in the hands of a criminal.

Follow my lead and these tips when you shop online:

1. Shop only from well-known websites.

2. Make sure that you check out return policies and contact information before you type in your credit card info.

3. Look for a Trustmark, such as the McAfee Trustmark, when shopping online.

4. Don’t let emotion override your sensibility – check out a website thoroughly before you buy. Google the name and look for reviews.

Remember that although you can find good deals online, if a deal seems too good to be true, it probably is.  For more tips for shopping online, see this post.

Stay safe out there!

By Tracy Mooney

Friday, January 13, 2012

Beware of Malicious Mobile Apps

Criminal hackers are targeting mobile phones in record numbers, and one increasingly popular technique is to corrupt legitimate applications. Approximately 200 of these maliciously modified apps have been discovered thus far.

The amount of malware targeted at Android devices has jumped nearly 37% since last quarter, which made 2011 the busiest in mobile and general malware history.  Nearly all new mobile malware in Q3 was targeted at Android’s operating system.

Here are five easy steps device users can take to secure their own devices:
  1. Be aware. For the moment, relatively few instances of smartphone malware have been detected compared to malware targeting desktop or laptop PCs, but awareness of the threat is a crucial first step toward protecting yourself and your data.
  2. Research applications and their publishers thoroughly. Check the application’s user ratings. It is safer to install applications that are broadly used, or have been recommended by your circle of friends.
  3. It is wise to purchase applications from a reputable, well-known market. One way for Android users to avoid installation of non-market applications is to deselect the “Unknown Sources” option in their device’s application settings menu. If that option is unavailable, your mobile provider has already automatically blocked applications from unknown sources.
  4. Watch the permissions. When you install an app, you’ll see a list of permissions for services that are granted access to the hardware and software components on your device, like contacts, camera and location. If something in the permissions screen doesn’t look right, don’t install that app! For example, a game or alarm clock app probably shouldn’t need to access your contacts or have the ability to transmit that data from your device. And if you don’t feel comfortable or are unsure about what data the app is accessing, it’s best not to install it.
  5. Install antivirus software on your phone. When setting up a new mobile device, it is a good idea to install an antivirus program before adding any other apps.


When it comes to the complex world of mobile threats, your best defense is security software that offers several layers of protection, such as McAfee Mobile Security™ for Android smartphones and tablets as well as BlackBerry and Symbian smartphones. McAfee Mobile Security offers:

Complete antivirus, antispyware, and antiphishing—Scan and clean malicious code from inbound or outbound emails, text messages, attachments, and files.

Safe searching and shopping—Protection against web threats such as risky links within text messages, email, and social networking sites, as well as browser exploits and malicious QR codes.

App protection with app alert—Review a report on your app’s access to your personal data so you can make informed decisions about each app.

Device lock—Protect against misuse of your phone and personal data by remotely locking all data, including the data on your memory (SIM) card.

Remotely wipe data—Protect your privacy by remotely deleting the data on your phone and removable memory card.

Backup and restore data—Preserve irreplaceable personal information on demand, on a schedule, or before you wipe your missing smartphone; then restore your information to your new device.

Locate and track—Recover your smartphone if it is lost or stolen. View its location on a map, send an SMS to prompt its return, and use a remote alarm to make it “scream.”

Bad Mobile Apps

Thursday, January 12, 2012

Over the years, you've probably learned that you don't talk about politics or religion at social gatherings.

If you're in the IT industry, you'd probably add "cloud" to the list of topics you approach with some caution, especially in larger settings.

I've often wondered what is it -- exactly -- that makes cloud such a divisive discussion?
We've been collectively hacking away at the cloud debate for many years now, and -- although there's been some progress in a few areas -- we're nowhere near anything that approaches an industry consensus.

James Urquhart does an admirable job of tackling this thought in his recent post "Why It's So Hard To Talk About Cloud", but -- after reading it -- I think there's something deeper going on: the incredibly wide swath of stakeholders inevitably leads to an incredibly wide range of divergent perspectives.
For those who are waiting for the debates to subside and a reasonable common ground to emerge, don't hold your breath: there's far too much at stake for all involved.  Smart IT leaders will have to do what all leaders usually end up doing: listening to all the perspectives, and deciding their own path forward in the face of rampant and bitter industry arguments.

And, since the potential benefits of cloud concepts are very great indeed, there's a strong incentive to plan a course of action sooner than later.

Where You Stand Depends On Where You Sit
As with any heated discussion, your personal perspectives have a lot to do with your particular vested interests.  And, since cloud concepts cut across such an enormous swath of said vested interests, there are many perspectives indeed to consider.

I see people inevitably get dragged into pointless arguments around who's "right" and who's "wrong".  As is the case with politics or religion, there are very few universal truths.
The most successful leaders will acknowledge the different perspectives, and chart a path forward that respects diversity of opinion without being enslaved by it.

The Business User Perspective
If you're a business user of IT, you often wonder what could be so darned hard about delivering competitive and easy-to-use IT services.  Heck, we live in a world of smartphones and iPads and Google and SalesForce.com and Dropbox and all manner of easy-to-use IT environments.
What's the big problem?

You say the word "phone" and everyone thinks about small, easy-to-use devices that dramatically improve productivity.

But behind that "phone" is a wonderfully complicated and sophisticated set of network services that didn't spring into existence overnight.  The people in the telecommunications industry have one perspective -- but the people who buy and use their services have a decidedly different one.
To the extent that the people providing the service can adopt the perspective of the people using the service, they win.

And that's only one of the major seismic faults in the cloud discussion: the complete divergence of perspective between the people providing the IT service (the enterprise IT group) and the people using the services.  The people providing the service often get frustrated because the people consuming the service have no idea how complicated and difficult this all is.  And the people consuming the service point to other examples and wonder what could possibly be so darn difficult?
I did what I could to dive into an approach to bridging this particular schism with "Why IT Organizations Will Invest In Marketing".

The Business Leader Perspective
Business leaders tend to be singularly focused on making their businesses more successful.  They tend to be good at it :)

When it comes to IT services, it's an increasingly important input into the business equation: much like labor or capital.

Like any other business input, you want the perfect trifecta of relatively low costs, high quality and exceptional agility.  And, more than likely, you -- as a business person -- are willing to invest to get that outcome if you believe the team can deliver.

From a business leader's perspective, the interest in all things cloud is clear: is there a potentially better way to do IT?  One that my existing team might not be 100% comfortable with? 

If you're an experienced business leader, you're quite familiar with the phenomenon of encountering and evaluating "potentially better ways of doing things".  You've done it for a few decades, maybe more.  And, as a result, you've seen just about every part of your business operation transformed over time with new thinking and new approaches.

IT is certainly no exception.
You have probably come to realize that corporate functions can often become entrenched and disconnected through no fault of the good people who work there.  You suspect that the IT team might need a nudge or two to start pursuing a new line of thinking.  And you -- as a business executive -- are more than willing to supply that encouragement.

If you've ever been on the receiving end of one of these executive "nudges", it can be pretty uncomfortable indeed.  The natural human reaction is to assume a defensive stance: the technology isn't ready, there are security concerns, there are no industry standards, etc. etc.  While all of these are reasonable statements, the experienced business executive has seen defensive reactions before, and knows how to continue to press forward.

This is a version of the "irresistible force meets immovable object" logical paradox we're all familiar with.  Sometimes the immovable object wins; sometimes the irresistible force wins.  Again, I've done what I could to explore this thought in my post "Learning To Compete" -- which, after all, is what most businesses really want at the end of the day.

The IT Vendor Perspective
If you sell IT products and services for a living, you have to learn to thrive in an incredibly competitive business.  Industry transitions tend to come through hard and fast, and you don't want to miss a big one.  If you see a big wave coming, you start paddling for the wave, and perhaps figure out later exactly how you're going to ride that wave.

Cloud is one of those big waves: perhaps the biggest one we've seen in a very long time.
Even if you haven't 100% figured out what it all might mean to you as a vendor, you are immediately focused on (a) making yourself an integral part of the discussion, and (b) discrediting all others who are doing the same.

If you've been watching the Republican presidential debates in the US, you'll notice the similarities.
This intense jockeying can lead to some fairly outrageous and unproductive claims and counterclaims in the industry discussion, not to mention some rather extreme positions.

The term "cloudwashing" is too mild; perhaps "cloud campaigning" is more accurate.
If you've followed a campaign season from beginning to end, you'll notice that the discussion gets more narrow and focused as time progresses.

When it comes to the cloud campaign season, we're seeing that same narrowing starting to occur, but we're nowhere near a clear two-candidate choice.

Think about it: if every vendor is saying essentially the same thing, how do they differentiate and compete?  So we have yet another important source of continuing divisiveness with regards to cloud: the inevitable tendency of vendors to jockey for position.

The good news?  Many of the early primary candidates have essentially dropped out of the race, simply because they don't bring enough to the table to be relevant enough.

The IT Organizational Perspective(s)
Most IT organizations are not homogeneous entities; many appear to be collections of technology tribes that happen to be working at the same company at the same time.
The infrastructure guys have their guild, the application team has their guild, the security people, the network people, the operations staff, and so on.

In larger settings, you'll find "guilds within guilds" -- clear lines of divergent opinion, often within the same functional teams.

In an ideal world, IT professionals would prefer to orient around the needs of their company vs. preserving and enhancing the influence of their guild, but we don't live in a perfect world, do we?  I have been in many, many situations where different IT stakeholders are arguing about cloud concepts between themselves, and -- yes -- there's a clear tendency to jockey for position in the new world order.
I remember a few situations where the storage guys were getting into it, and turned to me for a lifeline to support their case.  Sorry, guys, I don't see it that way -- at least, not the way you're seeing it.

In my world, cloud is all about enabling IT groups to deliver competitive and attractive services that are easy to consume -- whether those services are built or brokered.  The technology guilds are still important, but they have to come together in a better model that's oriented around service delivery vs. isolated components.  Put differently: you're still important, but in a different way.  Learn and apply the new concepts, and you'll be more valuable than ever before.

So, when it comes to a cloud discussion within an IT organizational setting, we have two important sources of friction.  One is the squabbling and jockeying between the traditional technology disciplines, and a second source is the discomfort that inevitably occurs when your role is evolving faster than you are :)

The good news: there are now clear educational pathways for ambitious IT professionals to take their broad backgrounds and experiences to the next level.  I shared one set of offers from EMC in "Cloud And The Act Of Being Selfish".

The IT Leader's Perspective
Many senior IT leaders tend to be rather quiet when it comes to cloud.  They know something important is happening in the industry, and they're carefully evaluating their options.
Yes, there are a handful of IT leaders who have plunged in, successfully managed the transformation, and are now quite justifiably proud of what they and their teams have achieved -- but I think they are measured in the many dozens vs. many hundreds or many thousands.

Many have yet to publicly commit themselves to a course of action with regards to setting a path towards learning how to compete for their internal users, using cloud as a foundation.

For some, it's a timing issue -- everything has a season.  For others, it's trying to figure out what the business really wants, which -- of course -- is made more difficult since most of their business consumers aren't quite sure what they want until they see it.

Did you really know you needed an iPad before you saw one?

For others, it's a simple people equation: do I have the support of my people and the mandate from my peers to make the investment in a long and challenging IT transformation?  And -- if the answer comes up "no" -- as it occasionally does -- what's the best alternate course of action?

Either way, most IT leaders are carefully watching the discussions, and not really participating vocally to the extent that other engaged parties are doing.  As in every election, the "silent majority" will usually be the deciding factor, and "cloud" appears to be no exception.

It's Election Year In The US
We've started the multi-year process of deciding who our president will be, and a good portion of Congress as well.  Although the actual election won't be until early November 2012, election fatigue has already set in for many of us.

The discussion is noisy, rancorous and occasionally outrageous.  Agreements between factions are hard to come by.

There's plenty at stake as well -- from taxes to job creation to foreign policy to ... well, there's a lot on the table that essentially boils down to "who are you going to vote for?"

But, come November, we'll all march to the polls and cast our votes.  If we don't, someone else will decide for us.  But there will be a decision.  And that will be that for the next four years.
When it comes to cloud, how will you vote?

 By: Chuck Hollis

Wednesday, January 11, 2012

Medical Identity Theft Plagued by Confusing Claims

The topic of medical identity theft makes the headlines one or two times per year. In spite of its rarity, it’s worth delving into this subject.

The elements that define private health information in the United States can be found in the Health Insurance Portability and Accountability Act (HIPAA).

Medical identity theft is the inappropriate or unauthorized getting, possession, use, or knowledge of individually identifiable health information to acquire medical services or goods, or to obtain money by falsifying claims for medical services and falsifying medical records to support those claims. Penalties are defined in the HIPAA privacy rule 42 U.S.C. § 1320d-6.

If you’re interested in cybercrime, you’ll find numerous and reliable statistics covering all aspects of those online misdeeds. Excellent Internet sources are the Federal Trade Commission, CyberSource, and the Internet Crime Complaint Center. But searching for data about medical identity theft is more difficult. Of these three sources, only the FTC lists medical identity thefts. The FTC claims that among all the complaints it registers (250,854 CNS identity theft complaints in 2010), medical theft amounts to only 1.3 percent (3,261 complaints).

Just to make medical theft searches more difficult, we find conflicting data. I have repeatedly read online that “Medical identity theft accounts for 3 percent of identity theft crimes, or 249,000 of the estimated 8.3 million people who had their identities stolen in 2005, according to the Federal Trade Commission.” When I searched for the source of this information, I found a November 2007 FTC report (page 21) that states “Three percent of victims said that the thief had obtained medical treatment, services, or supplies using their personal information.” However, a footnote adds: “Based on the responses of the 559 individuals surveyed who indicated that their personal information had been misused between 2001 and the date they were interviewed.”

Looking at specific surveys covering the United States, I have found some strange figures, such as 86,168 victims in 2001 and 255,565 victims in 2005. For example, the Redspin blog states “Several of these cases, dating back to 2005, are documented by the World Privacy Forum along with many other patient record thefts. They also note an increase in medical identity theft victims from 86,168 in 2001 to 255,565 in 2005, and this number is still increasing. Only time will tell what new crimes come with the theft of electronic medical records.”
 
The only acceptable figures I found on this subject are from the Second Annual Survey on Medical Identity Theft by the Ponemon Institute:


Even if this table covers all medical identity theft categories (both online and offline), the figures seem high compared with the 8.1 million American identity fraud victims cited by Javelin Strategy & Research for 2010 or the 7 percent rate claimed elsewhere. 

Next week, I will continue this blog by discussing a claim that medical record data is worth US$50 on the black market.

By: Francois Paget

Tuesday, January 10, 2012

Networked Printers at Risk

Multifunction printers (MFPs) have been common in offices for years. They let employees print, scan, and copy documents. Two separate talks at the 28th Chaos Communications Congress (28c3) show how attackers can infect these trusted office devices.

Hacking MFPs
In Andrei Costin’s presentation “Hacking MFPs,” he covered the history of printer and copier hacks from the 1960s to today. The meat of the talk concerned executing remote code on an MFP using crafted PostScript. Just printing a particular document can get code to run on the machine. Previous proof-of-concept research has done exactly that, once with a specially designed Word document and once with a Java applet.

Printers and copiers have been targets of attackers and spies for decades.

Costin found a method to exploit the firmware update capability of certain Xerox MFPs to upload his crafted PostScript code. He was able to run code to dump memory from the printer. This could allow an attacker to grab passwords for the administration interface or access or print PIN-protected documents.

Attackers can grab passwords to the administration interface from an MFP's memory.

MFPs are trusted devices connected to the office network, but sometimes they’re also accessible from the Internet. The number of publicly accessible office MFPs is in the tens of thousands. An attacker could craft PostScript code tied with exploits from the Metasploit framework and upload it to an MFP to attack a corporate network.

Print me if you can
A day later, researcher Ang Cui referred to Costin’s talk about PostScript attacks, though Cui’s research was limited to MFPs from HP. Similar to the earlier presentation, Cui’s attack leveraged the update capabilities on multifunction devices.

Ang Cui and Jonathan Voris demonstrate printer malware that forwards printed documents to a printer outside the corporate network.

Cui’s technique for infecting printers involves the more limited Printer Job Language, rather than PostScript, and injects code into processes running on the printer. This was effectively a custom rootkit for the printer’s OS.

To get his code on a machine, he needed to reverse-engineer HP’s proprietary firmware update file format. This involved dumping memory images from the printer and using a disassembler on the extracted firmware to determine how to parse the update files. Cui has developed a tool, HPacker, that can take an infected firmware image and repackage it into the proper RFU format for updates. This tool can also analyze current memory dumps.

Researcher Ang Cui uses a memory dumper to access the boot code and reverse-engineer the update file format.

The vulnerability was disclosed to HP, and updates for infected printers were released last week.

By: Jimmy Shah

Monday, January 9, 2012

10 Security Predictions for 2012: Top Trends

With 2012 just a few short days away, it’s that time of year when, in the words of McAfee Labs’ Dave Marcus, we “dust off the crystal ball, put on our battered Mr. Wizard hat,” and speculate about what the new year has in store.  McAfee Labs recently announced its 2012 threat predictions, to which I’d like to add some color, and throw in some observations of my own.

Attacks on Critical Infrastructure
We expect that the volume and sophistication of attacks focused on critical infrastructure – in particular electric, oil and gas, and chemical – will continue to rise in 2012, taking the form of extortion, Denial of Service, and targeted Stuxnet-like attacks. In an ever more networked world, the cyber vulnerabilities of critical infrastructure pose challenges to governments and to owners and operators in every sector across the globe.

Threats to Mobile Devices
With increasing popularity, and use cases expanding beyond games and books to work-related tasks like banking, we are seeing more and more people trying to exploit mobile systems. Last month, McAfee Labs released its Q3 Threats Report, which showed that the Android mobile operating system solidified its lead as the primary target for new mobile malware. The amount of malware targeted at Android devices jumped nearly 37% since Q2, putting 2011 on track to be the busiest in mobile malware history. We expect this trend to continue into 2012, with more organizations leveraging Virtual Desktop Infrastructure solutions to sandbox organizations from users’ consumer devices.

Consumerization of IT
In 2012, we expect to continue to see an increased use in tablets for mobile computing, as well as an increased use of social media applications from mobile devices. There will be more demand from both technical and business users wanting to bring their own devices, whether or not the company has authorized their use. 35 different brands of tablets were released this year – it’s a huge and growing industry, and organizations are leveraging technology like virtualization, network access control, and solutions like McAfee Enterprise Mobility Management to adapt to this flood of new technology.

Social Media
Social media is already such an ingrained part of our personal lives, but it has now infiltrated even the depths of our businesses and organizations. Data loss prevention controls, firewalls, IPS, and the like will need to become more application aware in 2012 in order to allow organizations to continue to use social media from a business perspective. We are seeing more and more threats coming in through vehicles like Facebook and Twitter, and we expect to continue to see malware growth in this area, a threat that McAfee is taking very seriously.

McAfee’s Innovation Team has been working hard on a project to apply the concept of reputation from McAfee Global Threat Intelligence to social media systems, letting us probe sites like Twitter for malware-related concepts. On the horizon for 2012 are products using this data – for example, allowing bad tweets to be stripped out of your feed, and flagged in your Twitter reader.

Stealth Rootkits
We expect to continue to see an increase in malware and rootkits getting below the user space and into the kernel space, making it tough for most security controls to detect them. Rootkits will self-mutilate – when traditional anti-malware solutions look for malicious content, a rootkit doesn’t come up as looking like anything bad. But the malware is designed to reassemble itself so it can function. The system looks good, you back it up, and a few weeks later that machine you’re running is infected. You restore from what you thought was a good backup, but you restore with a rootkit that has reassembled itself.

Sometimes this means a whole rebuild and a new OS, which is one of the reasons we are looking to move security down to the silicon level. Products like McAfee Deep Defender use McAfee DeepSAFE technology, developed with Intel, to sit between the processor and the OS and help protect vital system software residing in physical memory, providing a new view of drivers and other software as they operate.

Hacktivism
In the past, financial gain was the primary motivation behind cybercrime, but we are seeing more groups of hackers with other motivations. They are guided by economic, political or religious interests that generally go beyond their nation’s borders. In 2011, hacktivist groups like Anonymous and LulzSec grabbed a significant number of headlines, and we expect this trend to continue into 2012. Especially since many of these groups have gained publicity and notoriety for their causes, we expect more individuals to take this path.

Spearphishing and SQL Injection Attacks
These are the easiest and most common ways to penetrate an organization, and they are both effective and extremely prevalent. User awareness and reputation solutions will be used to combat these threats, alongside improved coding techniques (parameterized queries instead of SQL built from user input) and better database security controls, such as giving the application account only the privileges it needs.
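The SQL injection half of this, shown as an added Python example rather than anything from the original post: a login check that concatenates user input into the query (the vulnerable form), the same check with bound parameters (the fix), and a database-side control that limits the connection to reads so a successful injection still cannot modify data. The in-memory SQLite table, the account rows and the stored hash strings are constructed for the example; real password verification would compare a salted hash, which is out of scope here.

```python
import sqlite3


def make_db():
    """In-memory table with constructed accounts (assumption: password_hash holds a
    previously computed hash; hashing itself is not shown)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-of-alice-pw", "admin"), ("bob", "hash-of-bob-pw", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """The 'before': user input is pasted into the SQL text, so a quote in the
    username ends the string literal and the rest of the input is parsed as SQL."""
    query = (
        "SELECT username, role FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, password_hash)
    )
    return conn.execute(query).fetchone()


def login_safe(conn, username, password_hash):
    """The 'after': the SQL text is fixed and the values travel as bound parameters,
    so the database never parses them as code."""
    query = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()


def restrict_to_reads(conn):
    """Database-side control (least privilege): this connection may only read, so
    even an injected statement cannot delete, update or drop anything."""
    def authorizer(action, arg1, arg2, dbname, source):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_READ):
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(authorizer)


def attempt_delete(conn):
    """Try a destructive statement; True if it ran, False if the database refused it."""
    try:
        conn.execute("DELETE FROM users")
        return True
    except sqlite3.Error:
        return False


if __name__ == "__main__":
    db = make_db()
    # Classic comment-out payload: the quote closes the string and '--' discards
    # the password check that follows.
    payload = "alice' --"
    print("vulnerable:", login_vulnerable(db, payload, "anything"))
    print("safe:      ", login_safe(db, payload, "anything"))
    print("safe, real:", login_safe(db, "alice", "hash-of-alice-pw"))
    restrict_to_reads(db)
    print("delete allowed after restriction:", attempt_delete(db))
```

The vulnerable function returns alice’s admin row for the payload; the parameterized one returns nothing for it and only succeeds with the real credentials. The read-only authorizer is SQLite’s mechanism; on a server database the equivalent is a dedicated application account granted only SELECT on the tables it needs.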

Cyberwarfare
In 2012, we expect to see at least one major cyber security event similar to the "10 Days of Rain" attacks on South Korea: a blatant attack by a nation state that will serve as a prelude to information warfare. Cybercrime has evolved from something of a hobbyist affair into a very professional activity, and is now being leveraged to increase a country’s political power. As the world enters a new period of tension, many countries have redirected their services toward a cyberwar strategy, and many states have not hesitated to put forward their expertise in this arena.

Connected Solutions
Here at McAfee, 2012 will continue to bring together network security, data, endpoint and security management. We are looking for cohesive solutions: disparate parts that enrich each other with reputation information from McAfee Global Threat Intelligence, plus pieces such as our acquisition of SIEM provider NitroSecurity, McAfee Risk Advisor, and security at the silicon level with McAfee Deep Defender. We will be bringing all of these pieces together, making them much more relevant and central to the business.

Security is becoming more about business enablement and risk mitigation, as evidenced by the recent Disclosure Guidance on Cybersecurity issued by the SEC, a big step toward the widespread realization that for many organizations, IT and the business are one.

Optimized Security Strategies
Going into 2012, we need to stop narrowing our focus to just stopping bad things from happening; we also need to improve how other business units support that goal, for example by reducing the overhead on an organization’s help desk and by involving security in IT projects as early as possible. We need to see security as a business enabler that lets us take advantage of new market opportunities without taking on inflated levels of risk.

What are your thoughts on this list? Are there any trends for 2012 that you would add or take away? Let us know here on the blog, or on Twitter at @McAfeeBusiness, where we regularly update our followers on McAfee news, happenings and events.

By: Brian Contos

Friday, January 6, 2012

Big Data Analytics: The New Corporate "Six Sigma"?

If you've been around for a while, you'll remember how a giant wave of Six Sigma investments crashed over corporations around the world in an effort to improve competitiveness.


At EMC, we all went to Six Sigma class, and learned how to DMAIC key processes, and then DFSS.  My personal favorite was the statapult exercise -- big fun if you've never done it.

Over time, an army of Six Sigma green belts were developed throughout EMC's ranks, augmented by the ultimate masters: the Six Sigma Black Belts.

Why did so many companies make such a large investment in Six Sigma?

The answer is painfully simple: it quickly became the new competitive ante.
You either invested in getting good at Six Sigma, or you had better be prepared to suffer at the hands of competitors who had wisely made that investment.

I think we're seeing the opening scenes of a similar movie: a need for investing in broad-based skills in big data analytics proficiency.

The case for this particular observation is strengthened by recent results from EMC's Data Science survey: practitioners point to the lack of these broad-based skills as one of the major things holding them back.

This time around, the motivation is also simple: invest in learning to use multiple data sources and the newer tools to better predict the future, or be prepared to suffer at the hands of those who have made that investment.

And today, EMC is announcing a key component of our investments to help our customers and partners get better at this new and important skill set: an associate-level one week course and certification in big data analytics techniques.

I think it's going to be popular :)

History Can Always Teach Us Lessons
If you're in a competitive industry (and who isn't?), a lot of leadership time is spent thinking about new ways to create a competitive edge.  Everything is fair game: better versions of existing products, new ways of engaging with customers, investments in entering new markets, a focus on creating an innovative culture, tools to make better decisions, and so on.

The story of Six Sigma is instructive in this regard.  My impression is that Motorola figured out a way to improve quality processes and ended up kicking serious patootie on everyone else in their sector at the time.  Although Six Sigma had its roots in semiconductor manufacturing, the framework proved broadly applicable to all manner of business processes.

EMC's motivations -- at an executive level -- were likely quite simple.
This Six Sigma stuff looks like it creates a meaningful competitive advantage for those that seriously adopt it.  

We do business in an incredibly competitive industry.  
Ergo, we have no choice but to enthusiastically embrace Six Sigma proficiency throughout EMC, so let's get started.

(Quick note: this was the same line of thinking that was behind our investment in social media proficiency five years ago, not to mention other similar corporate initiatives).

The executive team started broadcasting the priority loud and clearly.  A Six Sigma program office was formed and staffed to drive engagement.  As a member of the management team, I was "strongly encouraged" to take a few days of training.  A few of my people were really interested in the whole topic, and ended up going down the green-belt-leads-to-black-belt path.  Communications on progress and business results were consistently frequent.

And then, one day, we were all sort of done with the heavy lifting.  
We understood the problems, the tools and the methodologies.  We had successfully applied the methodologies to broad portions of our business, and the results were plainly obvious to all.  Six Sigma had simply become part of our culture and the way we did business.

The envisioned change had happened.

History Is Repeating Itself
Done well, big data analytics enables organizations to create models that can help predict future outcomes.

Traditional business intelligence was mostly about understanding what had happened in the past using limited data sets; the new wave is clearly focused on understanding underlying relationships between ostensibly disparate data sets and using them to make predictions about likely outcomes.
In essence, you're investing in creating the proverbial crystal ball.  Being able to predict future outcomes using statistically validated models seems like a handy thing to have in the corporate tool belt, if you ask me :)

While the ideas behind big data analytics and associated data scientists aren't really all that new, their broader applicability is certainly new.  New, rich data sources are popping up everywhere, and they're getting easier to acquire.  The costs associated with the supporting tools and infrastructure are dropping like rocks (insert obligatory EMC product technology plug here).  Core business processes that are enabled with real-time predictive analytical insights can clearly be shown to perform far better than those that are not.

And more and more business leaders are realizing that, yes, big data analytics is the next competitive ante.  Whether they got there by themselves or by watching their competitors do it really doesn't matter.

For the newer business models that were "born digital", they already get it, and are well along their way.  Feed them cool technology (and lots of data sources), and they'll be just fine.
The real interesting action is in traditional business models that look very different when augmented by big data analytics.

I'm starting to see more executive teams "get it" (just like they did with Six Sigma), investing in corporate-level program offices (just like they did with Six Sigma), driving broad-based training to create a cadre of data science green belts and black belts, and creating newer self-service large-scale analytics environments where the new skills can be developed and practiced.
For me, history is starting to repeat itself.  Again.

EMC Education Is Investing In Skills Creation
If you're with me so far, you probably have a good understanding how EMC Education's new EMC Proven Professional Data Science Associate coursework and certification fits in (EMCDSA for short).
We think these skills are going to be incredibly important: now, and in the future.  We believe it, and our customers are telling us the exact same thing.

While this specific new educational offering won't make you a bona-fide, card-carrying data science rockstar in a week, what it does do very well is take someone with the natural skills and inclinations, and gives them the background and experience to work as part of a larger data science team.

People who are interested in data science and this whole area are generally fun people to work with.
We've constructed a sample persona, and -- based on my personal experience -- it's pretty accurate.  It's a nice mix of left-brain and right-brain skills: from the quantitative to the collaborative to the creative.
If you're a regular reader of this blog, your personality probably lines up in many of these regards, as does mine :)

The model I'm seeing over and over again is a small team of hard-core data scientists, augmented by a much larger audience of people who understand what they do, and how they do it.

Whether these people are co-workers, managers, helpers, business partners, etc. etc. -- this course is targeted at people who (a) see themselves working more with data scientists -- and data science -- in the future, or (b) see themselves evolving into a rock-star data scientist over time.

Either way, I think there's a large audience for this sort of coursework.

The Coursework
As you can see from the attached graphic, it's a week well-spent, in my humble opinion.
The first day is about context: why this is important, why it's different, the intended role that's being fulfilled, and so on.

The next two days are deep dives in classical analytics using modern tools.  The fourth day branches out to unstructured data (e.g. Hadoop) as well as the powerful capabilities of in-database analytics.
And the fifth day is mostly about the all-important communication and storytelling aspects.
Lots of labs with real-world data sets, modern tools and large-scale infrastructure, plus the opportunity to meet and work with like-minded people.  Like other EMC Education offerings, I'm sorely tempted to clear a full week and go have some fun :)

Wait, I'm In IT -- Why Should I Care?
When I talk about this subject to career IT professionals, they're interested, but they're not exactly sure how these skills might apply to them in their chosen profession.  I think there's a deeper connection than most may realize.

First (and most obviously) if you're going to have an organization with progressively more big data analytics types, it pays to understand a bit about who they are, what they're doing -- and what they need from IT.

More directly, it appears that many IT disciplines will incorporate big data analytics skills in the near future.  Consider, just for a moment, what capacity planning or performance management might look like in a few short years, especially in a world of large-scale variable IT service consumption.  You're going to want to get pretty good at predicting the future :)
Indeed, the next wave of security thinking is already leaning towards predictive analytical models using an incredibly wide variety of data sources.

The message is simple: big data analytics will not only be a new use case for IT, it will likely transform many of IT's key processes as well.

Why This Matters
Competing through big data analytics is quickly becoming the new ante in so many industries that I encounter.  Sooner or later, most business leaders will realize they have to invest in these proficiencies, or suffer at the hands of those that have.

Once these leadership teams make their decisions -- and start to organize for success -- there will be a real and immediate need for increased proficiency across the broader organization.

I think all the bright people who think they might be involved with this have a decision to make.
Do they wait for the time when they're told to attend a specific course?

Or do they decide to get ahead of the curve -- ahead of the inevitable wave?
By: Chuck Hollis

Thursday, January 5, 2012

Worker Safety In The Information Age

The modern economy is increasingly built on a cadre of knowledge workers who consume and process enormous amounts of information.


But these information-intense models are not without their risks, as we are continually reminded.
One of the big stories of 2011 was the rise of APTs -- advanced persistent threats -- that are causing us to re-think many long-held precepts around information security.  There are new security philosophies emerging; new processes and tools -- and new focus areas to consider.

As Art Coviello put it so eloquently in his RSA keynote -- "people are the new perimeter".  But how do we arm our knowledge workers to handle information -- in all its forms -- safely?

Rather than scratch our heads and wonder how best to close this seemingly brand-new proficiency gap, I think it's useful to review how earlier "trade" industries -- manufacturing, construction, shipbuilding, etc. -- identified this particular problem, and created the foundational methodologies to manage worker safety in an earlier age.

We often forget that seemingly new problems have sometimes been solved before, just in a different context.

And this might be just such an example.

Going Back
If you've ever visited a shipyard, or other large-scale construction or manufacturing site, you'll quickly realize that they can be very dangerous places -- not only for you, but for the people who work there.
We're usually talking about massive girders and beams, welding, heavy equipment to move it all around, big vertical drops and more.  Or consider what it might be like to work in a factory that makes radioisotopes, for example.

There's always the imminent potential to have a really bad day.
Make any small mistake -- whether due to carelessness or inexperience -- and you could not only take out yourself, you could take out several of your co-workers as well.  Not to mention cause a lot of physical damage.

Over time, these industries learned to take worker (and workplace) safety very seriously indeed.
The motivation was blindingly simple: accidents could be incredibly expensive.  There are economic losses of productivity, various regulatory penalties, costs associated with workers' compensation -- even small accidents can be very costly indeed.

Just like an information breach :)

Their answer has evolved into what I could only describe as a "systems" approach.

One part is careful consideration of tools, equipment and work processes.

Another significant investment is around training, certification and monitoring of workers.
And, finally, a statistical control process (think Six Sigma!) where even the smallest incident is scrutinized to gain insight on further process improvements.

As part of my routine interactions with IT organizations, I'll occasionally probe as to whether they've invested in each of these "systems" elements regarding information security: worker environment, training and education, and statistical process control.

Occasionally, I'm surprised by the depth of their response.  More often, they're investing in "behind the scenes" improvements (the infrastructure behind the worker environment), and not doing much in the other two areas.

Is it time for that thinking to change?

Back To Our Construction Site
I have an acquaintance who's involved in heavy construction.  I was fortunate enough to pick his brain for a while on how they handle safety on job sites.

He is adamant that no one -- and he means no one -- picks up a tool at the work site unless they've been trained and certified.  No amateurs allowed.  The new people are shadowed for a while by a more experienced worker until confidence is established.

Thanks to the workers' union, all workers are continually trained -- not only about developments in their profession, but new safety techniques as well as reinforcement of existing ones.  On the job site, there are clear and visible reminders everywhere around safety.  He also said that onsite management had part of their compensation either directly or indirectly tied to safety as well, meaning there were usually multiple senior eyes keeping a watch on what people were doing.

When there was an incident of any sort, there were all sorts of forms to fill out, and many people who wanted to ask questions.  Yes, a powerful incentive to avoid accidents, but also the raw material for continual process improvement.

He said tools and work processes were continually being improved -- he could see the changes over the years.  Training and certification has also become more onerous and rigorous.  And financial incentives to maintain a safe working environment were increasingly becoming a part of his compensation.

Does any of this remind you of how IT security might work?  Maybe it should ...

What's Missing?
If we accept that this sort of conceptual model might serve as a blueprint for thinking about information security differently, what might be missing?

First, we're going to have to seriously revisit the topic of worker education, and -- ultimately -- certification.  In many settings, a segmented approach would be indicated based on your role in the organization, and the degree of "information risks" you are routinely exposed to.

My informal survey of existing efforts in most organizational settings tells me there's a *lot* of work to do here.

Second, we're going to have to get much better at keeping and using records.  Any incident -- no matter how small or apparently insignificant -- can be used as input for ongoing statistical process control.  Again, my informal impression is that this information is often gathered, but rarely used in this fashion.
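What "statistical process control" over security incidents can look like in practice, both for the "systems" element above and for the record-keeping point just made, as an added Python example that is not from the original post: a c-chart, the standard control chart for counts of events per fixed-size window, run over a constructed series of weekly incident counts. The chart assumes the counts in a stable process are roughly Poisson, so the center line is the mean count and the control limits sit three standard deviations (the square root of the mean) either side of it. A week whose count breaks the upper limit is the signal to go and ask what changed; a long run on one side of the center line, even with no single bad week, is a second signal that the process itself has shifted. The data, the window size and the run length of eight are assumptions.

```python
import math

# Constructed weekly counts of user-reported security incidents (assumption):
# phishing reports, lost devices, mis-sent e-mails and the like, one number per week.
WEEKLY_INCIDENTS = [4, 3, 5, 2, 4, 6, 3, 4, 12, 5, 3, 4]


def c_chart_limits(counts, sigma=3.0):
    """Return (center, lcl, ucl) for a c-chart.

    Counts per equal-size window are modelled as Poisson, so the standard deviation
    is the square root of the mean; the lower limit is floored at zero because a
    count cannot be negative."""
    c_bar = sum(counts) / len(counts)
    spread = sigma * math.sqrt(c_bar)
    return c_bar, max(0.0, c_bar - spread), c_bar + spread


def out_of_control(counts, sigma=3.0):
    """Indices of windows whose count falls outside the control limits."""
    _, lcl, ucl = c_chart_limits(counts, sigma)
    return [i for i, c in enumerate(counts) if c > ucl or c < lcl]


def run_rule_violations(counts, run_length=8):
    """Indices at which a run of `run_length` consecutive points on the same side of
    the center line completes (a common Western Electric style rule). Points exactly
    on the center line break the run."""
    c_bar = sum(counts) / len(counts)
    hits = []
    streak, prev = 0, 0
    for i, c in enumerate(counts):
        side = 1 if c > c_bar else -1 if c < c_bar else 0
        if side != 0 and side == prev:
            streak += 1
        else:
            streak = 1 if side != 0 else 0
        prev = side
        if streak >= run_length:
            hits.append(i)
    return hits


def review_report(counts):
    """Summarize which windows deserve the kind of scrutiny the post describes."""
    center, lcl, ucl = c_chart_limits(counts)
    return {
        "center": round(center, 2),
        "lcl": round(lcl, 2),
        "ucl": round(ucl, 2),
        "out_of_control": out_of_control(counts),
        "run_rule": run_rule_violations(counts),
    }


if __name__ == "__main__":
    report = review_report(WEEKLY_INCIDENTS)
    print("center %.2f, limits [%.2f, %.2f]" % (report["center"], report["lcl"], report["ucl"]))
    for i in report["out_of_control"]:
        print("week %d: %d incidents, above the upper control limit" % (i + 1, WEEKLY_INCIDENTS[i]))
    for i in report["run_rule"]:
        print("week %d: end of a sustained run on one side of the center line" % (i + 1))
```

On the sample data the mean is about 4.58 incidents a week with an upper limit near 11, so only week 9 (12 incidents) is flagged; the weeks of 5 and 6 are ordinary variation and would not justify a special investigation. The point of feeding every small incident into the chart is that the limits are only meaningful if the baseline is complete.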

Third, we're going to want to create "information safety" incentives across the organization -- both at an individual contributor and a management level.  Whether these are rewards, punishments or some combination I'll leave as an exercise for the reader.

But one thing is clear -- it's hard to get a meaningful change in daily behavior unless you provide consistent incentives to change.

More critically, we're going to have to organize for success.  If you went to your present organization and asked "who's responsible for this?", you're unlikely to find the resources and alignment you'd need to be effective.  Again, you can find these organizational constructs in the physical world; less often in the digital world.

And, finally, we're going to need a bit of that very rare and precious skill set -- leadership.  Ultimately, the critical ingredient is often having people in a position of authority who can recognize the new challenge, and cause organizational focus to be placed on coming up with better solutions.

Why Isn't This All About Technology?
It'd be great if we could come up with wonderful technology that eliminates all the risks associated with people doing really dumb things, but I'm not holding my breath ...

RSA, as part of EMC, makes some amazing technologies that can help organizations tackle this problem effectively.  They're also providing some useful coaching around what next-generation security functions look like: how they're organized, managed, staffed and so on.

That being said, security functions can often end up isolated from an overall organizational perspective.  I now believe that "worker safety in the information age" is an organizational challenge; it most likely will require an organizational response.

To be successful, I think these security teams are going to need the exec-level "air cover" to align the broader organization -- and their behaviors -- with the ultimate goal: to unlock the potential of information and do so with confidence.

By: Chuck Hollis