Monday, April 30, 2012

Be A (H)App(y) Mom

Now that we Moms are becoming tech-savvy, it would be cool to be conversant with the terms related to gadgets we use. One term frequently bandied around is that of apps. Quite a few people have hazy notions about an app. So, let’s demystify apps today, shall we?

An app or application is basically a software program that can run on your computer, your phone or any other internet-enabled device and is designed to execute a particular task. One good example is the Angry Birds game that you download on your mobile or PC and play. The apps for smartphones actually help the phones to act like microcomputers. Today, there are apps for everything, starting from games, to GPS systems, virtual tattoo parlours, store finders, Facebook for smartphones, and what not!

Though apps have been around for quite some time, the launch of Apple’s App Store for iPhone and iPod Touch in July 2008 established a trend of manufacturer-hosted online distribution for third-party applications focused on a single platform.

Today many apps are offered free while the rest carry a price tag. But remember, ‘free’ doesn’t always mean ‘cheap.’ There may be membership charges as well as uploading and downloading charges. More sinister, there may be cookies attached to free files intended to steal information from your phone or simply crash it.

I can see the question hovering topmost in your mind. Can these apps be dangerous? Unfortunately, yes. Third-party apps have become the favourite hunting ground for malicious hackers, and they are now focussing mainly on five popular third-party applications, including:
  •     Java Runtime Environment (JRE)
  •     Adobe Flash
  •     Adobe Acrobat and Reader
  •     Internet Explorer
  •     Apple QuickTime
With the cumulative number of unique malware samples exceeding the 75 million mark (McAfee Q4 2011 Threat Report), one could inadvertently download a virus or malicious cookie while downloading a file or an app.

So how do you use them yet stay safe at the same time? Follow the golden rules:

  •     Install mobile security software on your phone. I recommend McAfee Mobile Security, which will not only protect your phone and data, but also scan all apps for authenticity before allowing you to download them.
  •     Verify the source of each app
  •     Password protect your computer and smartphone
  •     Do not allow any app to change your browser settings
  •     Install McAfee SiteAdvisor on all internet-connected devices. This free software informs you whether the website you are visiting is safe or not.
Happy (h)app(y) time, ladies!


By Anindita Mishra

Friday, April 27, 2012

Cloud Meets Big Data In Healthcare: The Importance of ACOs

Many people I meet who work at the intersection of healthcare and technology can get frustrated.

On one hand, the current healthcare delivery system in the US, with many obvious and visible opportunities for improvement.

On the other hand, the tantalizing power of newer technologies: cloud, big data, mobility, etc.

Historically, many people like me have looked at the situation, and tried to figure out why supply and demand weren't getting properly connected. 

The technology is there -- why isn't it being consumed?

In a nutshell, my opinion is that the industry wasn't organized for success.  There were inherent structural barriers that inhibited the widespread adoption of the newer technologies and approaches.

But, with the recent rise of ACOs (accountable care organizations) and their brethren, a few of us are extremely optimistic that the next few years will be very different than the past.

A Simplistic Background

In the United States, healthcare is largely a for-profit business: fee for service. 

It doesn't take an MBA to realize that this can lead to some interesting outcomes: a strong financial incentive to offer more services (and more expensive services) to drive revenue, a strong incentive to lower the cost of providing those services as well as a strong competitive ethos in many markets, as -- in essence -- you're competing for patients.

Not all of these outcomes are in everyone's interests -- as individuals, or as a society.

From my perspective, the first wave of change was driven by the large payers -- the health care insurance companies.  Their business model was simple: contract with employers to provide fixed cost healthcare coverage against a variable (and sometimes unpredictable) cost base. 

They, in turn, first focused on reducing costs through pricing power, later followed by a more progressive view that healthier employees meant less demand for health care services.

But, in the United States, there's one insurance payer above all others -- the US Government via Medicare and -- to a certain extent -- Medicaid.  Their size means that they have a unique ability to force structural change in the industry.

Two years ago, the Patient Care and Affordable Health Care Act of 2010 was passed by the Obama administration, and -- while certain components are being debated in the US Supreme Court -- an often overlooked part of the legislation is the new bargain with health care delivery organizations.

The incentive is simple: if your healthcare delivery organization focuses on health care outcomes (vs. simple service delivery) and saves the government money in the process, the government shares some of the rewards with you.

Do better than your peers, and you can make a lot of money indeed. 

All of a sudden, big piles of money are on the table that now create powerful incentives for health care organizations to change their models -- and quickly. 

And, in my humble experience, there's no incentive for rapid change quite like the potential of big piles of money :)

While there's definitely speculation as to whether or not this specific legislation will proceed unimpeded, the future is clear: we're heading to a model where healthcare providers will be strongly incentivized for results (efficiency of wellness results) vs. effort (how many services were delivered and their costs).

Structural Change In Health Care Delivery

A significant amount of healthcare services in the US flow through smaller providers: individual practices, modest clinics, regional hospitals and the like.  Now, if you're going to play in this new Medicare game (or any game like it), size matters -- a lot.

  •     You have a strong interest in providing cost-effective, shared back-end services, with IT being a hot topic right now.
  •     You have a strong interest in aggregating and integrating different components of the overall healthcare delivery model -- from wellness counseling to pharmacy to even providing your own health insurance products. 
  •     You aspire to be a "wellness delivery system" as opposed to a traditional hospital, for example.
  •     And, above all, you quickly gain an appreciation for the power of predictive analytics to "change the game" as far as modeling outcomes.

Cloud Is Big

I've met with about two dozen healthcare IT organizations, and the conversation is getting far more predictable.

    There is structural change afoot in our industry, driven by new legislation that creates powerful incentives for change.  As a result, we're going from a world of isolated and small IT functions to aggregated and integrated ones, usually through acquisition and/or affiliation.

    We've brought in a new IT leadership crew to set strategy and accelerate the transition.  We need to look more like a competitive IT service provider, and less like a traditional, project-oriented siloed IT shop.

    And we need to do it sooner than later.

Needless to say, we've got a lot to say to the IT teams who are in this situation.  And we expect many more to raise their hands before too long.

Mobility Is Big

The first round of "mobility in healthcare" was mostly around the healthcare providers -- giving them increased access to information and applications as they moved through their workspaces. 

Nothing wrong with that -- and it's still an important topic.

But if your new mission is accountable health care, all of a sudden there's this incredibly strong incentive to extend your "mobility platform" to include your patients as well.  More patient interactions -- at lower cost -- always means better healthcare outcomes. 

In addition to the predictable mobile apps, think about video chat, the usefulness of text message reminders as well as eventually purpose-built sensors that easily attach to mobile devices -- like blood sugar monitors.

Big Data Analytics Is Big

No one -- but no one -- in this industry denies the amazing power of predictive analytical models powered by big data to produce a continual stream of meaningfully superior patient outcomes.  They may use different terms across different specialties to describe the effect, but the basic thought is always the same.  More data and more resources always means better outcomes.

But prior to the rise of next-gen ACOs and their brethren, there were serious structural problems in assembling the data and the resources.

One, clearly, was access to relevant data about the patient.  Not just isolated dribbles of clinical data -- we're talking *all* the data from *any* potential source.  Thanks to privacy regulations, drug and therapy companies can't get to it easily.  Nor can health care insurance providers.  Nor can various government entities.

But the new breed of ACOs (or any other managed care delivery organization) have privileged access and a trusted relationship with the patient. 

I don't know about you, but I tell my doctor *everything* (or should!) because if he or she has more information, they can make better recommendations. 

I, as a recipient of healthcare services, have a powerful incentive to make sure my doctor has free and easy access to anything at all that might be relevant about me and my healthcare.

In essence, the new ACO is an attractive and privileged "assembly point" for diverse data around a patient.

The second was scale.  Doing meaningful work in big data analytics requires a significant investment in both IT resources and some very, very smart people.  Being able to amortize that investment over dozens (or hundreds!) of healthcare delivery points makes their use far more cost-effective.

The third was horizontal integration.  If all you do is blood lab work, all you've got access to is mostly those results. 

However, if your "wellness delivery organization" incorporates the entire value-chain of healthcare services, you've got ready access to a wonderfully rich and easily correlatable world of data sets -- and that's *before* you even start to go outside the organization.

And, finally, strong financial incentives need to be in place to build, produce and act on the insights in a cross-functional way. 

Thanks to the new incentive scheme courtesy of the US Government, that appears to be clearly in place for a sizable population of Medicare recipients.

And if this one doesn't do the trick, I'm sure there will be others.

Do Healthcare IT Organizations Get It?

Yes, but they're all coming at it from wildly different perspectives -- at least, based on my interactions so far.

There are plenty of "we need to consolidate and streamline our IT function to reduce costs" discussions.  A few of these have progressed to value generation vs. simply doing what you did last year for less money.  But not enough.

There are a handful of healthcare delivery organizations who take a strong interest in mobility, but it's almost always pointed at doctors and RNs -- vs. the patients themselves.  I think that should start to change in the next year or so.

And -- wonderfully -- I've now met about a half-dozen very progressive groups who are starting to get the big data analytics bug.  Their passion is contagious -- they're on a mission to change the world using better predictive models.  It's hard not to share their enthusiasm.

To this day, though, I have yet to encounter anyone who can articulate that end-to-end vision around technology enablement in the new world of accountable health care.

But, hey, it's early days :)

By Chuck Hollis

Thursday, April 26, 2012

Free Stuff on Social Networks Not Free

In recent years, scammers have flocked towards social networking sites as they have grown and made it easier to access a large number of potential eyeballs to convert into dollars. Brands have found value in leveraging social media to know what their customers are talking about, so, naturally, scammers are doing the exact same thing.

Free iPads and iPhones

Every time Apple unveils a new iPad or iPhone, you can bet there are scammers out there trying to leverage the announcement for financial gain. In the days leading up to and after the announcement of the new third-generation iPad, Twitter users who tweet about the new tablet most likely will receive some targeted Twitter replies from scammers offering the new device for free:

Many of the links are often masked behind URL shortening services. These links actually lead to affiliate pages asking for personal information, such as email address and shipping information. However, some scammers have also begun to send users to instructional videos on YouTube. The videos guide users through a step-by-step process to get their free iPad or iPhone. Scammers then use the video description section to link to the affiliate pages:

Users can report these videos to YouTube by flagging them as inappropriate and selecting the "scams / fraud" option under the Spam category.

Free gift cards

Another common lure that scammers use on social networkers is to offer free gift cards. For instance, any time a user mentions particular brands on Twitter, scammers target them with Twitter replies offering free gift cards:

Some of the brands presented in these scams include retailers of consumer electronics, women’s intimate apparel, and a large discount department store.

Experimentation

The above set of scams has relied on fake accounts posting links which lead to affiliate branded pages. For example, we saw scammers sending users to YouTube to follow a how-to video (likely a consequence of social networking sites improving their detection mechanisms to weed out direct links to these scams before they have a chance to see the light of day).

Recently, however, scammers are using a new trick to evade detection.

Fake promotional user accounts

Unlike the previous examples, where a Twitter user posts about a certain brand and receives a targeted reply with a link, users are now being directed to fake branded Twitter accounts:

Instead of seeming like a scam link, this message now looks more like it is part of a conversation with an actual (and clickable) brand. In the above example, a user posted about the Macy's brand and, in reply, that user receives a Twitter reply directing them to what claims to be an official account for Macy's.

Read the fine print

Misleading users, of course, is the goal of these scam campaigns. Not only are the brands misrepresented here, but the affiliate programs these scammers are part of state only in the fine print what someone can expect when responding to these offers:

If you are a Twitter user and you receive replies from suspect Twitter accounts promising you something for free, protect yourself and others by reporting the account to Twitter.

By Satnam Narang

Wednesday, April 25, 2012

Don’t Let Your Data Center Security Get Voted Off the Island

As more and more businesses move towards virtualization, physical data centers are going the way of the buffalo. Once a data center has been virtualized, an integral part of the network is moved from the physical island of computing resources into the virtualization software.  Inspecting traffic is more challenging when it is self-contained in a virtual environment, and as a result, security is all too often voted off the island.

As data center virtualization scales, there are 3 critical security roadblocks your organization needs to address:

1.     Network policy and service level assurance

Once data has been transferred to a virtualized environment, the previous network policies must be adjusted. Typically, network policy configuration is tied to a physical port, but with virtualization, machines move across physical servers and are no longer bound by static policy configurations. This has the potential to cause serious network and security problems, especially for businesses that fall under strict compliance rules.

To combat this, companies must configure their environment so that when virtualized traffic shows up on a port, its policy can be looked at and adhered to properly.

2.     Management blind spots and network outages

The majority of today’s security tools are based on IP addresses instead of identity, which means that application and network activity must be tied back to specific individuals, servers, or devices. In virtualized environments, the physical boundaries once created by the island stacks are no longer there, resulting in management blind spots.

In response, organizations should employ an identity-centric strategy, where IT teams can follow users and applications across data center resources and track back at a granular level if an incident or threat occurs.

3.     Security loopholes and unprotected data

Most traditional security tools rely on physical boundaries, and those boundaries are broken once things are moved out of the data center and into a virtualized environment. While many enterprises are still trying to make do with their old security safeguards, physical environment–based security solutions cannot differentiate between physical and virtual resources.

Instead, IT teams must embrace a new security model that replaces physical trust boundaries with virtual ones, in order to provide seamless, secure user access to applications – anywhere at any time.

Ultimately, in order to fully benefit from the agility and cost efficiency that virtualized and cloud environments provide, enterprises must change the way they think about security. Security solutions have to understand the virtual environment, and policies must migrate with VMs as they move from server to server.

McAfee now offers an enhanced Network Security portfolio to help organizations solve some of the critical challenges of virtualization. Through third party integration, businesses can address the complex needs of their virtual data center environments and create a scalable, available, simple and secure virtual data center that is ready for cloud computing.

To learn more about McAfee’s next generation Network Security platform, read our full whitepaper with partner Brocade, Solving Critical Challenges of the Virtualized Data Center, and be sure to follow us on Twitter at @McAfeeBusiness.

By Tyler Carter

Tuesday, April 24, 2012

Your New Best Friend May Not Protect You

Your mobile phone may arguably be your new best friend. There are few people, places, or things in our lives today that get as many hours of attention as your mobile phone or are with you as often (and for some of us, that means 24/7). Four out of seven people on the planet have mobile phones, because a phone really is a great companion that brings us into contact with all the actual people we love, media that entertains us, music that makes us feel good, and finances that help us eat.

But unlike a German Shepherd, your mobile isn’t exactly a security device. Certainly, it can help you get help, but we often forget that our smartphones are our most personal computers and are usually with us most of the time. Even though we use our smartphones for way more than just calling people, we don’t protect them like we should. Below are some tips from McAfee on mobile security.

    Lock it: Configure your phone to lock automatically after two or three minutes, and to require a PIN to unlock. And make sure you’re not using a PIN like 1234 or 1111.

    Install trusted apps: Only download from reputable app stores. Third parties are risky. Use crowdsourcing and check reviews before downloading any app.

    Back up: Most smartphones have the ability to back up wirelessly, locally or to the cloud. Just like your computer, it’s good to do this with your smartphone on a regular basis.

    Update your OS: Operating system updates are meant to patch vulnerabilities in your OS and allow it to play well with other apps.

    No “jailbreaking” or “rooting”: These terms refer to the act of hacking your device so that it can go beyond the intended walls it was designed to stay behind. Those walls offer protection you won’t get otherwise.

    Log out: Just like on a PC, before you close that window or walk away from the device, log out of any websites or programs. And remember, don’t “save” your information so that you can automatically log in the next time—if your mobile is lost or stolen, someone else can easily access your accounts or files.

    Turn off WiFi/Bluetooth: If you aren’t using wireless services, shut them down. Open, unattended wireless connections are easy targets for criminals.

    Don’t get scammed: Any emails or text messages you receive requesting personal information are usually scams. Unless you specifically initiated the conversation, just hit delete.

    Don’t click links in emails or texts: Unless I’m expecting an email from a friend, colleague, or company as a result of an action I’ve taken, I don’t click links, since they can often result in your device becoming infected with malware. And it’s much harder to see if a link is not valid from your mobile device vs. your computer.

    Install mobile security: Comprehensive security is as important and necessary for your smartphone as for your PC and even your Mac. And don’t forget that just like your computer, you need more than antivirus.


By Robert Siciliano

Monday, April 23, 2012

Spring Cleaning Your PC

If your PC is bogged down with useless software and your desktop is jammed with icons and documents, then your PC is next to useless as a productivity tool. Even scarier is the increased likelihood that if you have lost track of your files, you could easily have sensitive personal information exposed without your knowledge.

Begin by emptying your trash, since these unwanted files are still taking up valuable space on your hard drive, then follow these tips for a cleaner, faster machine:

    Organize software: Gather all your software disks and serial numbers, and back them up in two or three different locations. I keep all my software on the original CDs or DVDs, and I’ve also ripped copies, which I save in organized folders on external hard drives. (Ripping is the process of copying audio files, video files, or software to a hard disk.) This includes all your drivers, recent versions of browsers, antivirus and anti-spyware software, and any free applications you use.

    Get Belarc Advisor: This free utility takes a snapshot of your entire system and generates a convenient list of everything that’s installed, including serial numbers. This helps you identify and eliminate bloat—programs with an excess of superfluous features that are unnecessary for users.

    Remove old programs: If you have software that you haven’t used for at least a year, it is time to remove these programs from your PC, as they are taking up space and could contribute to slowing down your PC.

    Eliminate clutter and back up important files: Delete files that aren’t important to you and organize the files that you want to save into clearly labeled, easy to find folders.

    Defrag: If you have a Windows machine, find “disk defragmentation” in your programs menu to start this process.

    Upgrade your operating system: Upgrades usually offer new features that can help your machine run smoothly, and often include security patches that keep your computer protected from the latest threats.

    Clear your cache: Clearing your browser’s cache of temporary files and cookies can free up a lot of space on your hard drive. Search online for specific instructions on how to clean your browser’s cache.

    Do a reinstall: Adventurous and tech-savvy types can bypass all of the above and do a full reinstall. This means gathering all your installation CDs, software and files on external CDs or drives and then wiping the hard drive clean.

If you need help identifying problems with your computer, try McAfee TechCheck, a free diagnostic tool that quickly scans your PC to pinpoint possible problems with your operating system, network, applications, hardware, or peripherals.

If you want help maintaining your computer or have more serious issues, check out McAfee TechMaster service, which can rescue an ailing PC or help you set up and optimize a new computer or smartphone. They can also help you set up, troubleshoot, and protect monitors, printers, and other peripherals as well as help you set up a home wireless network—all from the comfort of your home! And McAfee TechMaster is available 24 hours a day, 365 days a year.

So before the summer rolls around, make sure you finish this last bit of spring cleaning.

By Robert Siciliano

 

Friday, April 20, 2012

Variant of Mac Flashback Malware Making the Rounds

Unless you have been living under a nondigital rock recently, you have probably heard of the Flashback Trojan, which attacks Macs. Around April 4 we saw reports of more than 500,000 infections by this malware. Further, McAfee Labs has recently come across a new variant making the rounds. This is no surprise: Whenever a piece of malware or attack is successful, we are bound to encounter copies and variations.

A key thing to remember is that this is a Trojan. Unlike viruses, Trojans do not self-replicate. They are spread manually, often under the guise that they are beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels often include email, malicious web pages, Internet Relay Chat (IRC), peer-to-peer networks, and other means. As of this writing, this Trojan is targeted at vulnerable Java plug-ins related to the CVE-2012-0507 vulnerability. When a user visits a compromised page, the page often uses an iframe tag that redirects the user to another malicious page, where the actual exploit is triggered by the malicious Java applet.

OSX/Flashfake (the official detection name) is dropped by malicious Java applets that exploit CVE-2012-0507. On execution, the malware prompts the unsuspecting victim for the administrator password. Regardless of whether the user inputs the password, the malware attempts to infect the system; entering the password only changes the method of infection.

The Trojan may arrive as the PKG file comadobefp.pkg and comes disguised as a Flash player installer:

It prompts the user for administrative rights:

Once the malware package is successfully installed, it tries to make contact with its remote sites to download any necessary configuration files:

Another characteristic of this malware is that it checks whether a firewall is installed on the target system. If one is found, it will remove the installation. (Other versions of Flashback are delivered via the sinkhole exploit.)

Infected users unwittingly download a variety of fake-AV packages. To avoid that fate, make sure you are running the latest security software on an up-to-date system, use a browser plug-in to block the execution of scripts and iframes, and use safe-browsing add-ons that help you avoid unwanted or suspicious websites.

My thanks go out to colleagues David Beveridge, Abhishek Karnik, and Kevin Beets for letting me pass along their analysis!

By David Marcus

Thursday, April 19, 2012

Utah Medicaid Breach Serves as Another Wakeup Call

An employee of the Utah State Department of Technology must have hit the snooze button when he launched a test server that resulted in the breach of 780,000 Medicaid records, including over 250,000 Social Security numbers.

The Governor of Utah was quoted in the Salt Lake Tribune saying “Individuals provide sensitive personal information to the government in a relationship of trust. It is tragic that not only data was breached, but now individual trust is also compromised.”

Words like “tragic” are generally associated with death, not data breaches; nonetheless, it’s not good to have your Social Security number in the hands of a criminal. The data breached will most certainly cause thousands of people to suffer from identity theft. New lines of credit opened by the thief will go unpaid and ruin good credit ratings.

While we do not have all of the specific details of the incident in Salt Lake City, it appears that the systems in question may have had the encryption measures required, but that a single weak password may have provided access to these sensitive records. This is another reminder that the failure to implement organizational security policies is, in itself, a weak link in IT security.

Security is the responsibility of the ones who are in charge, those who hold the keys. In my home, it’s me. In your house, it’s you. And you can put all the locks on a house that you need, but if you leave a window open or a thief chooses to look under your doormat for a front door key, he can easily enter and rob you blind.

For consumers, comprehensive antivirus, antispyware, antiphishing and firewall protection is just the beginning. Make sure your computer is up to date with all its critical security patches and your browser is secured too.

By Robert Siciliano

Wednesday, April 18, 2012

My Thirteen Year Old Is Our “I.T. Director”

I don’t know HOW often I hear these comments when I am out and about:

“My son manages all our computers.”

“My daughter sends my emails for me.”

“My teenage son has installed our security software … and the parental controls.” (No joke!)

So, why is it that parents don’t back themselves? Why do some parents automatically assume that their kids are best suited to these tech jobs?

Now, I know that our children are digital natives born with technology running through their veins. For many of us parents, aka digital immigrants, computers were something we had to learn at high school or university. And the Internet, well this came even later. It wasn’t until the mid-1990’s that most Aussies had some connection to the web.

Like it or not, the Internet is here to stay. While some parents have embraced this, others are feeling a little intimidated by how much the kids know, and how much the parents don’t. The kids appoint themselves IT Director and mum and dad just go along with it – because the kids understand how it all works.

Now if you are a parent who is concerned about their kids’ online life but has still supported the appointment of your 13 year old as Chief Technology Officer because you think you can’t do it, I urge you to have a rethink.

You are absolutely capable of being just as IT savvy as your kids. You just need to back yourself and invest some time in the online world. Somewhere along the journey as parents, we stop investing in ourselves. We’re so busy juggling that we don’t have the time to keep up-to-date with the latest developments whether it is movies, fashion or technology.

So, if you fall into this category (and don’t be embarrassed because so many parents do) I am going to set you some homework. For the next two weeks you need to spend at least 30 minutes each day familiarising yourself with your computer and the Internet.

Make yourself a nice cup of tea and get online. Search the web, see what all the fuss is about on Facebook and Twitter. You might know someone who can get you an invite to Pinterest.

And don’t feel guilty about taking the time to learn something new. By investing in yourself, you are also investing in your kids. Because as the weeks pass and your cyber knowledge grows, you will be able to take back some control and appoint yourself as Chief Technology Officer! And then, you can start establishing some ground rules.

Till next time.

Alex

By Cybermum Australia

Tuesday, April 17, 2012

Android Viruses are the Real Deal

Smartphones now make up half of all activated mobile phones. And as we know, smartphones are small computers, capable of performing most of the same functions as a PC, primarily through the use of mobile applications.

Some claim that mobile malware threats are still too scarce to worry about. But while PCs definitely remain the bigger targets, smartphones are quickly capturing criminal hackers’ attention, with instances of mobile malware increasing by 600% from 2010 to 2011.

CIO.com’s Al Sacco, “a security-conscious mobile beat reporter,” reported on his experience dealing with his first smartphone infection. His McAfee Mobile Security app identified the Android virus on his Motorola Atrix 4G. “Security expert, I am not, and I’m the first to admit it,” Sacco defers. “But I do know a thing or two about smartphones and the mobile landscape, and I can say without a doubt that the Android threat is very real… It’s better to be paranoid about real threats than to shake them off as nonexistent. And that’s a fact.”

“Paranoid” is a strong word, implying mental illness. And I know that isn’t really what Sacco meant. But maintaining an acute awareness of potential threats to your smartphone and taking action to prevent them isn’t mentally ill, it’s just smart.

What’s really crazy is using an Android device without mobile security, because it’s only a matter of time before that device is infected.

By Robert Siciliano

Monday, April 16, 2012

Lean Business in the Connected World

The internet brings a wide spectrum of benefits to the modern business. Connectivity has allowed the smallest firms to spread their message and products worldwide, creating unprecedented opportunity for just about anyone. The cloud revolution takes this connectivity to another level – serving businesses the tools they need to scale indefinitely and spread to a mobile workforce.

All of this, of course, costs money. Every business will see opportunity in the connected world, but a smart business will leverage the internet in a cost-effective manner. Unfortunately, there are forces working against every business – in fact every person, online. We see this malicious activity coming from many vectors, including the still infamous email spam.

This vector has evolved from its petty roots in unethical advertising – to viruses, malware, and identity theft through the ever-advancing tactic of spear phishing. Spam dominates the volume of email traveling through the internet. From our research at McAfee Labs, we see an average of 80% of email coming through as spam. This is simply too much wasteful traffic for a business to process.

No business should have to deal with this traffic. Not only does it drain productivity for employees, but it also consumes internet bandwidth that has a hard cost associated with it. For many companies, email flow comprises the majority of their bandwidth, even more than web traffic itself. Smart business owners in the modern economy know they need to operate lean, and removing the unnecessary cost of unwanted email is an easy move. By leveraging the cloud, businesses can eliminate this email, along with its associated costs and productivity drains, before it even reaches their network.

According to IDC’s 2011 Cloud Security Survey, migration to the cloud for email security is increasing. The research firm found that “30% of enterprises currently use messaging security software as a service (SaaS), and another 23% say they are in the process of piloting or planning a messaging SaaS deployment in the next 12 months.”1  Businesses with extensive requirements for data control can also deploy a hybrid solution – leveraging on-premises hardware for comprehensive outbound messaging security, while still eliminating malicious email in the cloud.

Be proactive. Don’t let unnecessary costs hold you back. Let the cloud take the hit, not your business.

By Tim Roddy

Friday, April 13, 2012

Positioning the Security Team Through Influence: Part 1

Last week I discussed how information security is broken at the relationship level.  This was illustrated by highlighting some challenging outcomes from the dysfunctional communications between security teams and their business customers.  While several remediation strategies were posed, the essential approach to enhancing the role of security professionals is to enhance their organizational influence.  This article kicks off a series exploring basic influence styles, the associated pitfalls, and guidance for their proper application.

According to Chris Musselwhite and Tammie Plouffe, “In today’s highly matrixed workplace, your ability to influence others can be key to your professional success.”  Their article When Your Influence Is Ineffective addresses the challenge of influencing the many personalities which comprise the typical corporate culture.  “The bottom line:” write Musselwhite and Plouffe, “since we naturally default to the one (sometimes two) styles that work best at influencing us, our influencing ability and our effectiveness to influence others will remain limited until we develop influence style agility.”

The lesson highlighted in this article is simple in its expression but complex in its implications – strategy and tactics must guide the application of influence.  Influence styles are a reflection of the influencers and, by extension, their team.  Thus, they must understand the situations to which different styles are applicable. “While the influencer may gain the short-term desired outcome, he or she can do long term damage to personal effectiveness and the organization.”  Just as poorly used network scanning tools can lead to disruptions of I.T. networks, amateur attempts to influence can result in disruptions in the professional network or long-term denial-of-influence.

We start our exploration with Rationalizing, a style defined by the use of rational and logical arguments.  Its usefulness relies on the availability of reliable data that can be analyzed objectively.

Rationalizing

This style is effective in cultures that value a dispassionate view of problems, a view that rarely dominates corporate decisions.  Influencers that “ignore value-based solutions, or fail to consider the emotions or feelings of others…can be perceived as competitive or self-serving, and may generate a competitive response.”

Forgetting the emotional and political dimensions of any decision will diminish or nullify the power of a rational appeal.  While reviewing network architecture and implementation artifacts for a client, I commented that they lacked information I needed to approve the design.  Informing the security manager of these issues, I noticed a contentious shift in the way he related to me.  Although the engagement ended on a positive note, I had to spend additional time to ensure that I was seen as a trusted advisor.

Success Tip

This style is effective when combined with styles that recognize the political and business decision drivers, such as negotiating and bridging.  Associating mutually accepted metrics with business objectives is one approach to using this style effectively.  Most importantly – always analyze data in the context of the initiatives that take priority for the business.

By Steven Fox

Thursday, April 12, 2012

Information Security Within Emerging Markets

I’m kicking off a series of blog posts over the coming weeks and months related to emerging markets. Look for countries such as Mexico, Brazil, Peru, Colombia, and South Africa to be discussed. Later, we’ll explore other countries including those in Asia as well as Europe and the Middle East.

The terms “emerging markets” and their subset “frontier markets” demand a bit of definition before I go too much further. Warning – pretty much every resource has a different list and a different definition.

The simplest way to think about emerging markets is a country with an economy and stock market in the early phases of development juxtaposed with developed, industrialized nations such as the United States, Germany and Japan.  Countries in the emerging markets category generally include China, India, Russia, Brazil, Colombia, Mexico, South Africa, Hungary, Poland, Thailand, Vietnam and about 20 others depending on which list you are looking at.

Frontier markets are a subset of emerging markets that are generally smaller and less liquid. They include: Estonia, Zimbabwe, Kuwait, Sri Lanka, and about 20 others.

I recently wrote an article for (In)Secure Magazine on this topic in which I discuss my personal experiences working in these countries and addressing information security.  I focused on a few areas including threats, trends, workforce, regulations, and infrastructure.

While the threats and trends within emerging and developed markets are very similar, the way those threats and trends are approached can be, and should be, quite different – including the types of security products and services that take priority. Because of finite resources, lacking educational systems, limited regulatory controls, and faulty infrastructure, information security strategies must be “tweaked” in accordance with that particular country’s challenges and capabilities in mind if they are to be successful.

Stay tuned for more country-specific details on this topic here in the blog, and be sure to follow @McAfeeBusiness on Twitter for daily updates on McAfee news and events.

By Brian Contos

Wednesday, April 11, 2012

Tips to Stay Safe When Holidaying This Summer

Summer’s in the air and I often catch myself humming the Cliff Richard number:

“We’re all going on a summer holiday, no more working for a week or two;

Fun and laughter on our summer holiday, no more worries for me and you….

We’re going to where the sun shines bright; we’re going where the sea is blue…..”

So my tickets are booked, itinerary planned and shopping list ready. All I have to do now is give my customary cyber safety talk to the family. Yup I do that you know, for I worry about my family’s safety 24/7. And if you were anything like me, you too would ensure that your gadgets don’t become the cause for spoiling your holiday. I like to sit around with the family to discuss which gadgets can be taken and which not, allowing the kids to be part of the decision-making so that they realize why we should not carry all our devices when traveling.

Wondering how gadgets can possibly be the cause for any holiday troubles?
  •     Loss of gadgets: If you and your family members are carrying a lot of gadgets with you, there is always the fear of losing one or two of them. Holidays are times when everyone is a bit careless and as you are not in your own home, things that get misplaced can get stolen. So it is advisable to limit the devices each one carries.
  •     Loss of data: Many people like to stay connected even while on the move. They take advantage of free Wi-Fi spots to surf the net, carry out transactions and check mail. These public Wi-Fi hotspots are a hotbed for identity thieves.
  •     Loss of financial information/credit card details: While booking holidays, hotels etc., check the sites for authenticity and verify with other reviewers and users. Don’t be taken in by offers that sound too good to be true. While on holiday, use of public PCs or free Wi-Fi to conduct financial transactions can lead to loss of financial information.
  •     Robbery: The moment you share your holiday plans online, you are leaving your home vulnerable to theft. Thieves would have no problem planning out a theft.
Mobile phones are no exception either. Remember that most of the security concerns associated with laptops and tablets are applicable in the mobile world too. The same goes for handheld gaming devices and iPods. In short, anything that connects to the Internet needs to be protected.

So what safeguards should you take to protect your family and data while on a holiday?
  •     Preferably, use a hard-wired connection or a personal Wi-Fi hotspot instead of public Wi-Fi. A DSL connection is typically more secure than any free Wi-Fi network.
  •     Have a strong password, comprising symbols, letters and numbers, for your Wi-Fi connection.
  •     Do not make your travel plans public on social networking sites before you leave. Remind children not to share details of the holiday with friends online.
  •     Check the privacy settings on each of the gadgets so that they are customised to be viewed only by the user during the duration of the holiday.
  •     Don’t geotag your photos and customise who can view them if you’d like to share them immediately.
  •     Install advanced security software on all your internet-enabled devices. Select software that offers features like remote data access, remote wipe, tracking etc. for phones.
  •     URLs beginning with ‘https’ are safer but not 100% foolproof.
  •     Turn off cookies and autofill during your holidays.
  •     Be selective about the apps you download, particularly in the Android market.
  •     If you think your account or phone has been hacked, change all passwords immediately.
So stay safe and have a great holiday. Enjoy!!

By Anindita Mishra

Tuesday, April 10, 2012

How to Protect Yourself From Malicious Apps

Last year, in order to combat a particularly insidious virus known as DroidDream, Google remotely deleted infected applications from thousands of Android devices. Apps that appeared legitimate were bundled with malware, then distributed via Google’s Android Marketplace. More than 50 infected Android apps were detected and removed. Since then, all app stores have reported infections or leaky applications.

Google recently released a service called “Bouncer” that analyzes apps on the Android Marketplace for known malware, spyware and Trojans, with the intent to protect users before they download a malicious app. Not only does this service analyze new apps that are uploaded to the marketplace, but also existing apps.

In addition, Google has its remote removal capability, which lets them remotely remove a malicious app from your smartphone or tablet. This app removal feature is one of many security controls the Android team can use to help protect users from malicious applications.

You may consider Google’s ability to access your phone without your knowledge or consent to be a privacy violation. First, though, this is included in the terms and conditions to which you have already agreed, and second, Google is doing you a service and protecting you from potential identity theft.

Even app stores that vet their apps more thoroughly than Android are vulnerable to infection, so here’s what you can do to minimize your risk from malicious apps:
  •     Only download apps from well-known reputable app stores
  •     Read reviews and check app ratings before you download an app
  •     Read the fine print and check what permissions the app is accessing
  •     Install a comprehensive mobile security product like McAfee Mobile Security which not only has anti-malware, but also scans your apps to determine the types and levels of access to your data and mobile functionality being granted.
With better insight, you can take control of your mobile security and data privacy.

Thursday, April 5, 2012

Mobile Device Flexibility and Telework in Demand for Millennial Workforce

The results are in:  Four out of five college students want to choose the device they use for their jobs—further validation that the Bring Your Own Device (BYOD) movement is here to stay.

Cisco surveyed college students and young professionals working around the world to determine the influence mobile device protocols, remote work opportunities, and Internet policies have on their employment decisions. It turns out that, even more than salary, flexible device and telework arrangements matter to young prospective employees. They seek organizations that embrace technologies, like telepresence, that support anywhere, anytime collaboration and, with the right set-up, can operate smoothly on personal mobile devices.

But BYOD-friendly workplaces that also support telework aren’t necessarily just perks in the eyes of young job seekers—they’re often lifelines. Digital technology offers one viable solution to the problem of youth unemployment, according to a Civil Society IT blog post by Dan Sutch. Sutch writes that digital technology (and we include telepresence in this category) can allow struggling young people to earn income from multiple employers. The home, or the mobile device itself, serves as the office, and the young worker can coordinate with and produce for several different organizations. The arrangement clearly benefits the employee by enabling him or her to earn money, but it also helps economically stressed organizations that can’t commit to full-time recruitment, Sutch said.

As millennials enter the workforce and demand and rely upon mobile collaboration tools to conduct business, mobile telepresence will play a crucial role. With telepresence and other digital communication modalities, this generation of young employees can enjoy the best of both worlds: the flexibility to work from home as needed or wanted, with access to the world in the palms of their hands. They’ll go local and global all at the same time!

Is your organization ready to support incoming mobile young employees? What challenges might you face in preparing for their arrival and attempting to attract their attention?

By Janet Lyons

Consumer Devices Changing the Public Sector Workspace

The Bring Your Own Device (BYOD) movement is taking hold in workplaces around the world, but some of my recent reading has led me to explore more deeply the impact of this trend on communication and security in the public sector.

An article in Forbes summed it up well: people rely more and more on smaller, mobile gadgets, and they’re using these devices to support telepresence and other collaboration tools to conduct work-related business. Though this embrace of BYOD (also called consumerization) means more flexibility to work from anywhere, more accessibility to coworkers and supervisors, and more opportunities for collaboration, it raises security concerns.

Despite these new worries, the worst mistake an organization can make, the Forbes article said, is not accepting and working to accommodate BYOD. Public sector organizations need strategies in place to support consumer grade and enterprise class devices that enable mobile collaboration. While necessary, these policies don’t always develop easily--accommodating consumerization while still protecting classified information can require an IT overhaul, writes ZDNet’s Dion Hinchcliffe.

According to Hinchcliffe, we are reaching a “tipping point” where IT will shift from controlling all things technology to instead enabling safe information exchange. It will no longer be about tying all devices to one network and governing that network, but rather organizing and managing the cloud and protecting that space from unwanted intrusions, he said.

With the right strategies and support systems in place to promote safe BYOD, organizations can maximize the benefit of technologies like telepresence. The military can safely give each soldier a Smartphone and know the video applications used on those devices can operate without risking national security. Doctors can see patients from their personal devices, saving late night trips to the hospital but still enabling proper, timely care.  And, professors can hold extra office hours, even telepresence-based, recordable review sessions without worrying about room availability or juggling schedules.

Does your organization support BYOD? What challenges does it bring up for you, and what solutions have you found?

By Janet Lyons

Wednesday, April 4, 2012

A Firewall is not an IPS – Even if it is Next Generation

At my core, I’m a technologist.  So, sometimes when I hear certain marketing buzz words, I cringe.  But there is one term that Gartner analysts have coined that actually makes sense in a world of technology that is changing so quickly and profoundly that simple version numbers cannot capture the advancements.  The term is “Next Generation.”  But, while Gartner has very defined criteria for what can be called next gen, the industry may be using it in a way that’s confusing to consumers.

In my experience, there is a misperception between what’s next gen and what’s actually advanced and different technology, and this becomes evident in my conversations with CTOs and IT professionals.  I often hear them justify that their business doesn’t need a network IPS because they have a Next Generation Firewall (NGFW).  This is where marketing can sometimes negatively influence business decisions and ultimately jeopardize business security.

It’s important that technology officers and influencers understand that McAfee solutions truly fit the Gartner definition, which is “the necessary evolution of network IPS to deal with changes in network communications and applications, and changes in the threat landscape. At a minimum, a next-gen IPS will have standard first-generation IPS capabilities plus application awareness, context awareness, content awareness especially providing full stack inspection. 1”

At McAfee, it’s not a marketing shell game.  The McAfee Network Security Platform v7 truly has next-generation network IPS at the core.  With protocol-based inspection, it provides leading protection against advanced malware, zero-day attacks, DDoS attacks, and botnets. The latest release includes new DoS, DDoS prevention capabilities and dozens of new botnet heuristics to more accurately and confidently identify misbehaving systems.

We take great pride in delivering the best network IPS in the market. Our network IPS is built by an army of the best engineers on the planet creating a solution designed to protect your organization against a variety of threats, and a Global Threat Intelligence team with over 500 researchers responsible for creating proactive counter-measures against the latest threats.  It is that precise level of research and deep understanding of the workings of the “underground” that allow us to provide our customers with real-time solutions to protect their people, assets and reputation.  In fact, in the latest NSS report, McAfee had the most effective solution out of the box.

What is the right solution for your business then? If you only need a firewall that simply monitors for threats and enforces policies when they are detected, then an NGFW may be sufficient for your needs.  Further, if you have highly trained engineers that have a deep understanding of the variety of threats, and know how to create signatures to provide ultimate protection, then NGFW or other IPS solutions may work for you as well. However, if you want a solution that can actually prevent increasingly sophisticated attacks with sufficient intelligence and automation to take the guesswork out of attack prevention and resolution, with application visibility and integrated threat-context – out of the box – then what you really need is McAfee Network IPS.

Get the complete picture by taking a minute to download the paper entitled, “Consolidate Network Security to Reduce Cost and Maximize Enterprise Protection” which describes the McAfee integrated solution for application visibility, reputation-based protection, behavior-based threat analysis and advanced malware detection.

1 Gartner, Inc., “Defining Next-Generation Network Intrusion Prevention,” by John Pescatore and Greg Young, Oct 7, 2011.

By Pat Calhoun

Tuesday, April 3, 2012

How to Change the Way Business Executives Perceive Information Security Teams

Business people have a conflicted relationship with the IT security team.  On the one hand, they concede the role the team plays to ensure compliance with regulatory mandates and the protection of corporate assets.  On the other hand, the team is often perceived as overbearing and out-of-touch with business needs.  When they don’t understand the needs of business, they are subsequently treated as cultural outcasts.

In her book, 8 Things We Hate About IT, Susan Cramm described common frustrations held by business professionals against IT staff.  These animosities are also directed at the security team.

The security team limits managers’ authority

“When challenged,” said Cramm, “IT justifies red tape as necessary because the business makes half-baked requests and is clueless about enterprise impact.”  IT security is perceived as playing the role of the beneficent ruler that imposes restrictions on citizens to protect them against themselves.

Many companies perceive the information security function as a cost center, which seeks to constrain processes to which staff and management have become accustomed.  The frustration born of this perspective adds to the cultural divide between these functions.  Rarely is non-security staff engaged in risk control discussions – a lack of interaction that serves to disenfranchise those who will interact with the controls.  This engenders a sense of powerlessness that leads to passive sabotage of initiatives intended to further the business.

Team members are condescending

The arrogant IT professional is a familiar stereotype lampooned in numerous television comedy sketches.  Although most security professionals do not conform to this caricature, the prejudice of business people sometimes leads to a self-fulfilling prophecy.  Ironically, many security professionals feel undervalued by their business counterparts.  Members of the security team “often feel just as frustrated by managers who treat them like servant-genies,” wrote Cramm.

The needs of the business are not understood

A successful business relies on being responsive to a dynamic competitive environment and to the accompanying opportunities.  Al Kuebler, author of Technical Impact: Making Your Information Technology Effective and Keeping It That Way, highlighted three drivers common to all business decisions.

  1.     Cost avoidance
  2.     Improvement in productivity or service delivery
  3.     Increased revenues

The security function, however, focuses on regulatory compliance mandates and minimizing the potential risks to organizational assets.  The manner in which this goal is pursued creates tension in organizations where risk is interpreted as opportunity.  In these instances, the security function is seen as an obstacle to success.

The team proposes “deluxe” when “good enough” will do

Business professionals are apt to use automotive brand analogies when discussing the cost/quality aspect of a solution, e.g. a “Buick” or a “Cadillac” product/service.  If a set of low-risk assets were compromised, the mitigating controls would be part of a Buick solution.  Conversely, a Cadillac solution is appropriate for high-risk assets.  This reflects a cost-benefit analysis of security vs. the projected cost of a compromise.

A common prejudice against IT professionals is that they will recommend a Cadillac solution when a Buick will accomplish the job at a lower cost.  This stereotype is born of a tendency to over-analyze a business problem and recommend a solution that addresses all possible implications of an incident.

IT Security projects never end

“It’s not that IT projects are never completed on time,” said Cramm, “it’s that they never feel completed at all.”  She points to a lack of consistency between functional requirements and the features delivered by an IT system.  This problem is perpetuated by the IT team’s expectation that their technical staff have the skills required to elicit business requirements.

Security teams should use compliance mandates as a context for risk discussions and for implementation scoping.  It is easier to market investments focused on high-risk issues over the next two quarters, for example, than to secure budget for a long-term security program.  Linking these control recommendations to compliance drivers allows the security team to address technical concerns while addressing management priorities.

IT Security does not support business innovation

Business is about being responsive.  Change comes in different forms – technological advances, new competitors entering the market or old ones going out-of-business, or the fickle nature of consumers stimulating adaptation.  From a business perspective, innovation must be executed to take advantage of change while minimizing risk.

IT Security is about enabling business while protecting the organization from external and internal threats.  This mission constrains the options available to the business, thus creating a perceived lack of competitive agility.  Separated from the business decision cycle in most organizations, the security function is left to act on incomplete messages from its customer.

IT Security never has good news

“No matter how much you spend or how hard you work, the promise of technology seems perpetually beyond your reach,” said Cramm.  Business professionals are accustomed to realizing measurable benefits from their investments.  They can refer to case studies to support the consistent Return-on-Investment (ROI) for a given solution.  The security function is handicapped by the lack of these success stories.  Their guidance is backed by industry-based practices and regulatory guidance – all external factors that rarely connect with the organizational mission.  Additionally, the outward manifestation of effective controls is the reduction of incidents, not an improvement in measures that are in the forefront of business attention.

While the IT security function is perceived as a cost-center for the company, it is possible to shift this perception by identifying and solving business problems that have an IT component.  These efforts, however, need to be promoted for all the organization to see.  The corporate landscape is replete with budgetary battles between departments.  The Security Assurance story must be told in a compelling fashion that communicates its value.

Lack of political awareness

Many IT people consider politics a “dirty word”.  Business stakeholders, on the other hand, recognize the political realities of the business environment.  They study the political patterns of the company in order to position their departments for success or further their agenda.  While exceptions do exist in highly political environments like the automotive industry, IT Security departments lack the political awareness to function at the same level.

Political awareness can be distilled to knowledge of the following:
  • Decision makers and what they care about
  • True business drivers behind security investments
  • Team dynamics
The security function must understand the goals of those to whom they are marketing.  Given the separation between IT and the business, it is difficult for these goals to be determined without the help of business allies.  These alliances are forged by helping business stakeholders solve problems consistently.  The security team must be able to evaluate the value of different relationships and its ability to reciprocate on the resulting benefits.  Additionally, the team must scope the nature of the partnership in order to optimize its positioning.

By Steven Fox

Monday, April 2, 2012

How to Protect Your Privacy From “Leaky” Apps

Back in 2010, The Wall Street Journal was already warning us about app developers’ lack of transparency with regard to their intentions.

“An examination of 101 popular smartphone “apps”—games and other software applications for iPhone and Android phones—showed that 56 transmitted the phone’s unique device ID to other companies without users’ awareness or consent. Forty-seven apps transmitted the phone’s location in some way. Five sent age, gender and other personal details to outsiders. The findings reveal the intrusive effort by online-tracking companies to gather personal data about people in order to flesh out detailed dossiers on them.”

And since then, our level of engagement with mobile apps has only increased (with over 10 billion apps downloaded), while there has not been a lot of movement to prevent applications from accessing your data.

So what to do? Privacy concerns are justified, but there is a limit to how this information can be utilized. If you feel the urge to free yourself from data tracking, you could delete and avoid apps, or you could provide false information, but that could violate terms of service and might not be effective, anyway.

When downloading an application, make an effort to consider what you are giving up and what you are getting in return, and to consciously decide whether that particular tradeoff is worthwhile.

You can also use mobile security software like McAfee Mobile Security that scans your installed apps to determine the level of access being granted to each of them. This feature then alerts you to apps that may be quietly siphoning data and enjoying unnecessarily extensive control of the device’s functionality, and then you can decide if you want to keep the app or delete it.

By Robert Siciliano