There were three major discoveries that really resonated with me after reading the results of the survey.  Honestly, the first part of the survey really just confirmed what we already know in our business:  Almost all security professionals remain concerned about a wide variety of security threats – upwards of 86 percent.  Additionally, these professionals believe end-users are especially vulnerable to attacks and identity theft – with 59 percent of the respondents reporting that their company has suffered a security breach in the past two years.

1. Passwords represent a serious vulnerability

While these general security concerns seem obvious, here’s what the survey uncovered that’s not so obvious:  Security professionals point to weak security and authentication (AKA: passwords) as the underlying issue.  Fifty-five percent of the IT professionals surveyed believe that “one of the greatest security weaknesses may be the continued reliance on the use of passwords for user authentication.”  No matter what we do to try to create strong passwords, there is always a risk.  Like the majority of IT professionals, I too am leaning toward the belief that user name/password authentication should be eliminated for business-critical applications.

2. Password management is a huge IT burden

The survey results make it clear that IT professionals are very concerned about the archaic and insecure nature of the user name/password combination.  It also brings to light that with multiple passwords (56 percent of users), the problems get even more complex – more passwords per user equate to more risk – and more involvement by the IT staff when users forget their passwords and need to have them reset.  Risks aside, provisioning and managing of user accounts significantly increases operational costs – from defining account access and privileges to terminating accounts to provisioning multiple accounts across applications.  It’s a burden and a waste.

3. The Cloud takes the problem to new levels

Then, there’s the growing reliance on the cloud.  Legacy authentication solutions do not play well with the advanced nature of cloud computing.  Plain and simple.  If we want our employees to be able to benefit from time- and money-saving cloud applications, businesses need a better solution.  The ESG survey showed that 46 percent of organizations use between one and five cloud applications, and the number of cloud applications deployed will only grow – the number of sites using between 11 and 20 applications is projected to grow from 14 to 40% over the next 2 years.  The amount of sensitive or regulated data moving between the organization and the cloud is mind-blowing.  And, businesses that do not have adequate access management in place are at increased risk of increased data breaches and intellectual property theft.

These results prove that businesses require strong authentication tools, like single sign-on (which can replace or even eliminate passwords) and multi-factor authentication (which adds an additional layer of secure access for applications). But, the tools must be easy to deploy, simple to integrate and use, and must be scalable.  The team at McAfee has been monitoring the trends and analyzing this business need to assemble and integrate essential identity technology into its portfolio and enhance the Security Connected architecture.  Not only are our cloud single sign-on and one-time password solutions highly effective, but they are easy to deploy – right down to customers and partners having the ability to chat with the McAfee Identity Center of Expertise staffed with experts in identity and cloud security.

Take a look at the ESG report and then consider your options for stronger identity authentication solutions with McAfee.

With SMBs making up 99.7% of all employer firms, it is important that both the private sector and government find ways to help small businesses stay protected. SMBs have become ideal targets for cyber criminals because they store a lot of customer information, possess valuable intellectual property and have budget constraints.

As small businesses adapt to the latest technologies they should also be cautious of potential threats, especially when it comes to the adoption of mobile devices and cloud services. With their sights set on getting the most out of their security budgets, SMBs often lose sight of the importance of a well-rounded security solution.  However, their business, intellectual property and customer data need to be protected as much as that in any large organization.  The focus now is on how information technology helps SMBs protect themselves against potential threats.

What are the growing trends SMBs should look out for?

1. Mobile Device Security

The mobile device has become much more than a device used for communication, it has become a way for people to conduct, manage and support their businesses. By the end of 2013 the number of mobile-connected devices is expected to exceed the world’s population, according to the Cisco Visual Networking Index.

With SMB owners trying to be cost effective, this means more and more employees bringing their own devices (BYOD) to conduct their day to day business. What does this mean for SMBs? With the number of mobile malware exponentially increasing every day, there is more opportunity for cyber criminals to prey on those unprotected devices. This leaves SMBs struggling to maintain security and control over a wide spectrum of devices that their employees use for work.

2. Migration to the Cloud

Another IT trend that serves SMBs particularly well is the migration to the cloud. SMBs can find real efficiencies in outsourcing their IT and communications systems to the cloud. They can reduce costs, improve offerings, eliminate complexity and have less need for on-site IT staff. These are great objectives – as long as security is not sacrificed.

The problem lies within the services that the cloud providers offer. Most do not offer a forensic capability as part of their base offering. This means that if a company’s data stored in the cloud is breached, it will cost the company more time and resources that law enforcement or a security firm use   to trace and remediate the breach.

As the adoption of mobile devices and cloud storage continues to be a trend so will the importance of security. There are several recommendations for SMBs to better protect themselves from cybercrime.

3. Solutions

Security must first become top of mind with SMBs and not just when a breach happens. All companies large to small should implement integrated and connected security system with real-time situational awareness of threats. This means that all phones, laptops, desktops and servers must be connected to allow networks over time to recognize threats before they can overtake the network functionality.

Mobile devices can pose more of a danger than the traditional PC, as they sport location information, are easily stolen, and often contain personal information of not only the owner but hundreds of friends, family and contacts.  These fun, convenient little devices are very vulnerable. Small business owners can take the following precautions to make sure their employees’ devices are secure:

• Educate employees on their role in protecting the organization, its data and brand against theft, loss or malicious use
• Use complex, alpha-numeric passwords
• Have policy controls over memory card usage and encrypt data
• Protect against Trojans with black listing and whitelisting applications
• Install firewall on the mobile device to restrict inbound connections and prevent use of the mobile device as a bridge

When it comes to cloud storage SMBs should make sure their providers offer certain protections even if it is through a third party provider. Also before putting anything into the cloud, make sure the value and sensitivity of the data is understood. Only after there is a complete inventory of the data should SMBs move it over to the cloud.

Not only is it important to make sure that you know what data is going into the cloud it’s equally important that all channels of traffic (email, web and authentication) that move data to and from the cloud are secure.

There is only so much an SMB can do on its own, which is why both the private sector and government need to lend a helping hand. By providing security for not only mobile and cloud platforms the security and IT industries need to keep their focus on innovation. Government can help by  enabling initiatives that will facilitate the sharing of cyber intelligence to the private sector.  This enables smaller companies to access the intelligence (mathematical indicators of threat behavior) protection mechanisms that to date are limited to larger organizations with security budget.  In return, that same intelligence set that can now attach to smaller businesses because the facilitated information sharing can now add to the knowledge that is used to protect the larger businesses,  TO borrow a word from the Department of Homeland Security, this creates an ecosystem, constantly changing and adapting to new threats.

Small and medium businesses comprise most of our network ecosystem, and often harbor intellectual property and personal information just as larger businesses do.  We need to include them in the network intelligence at low or no cost, to help them help us protect our future.

I think people are starting to pay more attention because the media is paying more attention – and focusing on the subject a bit differently than it had in the past.  Today, it seems that instead of focusing on the dramatic after-effects of poor Internet security, the media seems to be staying on top of the trends and reporting the news in a way that educates and prepares the public.  I’m especially pleased because providing proactive education is really the lifeblood of McAfee. 

Then, I got the call to share some of McAfee’s predictions with ABC 7 News, KGO-TV, San Francisco.  It was great.  The reporter, Dave Louie, did a very good job extracting the key points from the Threat Predictions Report, asking very relevant questions, and developing the story around some predicted mobile threats.  You see, according to our researchers, some of the most destructive threats to consumers will hit them where they practically live and breathe:  on mobile phones and tablets. 

The story included excellent background on the rise of Internet threats and then focused on the latest mobile malware and how some very common user behavior can result in the propagation of big problems.  The new target is the mobile device with near-field communication (NFC) that can now be used as a payment device with a simple swipe.  Mobile malware enables the bad guys to then tap into the bank account being accessed by the device – making it easy to steal money and information via tap-and-pay NFC.

And, this same type of malicious code will soon be used to spread the infection whenever it reaches proximity to another mobile device – being called “bump and infect.” The infection just moves from mobile device to mobile device – especially easy to accomplish in very populated places like malls and concerts.  It’s a vicious and malicious cycle.

The ABC 7 news report focused mainly on mobile worms and tap-and-pay, but touched on the McAfee Labs’ prediction around mobile phone ransomware “kits” that allow criminals without programming skills to extort payments from unprotected users. 

Short interviews and news stories like this one provide very easy-to-digest bits of information to help raise awareness about what users can do to stay protected.  To get more details about mobile threats and what else is on the horizon – like large scale network attacks and hacking as a service – take a look at the 2013 Threat Predictions Report.

Cyber criminals are no dummies.  If it is easier to attack from the inside, why not innocuously get inside first, then launch your attack.  Intrusion prevention systems (IPS) are tuned to look for outright attacks in the network flows coming into the infrastructure.  They do not usually look for attacks originating from the inside.  Delivering a malware file, especially to an IPS that is looking for attacks and not file delivering, is not typically seen as malicious.

Delivering an unknown payload into an infrastructure is actually easier than delivering a known payload.  Why?  Most security products focus on finding things they know to be bad – looking for known patterns of malware is exactly what pattern matching is all about.  Recompiling a malicious payload after some minor adjustments often obscures the pattern, meaning the payload is unknown and passes through the defenses.

It pays to be patient.  Security products typically do not have a long attention span.  Though stateful, firewalls hardly spend more than a second making a determination about a flow before moving on to the next flow.  IPS solutions, traditionally, may spend a little more time on flows they examine, but we are still talking about seconds.  So malware that installs, but patiently waits for minutes, hours or even days will typically evade any stateful behavior monitoring by network security.

Taking these things into consideration, not only are targeted attacks becoming the choice for cyber criminals, but delivering a malicious file that can launch its nefarious activities from the inside the defenses is on the rise.  Malware fits this trend, and in fact, the overall threat trends (see the 2013 Threat Predictions, by McAfee Labs) show that malware is on the rise.  Fortunately, paying attention to the trends, McAfee Network Security Platform is poised to defend against malware in ways no other IPS can.  Stay tuned to find out more.

Hackers tend to spend less time on platforms that have a smaller user base, so they can blanket a larger set of users with their attacks. For years, mobile was a minority platform. In 2012 however, this changed forever. India, in May, became the first country where mobile internet traffic surpassed desktop traffic for the entire country[2]. All signs point to the rest of the world following right behind. The U.S. for example, experienced 50% YoY growth in smartphone users, reaching 172 million. China also experienced 50% growth, but trumped U.S. subscribers at a total base of 270 million. Total world smartphone subscribers: 1.14 billion[3].

Mobile officially stepped out of the minority in 2012. It’s not just Apple behind this growth either- Google’s Android platform has grown at nearly 6x that of the iPhone over the 16 quarters since its launch[4]. Normally, I wouldn’t make a distinction between mobile software platforms – they all help connect the world no matter the OS. Unfortunately, the majority of mobile malware is currently found on the Android platform. With explosive growth, the world needs to prepare for this new platform as a point of entry for attackers seeking valuable information.

Smartphones and tablet computers are going to reshape the way we interact with the internet and our information – it’s easy to see how they have already. Stepping into 2013, it’s time to reimagine not just how we work and consume media, but how we view these devices. Gone are the days when a mobile device was only a phone. Now, to our benefit, we have pervasive connectivity not only to people, but to information as well. It’s important that we realize the impact of this change, and take action to protect our information wherever it resides.

In a business environment, the mobile device can create significant vulnerability. Whether a smartphone, tablet, or off-network laptop – likely these devices were not kept in mind when designing the corporate network. Data can be lost. Devices can get infected. Security policies set in place are often bypassed entirely, opening up new holes to network infrastructure. This does not have to be the reality.

Just as advances in mobile technology have connected the world, security technology continues to evolve to bring these devices into the organization securely. With advanced Web Security, devices can be protected on and off network, access to the cloud can be controlled, data loss to cloud applications averted – all encompassing an evolved set of policies that protect businesses in the new reality of computing. Stay safe in 2013. Learn more about our any-device approach to Web Security here.

If you’ve participated in certification programs you’ll want to make the most of your investment. We’ve just streamlined the certification timetable to start and end with the calendar year. So if you have a certification expiring any time in 2012 we have now extended its expiration date to 31st December 2012. You will have been assigned continuing education, which must be completed by this date. On 1st January 2013, you will be assigned new continuing education, which you must finish by 31st December 2013.

Why wait? Complete all your studies before the holidays – log in to the Partner Learning Center now.

I would also like to take this chance to make you aware of our 2013 McAfee SecurityAlliance Reseller Partner program changes.

As your customers move to Cloud, implement mobility solutions including BYOD, and get Big Data working for them, they need open and integrated security solutions to support them. The opportunity for this kind of security sale is huge – and we, together with Intel, intent to take a leadership position. In 2013 we will therefore focus on and invest in partners that share this security approach. Therefore we are updating including the following requirements in our partner program:

1. New annual bookings performance requirement will be added to the McAfee SecurityAlliance Elite partner level.
2. Reclassification of 10 country sets with new certification requirements for partners operating in these countries.

The new performance requirements come into effect on January 1, 2013. All partners will have until March 1, 2013 to meet them.

Please work with your Channel Account Manager or visit the new Partner Portal to find out further details.

Again, we really want you to get more involved and get the latest information.  Please follow me on Twitter (@davidmsmall) and let me know how we can improve our programs.

Most of all I wanted to wish you a Merry Christmas and Happy New Year!

I look forward to our continued prosperous partnership in 2013.

Think about the way you first began using these technologies – was it really for a business purpose? Probably not. You most likely purchased a smartphone as a personal device, and used Gmail as a home email client. So why would you apply your corporate compliance mentality to these devices and services? For many, when the time comes to bring them into a business environment, it is understandably difficult to make the behavioral switch from the discretion used for personal data protection, over to best practices around corporate data protection.

                Classic example – you need to send a large internal presentation to a coworker, but corporate email has an attachment size cap. Where do you go first? Maybe Dropbox, Box.com, or YouSendIt? Easy, cloud-based options. For those trying to keep data in control, this is a nightmare. A tip for any IT manager – use a web security proxy to scan data flowing in and out of the network. Our Web Gateway even includes data loss prevention (DLP) dictionaries to identify and stop sensitive data from leaving the network via file sharing sites, webmail clients, and many other online services. If you want to stop access to those applications completely, or just partially – application controls can set policies to do just that. 

Now, even with adequate web protection in place on the network, should there really be a difference in your personal discretion towards online information? Not really.  

The truth is, all of your information has value to third parties, whether personal or professional in nature.

Take a look at this video which has gained quite a bit of attention lately, showing just how easy it is to find sensitive, personal information about complete strangers:

Nobody wants to be in that situation. Take this as an opportunity to think about how you approach posting information online, whether in a business environment or not. Opportunities to share sensitive information online are readily available at home and at work – often through the same channels.

Make sure you and your business are well equipped to deal with the new era of web sharing. We can help.

Trends in intrusion prevention: The bulk of the discussion around network security focused on improving threat prevention through deployment of network IDS/IPS solutions. Those attending were attempting to make purchase decisions based on a three year horizon. There was a lot of discussion around both vendor viability and investment in roadmap for these solutions. Making the ‘right long term choice’ was top of mind. As a side note, many users are still using intrusion detection vs. intrusion prevention, e.g. they are not automatically blocking threats using IPS. They aspire to do so however, and tend to work with vendors that have mature solutions that can potentially block threats at realistic network speeds.

Trends in firewalls and next generation firewalls: Many of the companies attending the roundtable have mature security practices and teams. They have started to deploy NGFW’s, but these are still primarily deployed behind traditional firewalls to gain additional visibility vs. inline deployments.
Trends in data protection: BYOD and Data Loss Prevention (DLP) were hot topics throughout the night. The discussions centered around what network-level controls can fit into BYOD and DLP strategies.

Overall network security Trends (consolidation, integration)

Attendees continue to be concerned about long term vendor viability for standalone point solutions. They discussed the need to be forward thinking and adopt flexible solutions that can provide long life. And, they discussed the concept of connecting disparate security silos in order to gain situational awareness of network security posture and pro-active threat prevention. Something that McAfee calls “Security Connected.”

I want to thank those that attended. It is rare that such high powered security executives get to meet for information sharing and open and frank discussions and attendees took advantage of every moment and discussion during the night. In all the discussion of integrating security silos, we need to remember to connect the human elements as well. Security Connected indeed.

If you’re terrified by the concept of multitenancy, consider a report released by Forrester in March, 2012 entitled Understanding Multitenancy. One of its conclusions is that a public cloud multitenant architecture can actually be more secure than the typical in-house IT infrastructure. Why?  IT security is mostly perimeter based, making organizations vulnerable to inside attacks. A properly architected multitenant service secures all assets at all times.

If you’re looking at potential public cloud providers to host your sensitive applications or data, here are some issues to consider.

1. What constitutes a tenant? With an infrastructure provider, a tenant is likely a collection of customer virtual machines (VM’s) sharing the providers’ physical servers with other customers’ virtual machines.  With a software as a service (SaaS) provider, a tenant may actually be sharing a single application instance or database with many other tenants. In one case you’ll want to know how VM’s are kept isolated, in another you’ll probably be more interested in how one tenant is prevented from accessing another tenant’s data.
2. Who are the tenants and who are the providers? The answer can be tricky. The multitenant software as a service provider (SaaS) you’re considering may be running its applications on one or more infrastructure as a service (IaaS) providers’ servers, or you may have multiple layers of SaaS, IaaS, and even Platform as a Service (PaaS) combining to produce a single service. You may have to consider the security implications of each.
3. How much security information does the provider offer?  Does it describe its security architecture on its Web site? If you’re talking with representatives of the service are they willing to discuss security architecture in depth? You’d be surprised at how many cloud services insist on remaining very vague about security.
4. What certifications does the provider have? ISO 27001 and, depending on your organization, HIPAA and PCI certification are reasonable indications that the provider is taking the right security measures to protect its tenants.
5. Sometimes the best security is simply living in a good neighborhood. Who are the provider’s other tenants? Are any of them security sensitive organizations in areas like government, finance, and health care? Does the provider accept anyone or does it have a process for weeding out potentially risky tenants? This is important, because a hacker sharing a server with you inside the perimeter firewall may have an easier path to your sensitive applications and data.
6. What measures does the provider take to isolate tenants? At minimum an IaaS provider should separate tenant traffic using VLAN’s and use hypervisor-based stateful inspection firewalls and intrusion detection or prevention to block potential interVM attacks. In the case of an SaaS provider, strong authentication and authorization are essential and data encryption is important. What measures does the provider take to liquidate data that has been released by a cloud tenant?
7. What security visibility does the cloud provider offer? Do you get security and incident reports at the end of the month? Do you get a portal that shows any security  and attack mitigation information? Does the provider have a policy for contacting the tenant if an attack moves past a certain risk or attack level?

As Forrester points out, the multitenancy in a private cloud is not an insurmountable issue for the enterprise, but it is one that you should research very carefully when choosing a provider.

Register and join me this Wednesday, 6/13 as I examine how virtualization and cloud are shaping the latest networking and security technologies. Learn how and why these solutions embrace a new model of deployment to meet the scalability and flexibility demands of private and public cloud environments, and how next generation network security can help your organization confidently benefit from cloud technology.