Almost every modern business uses email to communicate. Ensuring the security of this communication channel is essential to the longevity of any organization and the productivity of its workers. Recovering from a malware infection and subsequent data breach can be difficult – more and more businesses are legally required to disclose the loss of customer-related data, tarnishing their reputation in the process. Customer records sent unintentionally, or simply unencrypted, can be a violation of strict regulations such as HIPAA, PCI, and a host of others depending on industry or geographic location.

Join our webinar, featuring Rick Holland of Forrester Research on April 24^th at 11:00AM PDT for an informative session that will help you craft an approach to email security that is best for your organization. Learn about the new requirements for email security– and stay ahead of malicious actors and regulations that could seriously damage your business.

Register here.

Across the globe, SMB owners have been securing their networks in a variety of ways.  However, most SMB owners using connected office equipment still do not grasp the severity of deploying unprotected devices, and those that do, struggle to implement secure practice for all devices.

The most overlooked office devices that are not typically connected to broader security strategies include copiers, printers, fax machines and multi-function printers (MFPs). In a recent Xerox-McAfee study, it was revealed that 50 perfect of employees whose workplace has a printer, copier or MFP say they’ve copied, scanned or printed confidential information at work. Where does that data go once the job is completed? Where does it go when a copier or printer is recycled or resold? Sensitive employee and company data can fall into the hands of cybercriminals.

Most employee’s think their computers pose the biggest security threat to their company’s network compared to other IT devices, while only 6 percent say it is MFPs. This small percentage is proof that employees simply do not realize their office MFPs really are networked devices that are vulnerable to hacks just like their PCs. Combine these stats with the fact that the average organizational cost of a data breach is $5.5 million and you have a pretty strong argument for taking this warning seriously.[1]

And, what exactly are the repercussions from such a breach? The severity of such breaches range from financial losses to legal consequences to brand reputation damage. With security threats on the rise, SMBs have a growing desire to secure and manage their connected devices.

McAfee recommends that SMBs take these simple steps to protect themselves from being easy targets for cybercriminals:

• Do Your Research: Take the time to research possible threats to all of your vulnerable devices including printers, computers and mobile devices. Do not trick yourself into thinking that cybercriminals only go after the big companies. Look into security products that can help you protect your growing business
• Find Comprehensive, Scalable, Effective Solutions: These allow you to conduct your business under an umbrella of layered protection—covering all attack routes, adjusting automatically as your business grows and maintaining up-to-the-minute technological currency
• Invest in a Cloud-Based SaaS Security:  A complete security framework contains firewall protection to protect against hackers; email security to protect against phishing and viruses; regulatory compliance libraries and encryption to identify and secure sensitive data; email continuity to ensure always-on email service; and web filtering to protect against spyware, malware and the abuse of web privileges

To read or download the full Xerox-McAfee study, click here http://www.mcafee.com/us/resources/case-studies/cs-xerox.pdf

For more information on SMB security solutions, click here http://www.mcafee.com/us/small-business/smb-security-solutions.aspx

Adding in a recognizable pattern or watermark is one way to protect these high value assets. Embedding a text string in the metadata or unique bit pattern anywhere in the digital file is one relatively easy way to apply such a watermark. McAfee Data Loss Prevention can detect on watermarks applied in this fashion and protect your high value assets.

 Digital watermarks are a more sophisticated application of watermarks that stay with the file through any manipulation (e.g., cropping part of an image). Digital watermarks can be either visible or invisible and are embedded in files (e.g., image, audio, video) in a way that is very difficult to remove. If a copy of the digitally watermarked content is later found, the watermark can be retrieved from the copy and be used to determine the source of the work. This technique has been used to detect the source of illegally copied movies.

 Invisible watermarks are particularly interesting. These digital watermarks are undetectable and persist through copying, format changes and image manipulations. To the naked eye, an image that has an invisible digital watermark will not look any different from the original – but with appropriate software, one can tell the two apart.

 Current DLP solutions cannot detect these invisible watermarks. Perhaps the ability to apply protection based on the recognition of an embedded digital watermark is something that should be made available with next generation DLP solutions. With this in place, if someone attempted to steal a digitally watermarked file – either email out the entire file or breaking it up into smaller pieces to copy on to removable media – the DLP solution would be able to prevent that from happening. I’ll hazard a guess that this would appeal to organizations that have a lot of digital media and high-value assets that need to be protected. Now instead of having to go through litigation when digitally watermarked content is found on a site, the data loss can be completely prevented.

 Before I sign off, I have to promote our new social presence. 

• Twitter: Get regular updates on data loss prevention by following the conversation @McAfeeDLP
• YouTube: Learn how to use McAfee Data Loss Prevention  by subscribing to the McAfeeDLP channel

However, an authorized user can extract this information – and into many different formats. Once extracted, this information is constantly accessed and modified and so it becomes difficult to protect this information from data loss once it leaves the ERP system. How can you create policies for a DLP solution if you do not know what to look for?

It is also very challenging to identify what data in an ERP needs protection.  A lot has to do with the complexity of ERP databases and the fact that sensitive data can typically be spread out across many tables in the database. Making it easy to focus protection on ERP data elements that are sensitive would be appealing to organizations.

Until recently, there were no effective solutions in the market to allow an organization to easily identify sensitive data in ERP systems and track this sensitive data once it has been extracted from the ERP. A lot worse, there was no easy way to prevent this potentially sensitive information to leave the organization.

With a goal of reducing the risk of losing this valuable ERP data, organizations have been looking for ways to correlate what a user is doing inside of the ERP system with what that user is doing outside of the ERP system.

This is one of today’s more pressing DLP challenges – and it is being solved for a leading chemicals company with an innovative solution using McAfee Data Loss Prevention and Saviynt Access Manager.  With this joint solution, an organization can identify sensitive information as it leaves the ERP system, dynamically create DLP policies to protect that information, and analyze user activities to detect high risk behaviors. Organizations will now be able to track ERP data seamlessly from the ERP to the various data loss points in the organization’s network.

We’ve got this solution working at a leading chemicals company. You can get more details about this implementation in our December 7 webcast.

McAfee exposed Operation Shady RAT, a massive case of espionage and wealth transfer. The intellectual property and confidential information of companies and agencies worldwide has been stolen by a single adversary over a 5+ year period. This attack was exposed so honest global communities can be aware of the urgency of cross-sector cyberresiliency. The cyberadversaries are agile and fast and disregard the law. They share information with ease and they execute their will upon companies, markets, and potentially entire economies. We lack the alacrity to defend against this threat without public-private collaboration, which begins with global awareness–the very thing we must promote to protect our way of life. It is unfortunate that Mr. Kaspersky takes issue with providing information to the public.

Would it be alarmist to let a bank know that someone has just walked out with a wad of cash while they weren’t paying attention? It doesn’t matter how sophisticated the attack is if it results in material loss. If a bank robber gets $100 million by walking in the front door with a gun, it’s news–not because the attack is novel, but because of its effectiveness. It’s not the sophistication of the attack that’s important, and this is a clear case where technical arguments are preventing some people from seeing the larger, more important picture.

Speaking of technical arguments, apparently Mr. Kaspersky has gotten it in his head that Shady RAT is a botnet. Really? Unfortunately for Mr. Kaspersky, he is getting botnets and advanced persistent threats confused. In this case, the APT should be really be called an SPT (Successful Persistent Threat). It was only as advanced as it needed to be. The impressive thing here was the breadth of targets, the length of the attack, and the amount of data taken, remembering also that we know only of 72 companies/organizations victimized through one command and control server, out of hundreds or more used by this adversary. Quiet, insidious, market-changing threats like these hide in the noise of botnets, “hacks,” and other high-profile or nuisance events.

We invite critics to join with McAfee and our greater global community and focus on what we can do collectively to keep organizations safe from these types of attacks, prosecute and lower the profit model for the adversaries, and to protect our critical infrastructures and way of life worldwide.

Even before the China centered Operation Aurora attack (a.k.a. Google attacks) in which hackers broke into numerous high-profile organizations in the US to steal highly confidential information, I had been warning customers (and anyone in ear shot quite frankly) of the most effective strategies to protect against the deluge of advanced attacks.  Aurora would be the first to use very sophisticated hacking techniques to target high technology companies with high precision. While the techniques used in Aurora weren’t novel, the targets were, and it highlighted beyond the Defense Industrial Base (DIB) that your weakest link is your people.

Night Dragon was another attack revealed by McAfee in early 2011 that targeted global oil, gas, and petrochemical companies. Again sourced from China and targeting sensitive industry specific intellectual property. The techniques used in Night Dragon were far from sophisticated but its use of SQL injection techniques to gain internal access into sensitive internal systems highlighted the fact that this stuff is all too easy if we don’t take security seriously.

What’s Changed?

Motives, pure and simple. These high profile attacks are performed by well-organized, well-funded groups whose interest lay in financial gain, corporate espionage, state-sponsored intelligence gathering, hacktivism and cyber-terrorism.  However, executing systematic attacks has become very easy even for the novice hacker As we’ve detailed countless times in Hacking Exposed, and other publications and talks, this stuff is easy…Always has been, always will be. The harder part is protecting the assets from these threats because all the attackers need to find is one way in – you and I need to plug the 10,000 ways in.

While attackers have become more coordinated, stealthy and focused in their approach, organizational dynamics have changed making them more susceptible to being attacked. Companies are decentralizing, opening offices around the globe and, most importantly, implementing point security products with little or no integration. Also, the traditional, perimeter-centric approach to security is ineffective today because it is designed to keep bad guys out. With over 50% of breaches coming from within the organization, companies need to rethink security and risk management from the inside out. And what asset is more central to the inside of your organization than the database? Nothing.

Use Detection and Layered Protection

To stop advanced attacks, you need a holistic, coordinated strategy that canvasses data in its three states (in motion, at rest, and in use) and protects from the inside out. Historically organizations would secure the network, or the endpoint, hoping threats would be caught long before they reached the database.  Aurora, Stuxnet and Night Dragon are just a few of the recent hack events that highlight how “best practices” security is not good enough. “Good Enough” equals databases being breached.

Before you can ensure proper database protection here’s a few things you need to consider:

1. Know the data repositories in your environment and the underlying infrastructure that supports them such as operating systems and network devices.
2. Discover every instance of database, operating system and network device within your environment hosting database services and their related technologies.
3. Reconcile those assets to provide a relationship between your databases and associated operating systems.
4. Identify and remedy vulnerabilities, misconfigurations of the network, operating system, application, and databases and their supporting infrastructure. 

Once you’ve identified and filled these gaps, the next step is to design the layers of proactive protection and prevention. To counter contemporary attacks, you need to think like a hacker and implement solutions that are strategically located and are delivered in layers. When contemplating layered security you must design the inner layers on the assumption that the outer layer(s) have or can be breached. The inner layer starts with Database Activity Monitoring (DAM) which acts like a video camera on your database, recording every action and access.  Remember, database attacks come from the network, local users (privileged and otherwise), and even from inside the database, but only McAfee’s Database Activity Monitoring product can catch all three.  DAM uses memory-based sensors to catch all three types of threats in a single solution.
Database security transcends the database. It’s about protecting the complete database system and the information contained therein – from every angle. As evidence of McAfee’s total commitment to database security, we have announced our intent to acquire Sentrigo, a leader in database security solutions.  Sentrigo is currently a McAfee SIA partner and we are now taking the next step in our relationship.  This acquisition is a key part of our overall strategy to deliver the highest level of security for our customers.

You need protection from the inside out because “Good Enough” security is certainly not acceptable to me.

When talking about the best practices for IT security regarding mobile devices, it was a fairly unanimous view that security is not a matter of limiting access to devices but instead creating policies and education measures to empower employees. This was echoed and reinforced by Jaime Barnett at McAfee who recently blogged that in order to improve the current state of mobile security, policy must change. As @Andrewsmhay states, many people still see mobile devices as toys and mobile security should be at the forefront of an organization’s mind.

However, answers were less definitive when the chat opened up questions about the effects on the security perimeter and whether there is still a security perimeter with the advent of mobile devices and connections. With the consumerization of IT, the perimeter no longer concerns only device security but also the security management of cloud, virtualization and the transit of data over the Internet in general. Many agreed that the prevention of downloading non-secure apps is a good practice. As mentioned by @joshcorman, perhaps a security score for apps in stores is an effective way to ensure that only secure apps are downloaded. Chat participants agreed that the question of who would score the apps and how the apps would be scored is still unanswered, but as @joshcorman emphasizes, apps will become a huge part of mobile security and the more brainstorming and thoughtful the analysis, the better.

The conversation then turned to cloud security as @Gacevedo brought up the point that devices do not need to hold corporate data now that networks are fast enough to allow for downloading on-demand from the cloud. Although, as @amorguy states, CISO’s may be more accepting of the tangible mobile device over the intangible consideration of the cloud.

At the end of the chat, many great topics and considerations were raised for those working to secure mobile devices. We can conclude from the conversation that policies will need to change and corporations will need to focus on educating and empowering the end user/owner of the device. However, specific questions remain unanswered. With apps constantly changing, will they ever really be fully secure? Will providing education for employees be too expensive? How should policies be structured moving forward? To quote Jamie from her blog post on mobile security policies, “We can’t fix the problem with technology and education is prohibitively expensive, we should be looking at the policy or how we apply the policy. Start with the user.”

At McAfee, we’re working to make BYOC (Bring Your Own Computer) easier for the IT department to support with our enterprise mobility management (EMM) solutions and through our acquisition of WaveSecure, our partnership with Citrix around VDI and our solutions around NAC, IPS,  DLP, encryption, threat intelligence and centralized management with ePO.

Readers, what are your thoughts on mobile security and what do you think are the biggest issues facing corporations moving forward? Leave a comment below and share your thoughts with us.

Additionally, we’ll be hosting this month’s #SecChat on security threats and cyber espionage tomorrow, Thursday, March 3^rd at 11:00am. With threats like the Night Dragon earlier this month, we wanted to kick off the conversation about the latest security threats and how corporations should protect their sensitive data and intellectual property. We hope you can join us tomorrow and look forward to hearing your thoughts.

Logistics: How do I participate in #SecChat?

• Simply follow the #SecChat hashtag (via search.twitter.com or a Twitter client) and watch the real-time stream.
• At 11am PT @McAfeeBusiness will pose a few questions to participants around securing mobile devices using the #SecChat hashtag to get the conversation rolling.
• Tweet your questions, comments, thoughts using the #SecChat hashtag. @reply other participants and react to their comments via #SecChat. Engage!
• #SecChat should last about an hour.

Questions before tomorrow? Feel free to tweet @McAfeeBusiness using #SecChat for more details. Hope you’ll join us!