Mobile and Network Data Security
Threats and strategies evolving with technology
As data security threats evolve with the expanded use of technology, Alaska businesses are incorporating new strategies and solutions to protect their information—whether it’s on a computer network or mobile device.
Data security is a broad issue that involves the actions companies and individuals take to prevent corruption, loss, and unauthorized access of their information assets. These assets could include the personal information of customers, employees, and business partners, as well as strategic corporate initiatives or proprietary information like health records and financial information. “Protecting the confidentiality, integrity, availability, and authenticity of information assets is critical,” says Anand Vadapalli, president and CEO of Alaska Communications.
However, data security isn’t a single action or single undertaking, according to AT&T Sales Director-Security Solutions Terry Hect. Data security is the holistic effort that is utilized to provide an acceptable level of assurance that information or systems remain confidential and unchanged. To adequately protect data, businesses must ensure their information remains private and unaltered. “If bad actors have an objective to impact the operations of an organization, they can steal, expose, change, or destroy your data,” Hect explains. “Lost data is a risk, but I wouldn’t classify it as a ‘security issue’ unless the data is ‘found’ and used/stolen.”
Latest Threats to Security
One of the biggest threats to any business or organization is a “distributed denial of service” attack, Hect says. This attack uses multiple endpoints to bombard the business with so much traffic that it overwhelms the capacity of service, system, or computer network, rendering the network useless. “These attacks can be politically, socially, or criminally motivated,” he says. “The primary way to stop the attack is to move the mitigation to the network provider or other security solution that can redirect and scrub the traffic before it impacts the local asset.”
Mobile security threats are exploding, partly due to the use of open source applications that allow malicious malware to be easily distributed. The impact of threats through mobile devices is just beginning, and it will increase as businesses continue to mobilize their workforce. However, there’s no simple solution to the problem. “We have MDM [mobile device management] tools combined with security features/functions that help, but unfortunately there isn’t a one-size-fits-and-fixes-all solution yet,” he says.
As the threats to mobile and network security increase, the industry is devising new terms to represent changes in the security landscape. Now everyone is buzzing about advanced persistent threats, or APTs, a situation where a threat “actor” employs multiple techniques to gain access to privileged systems. Threat actors use a significant amount of effort to hide themselves on as many different systems as possible, which allows them to remain embedded in the network—even if discovered. “With new software and services come new attack techniques, but, for the most part, hackers try to reuse techniques that work for similar software,” Hect says.
Threats Continue to Evolve
Today’s data security threats look very different than they did five years ago, or even last year, Vadapalli says. Traditional security threats were broadly targeted and less sophisticated. Now, threats are directed more toward individuals and businesses. Attacks can include virus-infested emails designed to look like normal, legitimate emails that employees or organizations see regularly. Attackers may infiltrate businesses and not access any data for a long time or extract data a little at a time for an extended time period. They carry out a carefully crafted game plan to avoid detection, which is typical of APTs.
The reality of these threats makes it important to keep software patches current, utilize the principle of least privilege, harden systems, and proactively monitor the baseline for changes. This is important as new software vulnerabilities are identified for possible exploitation. “Vendors usually protect their products by releasing updates to cover these vulnerabilities,” Vadapalli says. “Homegrown or internally-developed systems and integration programs can be hardened by applying principles of ‘secure coding’ to limit hackers ability to insert malicious codes.”
It’s also critical for Alaska business owners to provide employees with the skills and training to identify information security risks. This can include training on spotting fraudulent emails, malicious websites, and suspicious activity, as well as knowing when to escalate these incidents to their IT experts.
Michael Wheeler, the owner of Alaska Computer Support LLC, is seeing a variety of data security threats targeting Alaska businesses. Malware is a common entry point, with the threats coming in two forms: targeted and exploit finding. With targeted malware, the crook knows what information the business has and launches an attack to get it. Exploit finding malware involves scanning systems with known vulnerabilities for nefarious reasons.
Although security attacks have evolved over the years, the perpetrators are using the same processes, Wheeler says. Only now they’re updating their approach to take advantage of shortcomings in the new hardware and software that businesses are using. As cheaper equipment is being created to meet the small- and medium-size business market, more bugs and issues are being found. And vendors are publishing known exploits with hot fixes and updates, which doesn’t necessarily help. “This makes the job of the hacker easier,” Wheeler says. “A major issue is that hot fixes and updates are never applied.”
Addressing Security Issues
Hackers and cyber criminals can use stolen and unauthorized data in many ways. The type of attack and its purpose typically determine if the data is used for financial or political gain, fraud, or hacktivism (a form of online civil disobedience with the intent of wide-scale Internet disruption or economic collapse), Vadapalli says.
When it comes to data security, hackers and cyber criminals tend not to discriminate, so businesses of all sizes and industries are susceptible to threats. Security breaches don’t take much time or bandwidth to be effective, and any compromised computer system can have value to criminal, Vadapalli says. “All businesses should be proactive in mitigating their information security risk,” he says. “Smaller companies are usually suppliers to larger companies, and if smaller companies are not secure, they provide a conduit to compromise larger businesses—which, ultimately, is damaging to the business interests of both large and small businesses.”
Wheeler agrees. Data security is something that every business needs to carefully consider. “Even if all you use is a smart phone, it is important to secure it with at least a four-digit pin,” he says. “Identity theft is a huge problem, and it just takes a few pieces of information to cause some painful problems for any person.”
In addition, many mobile devices contain saved passwords that could give a hacker direct access to a company’s work environment.
Some of the current methods Wheeler has been using to help Alaska businesses address security issues are cloud base filtering and endpoint monitoring, forced password policies, and remote control of mobile device for remote data wipe. Additionally, his firm has been deploying smarter onsite network firewalls, as well as desktop protection monitoring tools that not only protect the networks but also lower overall monthly IT support costs.
Businesses have many points of concern when it comes to data security, but the same basic rules apply for mobile devices as for office networks, according to Wheeler. “There are layers of protection that ensure systems stay risk-free,” he says. “But at the end of the day, it comes down to physical security management and strong policies that cover items like passwords or lost device reporting.”
Service Providers Offer Solutions
A security breach can be very costly, but a proactive approach is key to long term success, Wheeler says. Therefore, Alaska Computer Support uses a comprehensive strategy to address policies, solutions, audits, and management with its customers. “We take all aspects into consideration to ensure a broad scope of protections while working with our clients’ budget,” he says. “Security doesn’t have to be expensive, but it does require an on-going investment.”
Security has always been about layering technology, Hect says. There’s no magic solution that will protect systems/data absolutely, so businesses need to employ multiple tools and techniques to safeguard their data. Cloud, virtualization, sandboxing, threat analytics/intelligence, application security controls, penetration testing, policies, and procedures are all aspects of a modern security deployment. “It is no longer acceptable to deploy control/visibility [firewalls and intrusion detection/prevention] tools to your gateway and declare yourself ‘protected,’” he says. “You must have plans for how the data you deliver to cloud assets will be protected.”
Hect feels the most important security tool any business can employ is a well-managed network. That’s why AT&T—which has been in the security business for more than fifteen years, offers Secure Network Gateways. These tools allow customers to move their point of presence into the AT&T infrastructure to ensure their data is secure before it is allowed in their infrastructure. AT&T also maintains partnerships with cloud providers to allow customers to extend their private network to cloud providers, enabling them to avoid traversing the Internet to reach Amazon, Microsoft, and other parties to utilize cloud assets. In addition, AT&T uses its network sensors to help clients detect and halt distributed denial of service attacks as they are happening, often mitigating the attack before the customer even knows it occurred.
Alaska Communications offers managed security to small, medium, and enterprise level businesses. Solutions include unified threat management, intrusion and data loss prevention, application control, and anti-spam measures. The company partners with industry leaders such as Watchguard and Checkpoint to provide global cyber security expertise at a local level.
“We listen to customers to understand their needs, and then help design, build, and manage custom security solutions,” Vadapalli says. “We deploy equipment at the customer’s location and remotely manage adherence to client security policies and maintain the equipment and software.”
Freelancer Tracy Barbour is a former Alaskan.
This article first appeared in the November 2015 print edition of Alaska Business Monthly.