How are you using tablet computing devices for work?

An end user survey on personal and business tablet trends

Like smartphones before them, tablet devices are making their way into the enterprise whether IT wants them or not.  They are yet another tool that keeps us connected both personally and professionally.

What’s unique about tablets is that they give us greater computing power on a smaller device that can be just as effective as a desktop or laptop computer. Tablets certainly increase worker productivity, but they can cause headaches for IT departments. In particular, the commingling of our personal and corporate data is not without risk.

Symantec has developed a short survey to get tablet end users’ perspectives on this trend in business computing. We’d like to learn more about how you use your tablet for work and for personal use, and how your employer is managing the growing use of tablets. The quick three-minute survey can be found here.

Passwords are nowhere near useless in era of mobile apps

Recently a friend of mine lost her smartphone. She sent out a message to all her friends in her social network about how she wouldn’t have a phone for a few days. She also did the right thing and went to her mobile carrier and reported it lost, turning the service off. Unfortunately, though, she wasn’t using any smartphone feature to find her phone or remote wipe it. But at least she was able to make sure it had no access to rack up her phone bill.

All good, right?

Unfortunately, her smartphone did not require a passcode to access the apps. Ugh. I asked her about this and she replied back that it was no big deal because she didn’t have any really private information on there, and if so, the phone had no 3G access anymore to send anything off of it. Also her password would be required to sync the data off of it.

A Lifecycle Approach to PCI DSS Compliance

In a previous post, I discussed the so-called “Requirement 0” of PCI DSS 2.0; that is, responsibility for determining and documenting the scope for PCI DSS shifting from the Qualified Security Assessor (QSA) to the entity. Oftentimes this conversation comes up as part of a bigger discussion around the process of becoming and staying compliant while meeting business, financial, IT, and customer demands. Balancing these can be a daunting task.

Symantec Strategy and Advisory Services has developed a program model for PCI DSS compliance to assist with this. Using an ADTO framework – Assess, Design, Transform, and Operate – it breaks the process into four phases. This model is also a lifecycle as it acknowledges the need to feed data and lessons learned back into assessment, allowing for increasing maturity with decreasing cost over time. The model looks like this:

Let’s dive into the ADTO model and discuss how it can assist with PCI DSS compliance.

The Internet – A Blessing or Double-Edged Sword?

The Internet has grown to be one of the most important information and business conduits the world has ever seen.  While it’s brought us amazing, new capabilities over the past 15 years or so, the Internet comes with its downside.  Much like the days when America was stretching itself from the east to the west, the “wild west” was a ripe playground for “bad” people. The same goes for the Internet.

It is a double-edged sword. We have amazing capabilities, but also a perfect landscape for lawlessness. Hackers and cybercriminals have taken note. Today, they leverage the Internet to target specific individuals or groups of individuals at specific companies, get them to react to an email message thereby directing them to an attacker’s site and silently download malware to begin the process of gaining access and stealing data or IP. What’s more, they’re automating their attacks. Sophisticated attackers are leveraging the power of scripting tools and computing power to call together vast numbers of computers to aid in perpetrating automated attacks.

No Matter the Regulation, It Will Fail Without Change in InfoSec Mindset

Recently, the Homeland Security Department unveiled a new system of guidance intended to help make the software behind websites, power grids and other services less susceptible to hacking. The system includes an updated list of the top 25 programming errors that enable today’s most serious hacks. The list, topped by SQL-injection vulnerabilities, is an attempt to address the root-cause issues behind cyberattacks.

However well-intentioned, this new system will likely fall flat just like the several attempts over the years to legislate security through compliance – the last count was at least seven bills in Congress that would attempt to do so, several of which were re-attempts on previous legislation. There have also been attempts at requiring certification and licensing of information security professionals, which have also not succeeded to date. DoD 8570 is the closest thing we have for mandatory certification.

iOS Devices: Your CEO wants one, IT wants the data on it secure

IT is constantly adapting to new realities spurred by the types of technologies that people are using and bringing into the enterprise environment. One of the most disruptive technologies of late has been iOS devices. These devices are massively popular, and for good reason. Whether you’re a vice president keeping up on the latest sales reports mid-flight via your iPad or a physician accessing medical reports while meeting with your patient, iOS devices can improve productivity.

Platforms such as iOS have been designed from the ground up to be more secure—they raise the bar by leveraging techniques such as application isolation, provenance, device encryption, and permission-based access control. However, these devices were designed for consumers and, as such, security has been traded off for usability to varying degrees. It’s this usability that makes them so popular among consumers.

Puddles

(Cross-posted from Symantec Connect)

I believe that we have reached a saturation point.  You know how, after heavy rain, the ground can’t absorb any more water and it begins to pool on the ground? We’ve reached that point with security incidents.

The bad guys just can’t pump out new malware any faster. Check out the Norton Cybercrime Index.  The trends for 2011 are pretty much flat. The explosive growth in malware we’ve seen in the previous 10 years is just not sustainable. Maybe new hacker tools will come along, new propagation methods, or more platforms, or more people to infect.  But for now, things are beginning to stagnate.

This is not to say the problem is going away. There were 286M new malware variants in 2010. 286 million! But even that mind-blowing number reflects a slowdown. It’s more than the year before, but not the 100% increase we’ve reported in previous years. It’s not like the growth we used to see.

Protecting Corporate Data Starts at Home

A news article in the New York Post provides a cautionary tale of one of the many reasons properly securing home wireless networks is more than just a good idea. While the story is interesting and makes for good press, it merely scratches the surface of why companies and individuals need to pay a lot more attention to the security of home wireless networks.

While unauthorized use of an individual’s Wi-Fi network to commit serious crimes can put innocent people in the crosshairs of criminal investigations, the implications for the protection of corporate data are significant as well. If an attacker gains access to a person’s wireless network, corporate systems (i.e., corporate-owned laptops and/or desktops) connected to that network can be easy points of compromise and data loss.

And the Dish Ran Away with the Spoon!

Internet connectivity is turning up in every product we see: phones, video game systems, video cameras, televisions, coffee machines, home lighting, vehicle alarms and soon refrigerators, ovens, and heck, maybe toilets.

What a great world it will be when my refrigerator sends me a text message or posts to my favourite social network that I need to buy milk and salami. It will be even better when I can log into my oven and tell it to turn on and cook a pot roast at 350 degrees for 4 hours so I come home to a great slow cooked meal, or when my oven contacts the fire department when it lights my house on fire. I’m sure over time this great technology will be adopted by supermarkets to manage their nationwide chains remotely to ensure proper temperatures are maintained in their coolers and freezers.

The Evolution of IT as It Moves to the Cloud

(Cross-posted from Symantec Connect)

Technologies such as virtualization and cloud computing offer the potential to reduce costs and improve operational efficiency – benefits organizations can’t afford to ignore. The shift to a cloud-based IT infrastructure is a goal for many, with 75 percent of enterprises at least discussing the implementation of these technologies. Whether you are just beginning to implement virtualization and private cloud computing or are already in the process, here are a few recommendations to give you the smoothest transition possible, based on the results of our 2011 Virtualization and Evolution to the Cloud Survey.
