Technology Watch Report Series
Creative Strategies Ventures Corporation
Rancho Carmel Drive
San Diego, CA 92150
Watch Report – Security Series
Report No. 2014-6a-Security
Author - Edward Poshkus, Principal Industry Analyst
Contributors to the report:
Jeri Trippe, Senior Industry Analyst/EVP
Stan Terepka, Industry
San Diego, CA Los
Tel. 858-675-1425 / Tel. 408-348-6143
E-mail – Sales@creativestrategiesvc.com
Subject – Security Report Series:
Topic – Security & Privacy Challenges – Mobility &
BYOD Impacts – Plus Healthcare Sector Impacts
The massive yearly growth in smart devices – smart phones, tablets, laptops, ultrabooks, e-readers, portable music devices with internet access, wearable computers, smart watches, smart glasses – plus the attendant explosion of seemingly unlimited information access points for both consumers and businesses has created, and continues to expand, the points of vulnerability for data breaches impacting all sectors of life. Mobile computing is now used in about 90-95% of organizations.
We – public and private organizations and consumers – must consider and address security and privacy challenges. The need to secure information during the current decade has migrated from the typical data silos in business and in the public sector (local, county, state, and federal) to the user of any mobile device, given the availability of connectivity at any time, any place, and in any form factor (think voice, video, data and the
Issues of both (1) Security – Access and Information Protection and (2) Privacy – Personal Information Protection on all devices are of concern, or should be, for everyone in both business and personal environments. The availability of data and information via mobile devices is exacerbated by the BYOD evolution (personal plus organizational use) virtually all around the planet. Information borders no longer exist for us or for those seeking to abscond with it.
services create further potential security and privacy “leakage” concerns.
Storage of credit card information and key personnel data on smart phones is an example of potential risk, including identity theft, since most do not encrypt the data either at rest or in transit. Cloud storage of private information is another issue, for its security can be very weak. The massive number of data breaches in the past several years in nearly all business segments, including healthcare, is indicative of increasing vulnerability.
Just think: in 2013 there were about 1 billion smart phones shipped, just under 200 million tablets, and about 300+ million PCs of various form factors. The installed base is massive and expanding monthly. Security utilization has not kept pace in any environment. Of course there are some exceptions, but these should be the rule and not the exception. How many use encryption for information at rest or in transit? Do you? Do your associates? Do businesses? Do your friends? Not many do, for in most data breaches the information was not encrypted.
How many have difficult passwords versus a 4-digit/character code to activate a smart phone or computing device? Do many use the facial recognition that has been available on netbooks for years and is now on smart phones? Drawn patterns or pictographs can also be used easily, as long as one remembers the sequence.
A typical user, according to various pundits, may have 3 to 5 mobile devices actively in use. A smart phone, tablet, notebook, smart watch and e-reader is a typical set for each of our staff. Others may have many more. Can we protect all of them? Can we meet the ever expanding compliance needs? Are the Wi-Fi hot spots we can create secure? The scope increases because some devices are user owned but also carry corporate data (BYOD).
Devices a Typical User May Utilize and Own
The current environment offers a significant and profitable business opportunity at multiple levels. The needs are not just software but also personnel who understand the issues and the investment involved to reach acceptable risk levels. A key concern is defining the acceptable risk level in each sector and information class. Corporate intellectual property (hard and soft), PII (personal identification information) and PHI (protected health information) are associated with differing levels, and the levels differ by perspective as well.
Healthcare is an interesting segment and offers opportunity for products defined or adapted to its special needs. Fulfilling compliance requirements in healthcare is a key aspect for mobile technologies. Healthcare is moving to Electronic Health Records (EHR) and must contend with HIPAA compliance issues. Sharing medical records with other healthcare providers exacerbates the challenges as the sector moves to Stage 2 of the Meaningful Use EHR incentive program.
We will discuss the Health Care sector specifically in a later section
of this report.
The global workforce is increasingly becoming mobile. Some estimate close to or a bit above 1 billion mobile workers worldwide. To that one can add the billions of other mobile users – sophisticated or not – with feature phones, smart phones, tablets, laptops, portable music devices with internet connectivity and other computing devices. Social media, virtual offices, web conferencing and video telephony all add to the connectivity explosion that continues and adds vulnerability points for commercial and personal loss. Global needs must be considered in any product planning to leverage investment.
The levels of protection, as a function of the risk levels, cost of loss, plus regulatory and compliance issues, are a key consideration in selecting what is needed to achieve the security and privacy protection goals. Complete security may not be possible, but there are practices that can reduce the risks significantly, both in transit and at rest.
The more connectivity we have the more we want, but the potential vulnerabilities of this anywhere, anytime, any device access are frequently ignored. The explosion of mobile devices generates increased security vulnerabilities such as network intrusion, DLP, device loss, and personal and business data loss. The type and availability of mobile devices continues to expand dramatically with no slowing
User Connectivity is Location/Sector
Given the explosion of BYOD, the potential points of attack are virtually anywhere and can occur anytime. Although business and personal information can be siloed on a BYOD unit, this is not always possible. Despite the pervasiveness of mobile devices, many in business, biz-com (business-consumer), consumer and public sector environments unfortunately do not have, do not consider, or do not rigidly enforce policies to protect the information flows and minimize data loss potential.
significant potential profit opportunities for vendors as more major data
breaches and losses are publicized plus the evolution of BYOD in business
requiring security solutions.
The typical Mobile User Environment – essentially information access – voice, video, data and the ubiquitous texting – from any device, anywhere (without the traditional work boundaries) and anytime – is illustrated above to indicate potential attack points. Specific connectivity points are not indicated, but access includes all wired and wireless technologies and the more mundane, such as portable hard drives and the ubiquitous thumb drives. Not all users have all devices, but it is necessary to view the general scale when assessing dangers and, of course, commercial opportunities for security products. This is a bi-directional “borderless” flow of information 24/7.
In devising the necessary precautions to meet our goals, the user environment must be considered global, given the reach and ease of use of all communications technologies, be it voice, video, or data. Information storage (cloud vs. on premise) can add complexity as well.
NOTE – In our previous security series reports we have addressed potential security issues such as Cloud; Virtualization; Compliance (GLBA, HIPAA, PCI and so forth); Blended Threats; DLP; Encryption; Thumb Drives; and Policy with the explosion of mobile devices. We may touch upon some of these facets here as we address the increasing global threat profiles, for they are all facets of mobile security.
Privacy is a key concern for private information flows. Stored data are being compromised in many areas (financial and personal healthcare are examples), despite some search executives saying there is no such thing as privacy and none should ever be expected. Despite their opinions, there are questions beyond generating revenue from collected data for marketing purposes. Privacy expectations do exist, and some are mandated by law, as in HIPAA.
The lack of universal encryption when data is at rest or in transit is addressed by a relatively small number of organizations. Self-encrypting hard drives are superb, but vast amounts of aggregated information are stored in the clear. What happens when that is shared with third parties? Do they have the same level of concern as the individual or company that may be compromised? Secure storage and encryption technology is a significant revenue opportunity across all sectors – private and public.
Are there any vestiges of privacy left when (1) location based services track user movements, (2) browser use is tracked and many companies battle any “do not track” efforts, (3) strict privacy controls by various providers essentially do not exist, and (4) there is little oversight for privacy protection? Should there be privacy when a user indicates “do not track” by adding DNT software to the browser? Should a consumer’s web search for specific healthcare information be harvested, or should it be protected? An interesting development could be an option to “hide” the specific health search. Possibly searching through a site such as DuckDuckGo.com that does not track is sufficient. Should that user’s stated wish be ignored, as it is by many data collection firms, or should the user at least be asked to “opt in”? What happens when an employee’s data searches are harvested from their BYOD? What happens with losses of private information from data breaches?
Does any user know or have access to their private information stored by the search engine firms? Do they have knowledge of or any access to the information harvested, stored and sold by the information aggregators who sell to anyone? Should this be tolerable with personal health information? Many other questions can be added; feel free to do so. Each question though could be an opportunity for inventive
In this environment, both the privacy and security levels desired must be a decision by the company and the users whenever and wherever possible. They do tend to be interlocked in planning but can be addressed separately. We are merely pointing out elements that can be identified, and some solutions are discussed. They are not all inclusive or exclusive but are talking points for implementation and potential
1. – Connectivity Environment
For the purpose of this paper we consider both fixed and mobile connected devices, since vulnerabilities exist within both environments. The focus is primarily the mobile device aspect, given the growing points of vulnerability, and exposure now has few of the closed boundaries we experienced with earlier LAN connectivity for PCs. The emergence of laptops, netbooks, ultrabooks, feature phones, smart phones and tablets – and any device that can connect to the web – has made them the primary connectivity gateway for an ever increasing information flow. We now have to think in terms of petabits (or more) of total information flow in aggregate to and from billions of devices. Virtually every contact can have potential vulnerability issues that need to be addressed nearly on a device by device basis.
For example, we now have more phones of all types in the world than the total population. Mobile phone devices represent about 75% of the total. Mobility demand has been and continues to be driven by the explosive growth of smart phones, e.g., Apple’s iPhone family and smart phones from Samsung and other global vendors based upon the dominant Android system. Bluetooth connectivity may add another vulnerability point.
of smart phones continues to increase dramatically, and we continue to be dazzled by the array of mobile devices – tablets, ultrabooks, netbooks, laptops, texting devices, readers and so forth – that we encounter at a variety of shows each year, such as CES, CTIA, VoIP, Networld Interop and many others. As the installed mobile base increases, the threat horizon does as well. Although smart phones may represent over 80% of current handset sales, not to be forgotten is the significant installed base of feature phones with internet access. Feature phones allow web access from the handset and text messaging capability but do not have the inherent power of the smart phone. IP voice communication via Skype et al. is another opening for the malicious. Social media access is another potential vulnerability point. Think about electronic wallets and the potential loss of personal financial data.
phenomenon (iPAD® family and a host of Android based tablets and other OSs) adds another vector to the mobile device population explosion. Sales forecasts for tablets of all types are now approaching 200+ million per year. Laptop and desktop computer sales are in the area of 300+ million units (and up-ticking recently), with the majority being mobile units. Ultrabooks and netbooks provide a light weight portable computing option that complements the laptop population and has core computing capability for business that the tablets do not have. Laptops and tablets are complementary in many business cases.
E-readers, such as the Kindle® and others, yield another mobile and web connection venue for all users – consumer and corporate. One subtle security danger point is thumb drive connectivity and pocket hard drives of several terabytes capacity or more, given the ease of misplacing the devices (we are guilty here, for we have misplaced thumb drives) and the utter lack of encryption use by the vast majority of users. Other aspects in this mobility environment include music players such as the iPOD® flavors and all their competitors, given the web connectivity, sharing, and synchronization between devices.
functionality of smart phones and tablets, and the blurring of capabilities with computers, have exploded the day to day reach of our un-tethered end point environments. Further, social networking applications create security headaches for the CIO both within the corporate campus and externally, especially when more and more connect from public hotspots or with BYOD devices at home that are then brought into the business. The avenues for data flow/migration/sharing, plus potential critical information breaches, keep increasing daily. An example is the prevalence of social networking in personal and business environs.
The shrinking sizes of the devices plus the dramatic capability increases are superb for the user. We see an amazing array of electronic devices, computers, smart handheld devices, telephones and transportable storage units. Connectivity possibilities from wireless (3G, 4G, LTE etc. and now discussion of 5G), high speed power line and evolving wireless options, including personal “hot spot” creation, extend information flow through the enterprise, SMB, SOHO, IP and home (now nearly a digital home). We carry mobile devices even into our vehicles (think of Bluetooth enabled GPS devices that enable telephone calls) – all marvelous enablers in our information focused society and business environments. Use of Bluetooth in the vehicle creates another security point. This functionality does create problems for corporate IT departments as well as private users. How can we ensure the security of information and the integrity of corporate data for the mobile endpoints and users? Is it possible given the flood of social networking messages? What are the safety implications of texting while driving, or walking into traffic with limited awareness of the surroundings? Here the use of Bluetooth or Wi-Fi connectivity exacerbates the loss potential. The connected home is not yet a high visibility
Most enterprises and many SMBs utilize wireless networks and provide their staffs with wireless devices of one type or another (vanilla cell phone, feature phone, smart phone, smart device, tablet, ultrabook, netbook, or laptop). There are several billion cell phones of all flavors in use in the world today (along with multiple OS versions), and the actual number is probably much higher than estimated given the explosive growth in China. The demand for sophisticated mobile units seems to expand geometrically. Growth is projected at 50-100% per year depending upon which pundit is contacted and which geographic area is studied. The actual growth is probably close to 100% per annum and only mildly curtailed by current economic conditions and bandwidth capacity. This reflects the ever increasing information flow for business and personal consumption, including social networking and meaningless tweets (billions of messages of all types per day).
are now spread over multiple locations, wired and wireless connectivity, operating systems, and a vast universe of ever changing devices and added operating systems. Security issues are increasing in complexity, as is the sophistication required to preserve the integrity of information transfers, be they business, government, social or personal. This does create an immense opportunity for security software and hardware providers. We further need to consider the expanding utilization of Unified Communications in our security
The PC environment is relatively consistent, with OS upgrades from the vendors. The eReader segment has been dominated by the Amazon offerings, but now there are a host of competitive devices. However, in the smart phone universe, operating systems now include primarily Android and iOS®, each with its own set of strengths and weaknesses. One concern is the inconsistency of Android OS versions across similar devices, which can complicate the security management problem. There are over 1 billion installed using the
The tablet sector is undergoing a transition as well, as more competitors select the Android operating system to compete with the iPAD universe. Apple currently is the primary OS force, followed by Android based tablets, which are eroding the Apple position.
In essence, given the explosion of mobile and computing devices, bandwidth availability is a crucial facet in meeting the demand for voice, video (streaming at a minimum), and data, and that demand fosters the evolution from 3G to 4G and LTE wireless networks to satisfy the volume requirement. It is not only the wireless bandwidth but backhaul limitations that are crucial to network expansion. The increasing messaging, file sharing, video, and so forth strain today’s bandwidth availability and will continue to do so. Look at the data consumption impacts on the AT&T and Verizon networks by just the iPhone® users. Usage restrictions have been applied as a result of “pipe” limitations and the throughput limitation of the routing infrastructure.
The topic of “Net neutrality” has high visibility in the press and in Washington at times. The move proposed by the FCC to segment the bandwidth for sale to high volume content providers is viewed by many as a political way to destroy the internet as we know it today and move away from the egalitarian design that has functioned well since inception. We can discuss the subject in private, and we will cover the subject in a future report.
The global wireless network continues to respond to demand for high speed bandwidth and added spectrum to facilitate connecting anyplace and anytime with essentially any device – either business provided or user (BYOD) supplied – and the consumer environment. The plethora of information access points is now anywhere in the world and creates paths for breaches of personal and corporate critical information and intellectual property from hundreds of millions of devices and the transfer of petabytes of data annually, with no end in sight to the volumes. The move to femto and small cells to meet the demand is an example. Qualcomm indicates a 1000x increase in network capacity may be possible with small cells. (This will be discussed in another issue.)
The security focus and complexity continue to shift, as a given end point may be anywhere in the world, driven by the sophistication and ubiquity of mobile devices and the massive population (billions) of transportable information devices. As such, there are no longer any clearly defined boundaries for the management of security issues. BYOD blends corporate usage/information with private user information, creating policy concerns at all levels, and policy is the laggard in this evolution even as the capabilities of the devices explode. Attacks can come from any direction, be they malware, spyware, phishing, spear attacks, drive-by attacks, hacking, simple device loss/theft, or other modes. In our opinion not enough attention has been paid by the device providers or by the consumers/users of the devices. Simple passwords of 4 characters are inadequate but are a minimal start. The ability to remotely “wipe” a lost or stolen device is a strong point in protecting against lost devices and (albeit not universally applied or enforced) provides a modicum of protection. The threats are not merely in the devices; data can be attacked as well through the recently publicized vulnerabilities of some consumer “cloud storage” offerings such as Dropbox and others.
Yet, this ability to be untethered and to connect anywhere and anytime generates ever increasing opportunities as well as security issues and threats beyond the potential loss of a device. The smart phone can and does hold much of our personal and business data in a small device and provides data connectivity with web browsing capability. Both consumers and business users are faced with an ever expanding horizon of potential attacks and information loss at the desk, home, coffee shop and virtually any environment. We are setting aside any potential dangers of location based information flow. Our focus is the connectivity aspects – smart devices, wireline, wireless, and transportable information systems (flash drives or discs). Unfortunately, most of the information flow remains “in the open”, for few users and corporations utilize encrypted communications, Blackberry in the past being the exception.
Our surveys in the Home, SOHO (Small Office Home Office), SMB (Small Medium Business) and Enterprise environments monitor the awareness and impacts of emerging concepts and technologies upon information security and upon potential and real malicious attacks. We include the home environment and tele-workers, since their information typically flows through poorly (if at all) secured wireless networks within the home. A further extension is Wi-Fi connectivity (or femto cells) for the network. (We will do an in-depth study in the future.)
The advent of Wi-Fi and WiMax enabled devices/phones further adds to the potential risk of breaches in the information flow. Recall how often one sees a user studiously tapping away on a smart phone for email or social connectivity/messaging – both sending and receiving – in a coffee shop alongside those using a wireless connection. Are those connections secured? They probably are not, to the consternation of the corporate CIO and senior IT management. Most users seem to ignore the possibility of a breach/loss. Far too many fail either to enable basic security programs and firewalls or to keep them updated, given the massive increase in threats each month.
We will discuss the perceptions and technological needs based upon our user and industry discussions. We do not intend to enter into an extensive technology discourse, for the merits and ultimate success in the marketplace is a function of satisfying the user perceptions and
The focal points are – Connectivity and Security Risks – Wireless (all flavors including Bluetooth), Wireline, Powerline, Physical networks, Spyware, Malware, Phishing, Spear Phishing, Rootkits, Theft/Loss, Drive-by attacks, and vulnerability from external data storage offerings.
1A. Threat Issues – Are they
The “Verizon 2014 Data Breach Investigations Report” results yielded some astonishing numbers from 50 contributing organizations. In the 2013 data base, there were 1,367 confirmed data breaches and 63,437 security incidents. The report was global in nature, representing 95 countries. (These are only the reported incidents.)
Figure – Breach categories: privilege misuse; theft and loss
The breaches can result from many factors, either internal or external. Much has been written about hackers and hacking for high value theft and resale, and that will not be addressed here. Device loss or theft is another element, as are mistakes disclosing information: digital records misplaced by insiders or outsiders working for the business (discs left in a car during unauthorized transit), weak vendor security practices (a retailer breach example), and the list can go on.
More businesses are increasing their visibility levels in the face of the breach notification laws in at least 46 states. Not all notifications are timely, e.g., a major retailer. A major telecom had a data breach via one of its vendors but waited over a month to notify customers. At the opposite end of the spectrum is PF Chang’s China Bistro notifying customers within days of discovering the loss. In the public sector, there were 47,479 incidents with 175 confirmed losses.
Adding to the difficulty in securing and protecting PII (personal identifying information) is a major failure by those collecting, requiring or using the PII, with a cavalier attitude (in the past) toward protecting passwords, emails, financial account information, credit/debit card information, and in many cases social security numbers. Protected Health Information (PHI) is another matter. In the Verizon report data base, healthcare had 26 incidents with 7 confirmed data losses.
Several examples of data breaches in healthcare are:
a. A northern California hospital where an unencrypted USB drive with PHI of 34,000 patients was stolen from an unlocked employee locker. This was a preventable occurrence with proper training and
b. A massive data breach at UPMC health system was caused by a hacker and exposed all 62,000 employees’ PII, including SS numbers, bank account information, and other private data. This did not expose patient information but highlights the need for broad based security procedures beyond HIPAA needs.
An interesting side note is that thieves can sell a stolen credit card for a dollar or two on the street. PII can be sold for about $10, while PHI could reach $50 for each record. This is indicative of the value of customer/client records and the importance of considering their vulnerability.
Yes, the threats are real and are occurring continually. One pundit noted that about 90% of healthcare organizations had at least one data breach in the past 2 years, but did not indicate the type of breach (PII or PHI) or its severity. Any methodology, new, current or emerging, in our mobility universe is a strong market opportunity at multiple levels and across a broad spectrum of sectors.
2. “Connectivity and
If we so desire, we can be connected 24/7 with very few location exceptions. Cellular, Wi-Fi, Wi-Max, Wireline, 802.11 b/g/n, femto cells and Powerline are all available for connecting nearly all our devices, including HDTV in a high speed (802.11n) home network or smart home. The vulnerability accrues from an ever increasing number of entry points. Consumers, and public and private employees, all need to increase awareness and practices to minimize loss risks.
We can synchronize our smart phone, tablet, netbook, laptop and desktop and spread that information across all devices, any networks we use, and marginally secure cloud storage. This creates an interesting possibility of spreading malware infections if one is not careful. Social networking can further exacerbate entry points and malware spread, given a mix of personal and corporate mobile devices. End points must be the focus in identifying and addressing the general risks, in order to create and implement an effective security policy from the business or consumer perspective. It is a question of scale and of education at the end point connection.
The following table delineates the end point policy concerns to consider in formulating a policy. Not all are applicable to each situation (consumer), but the list can be used as an educational list both for a business and for any BYOD application.
End Point Policy Concerns – Issues – BYOD; Storage – Corporate and Personal
Brief questions are illustrated below for each aspect in creating a policy – primarily a business policy with a BYOD policy (over 90% allow or will allow BYOD). The listing and questions are not all inclusive but are an indication of considerations.
Applications – What applications should be used, what should be avoided, what download points are safe, are they scanned for malware
Agreements – What are the understandings with employees who have corporate data on their device(s)? Is there a formal (written) policy?
Compliance – This is a function of the industry, such as healthcare – think HIPAA. HIPAA requires native encryption on EACH device for data that falls under it. There is an alphabet soup of other compliance
Privacy Issues for BYOD – How is corporate and personal data separated/segregated? What is collected from the devices? What is
Service provision – Is there a VPN? How is business email treated? Is there software provided? Automatic updates?
Security requirements – Are the requirements understood? Secure passwords, user authentication, remote wiping, restrictions, security/malware software, and encryption requirements? External drives and so
Cloud storage – Corporate approved or acceptable cloud
Social networking – Again, personal versus private, and how to separate them on BYOD devices.
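One way to turn a checklist like the one above into something an administrator can run is to model each concern as a rule and evaluate a device inventory against it. The script below is an added example, not code from the report or from any MDM product; the policy thresholds, the cloud service and app source names, the report date and the three device records are all constructed assumptions chosen so that each rule fires at least once. The checks cover encryption at rest, passcode length, remote wipe enrolment, patch currency (the "automatic updates" question), VPN for business email, approved cloud storage, approved application sources, and corporate/personal data separation on BYOD units.

```python
"""Endpoint policy check for a (constructed) mixed corporate/BYOD fleet.

Added example, not from the report. The policy thresholds, service names and
device records below are assumptions chosen to exercise each checklist item.
"""
from dataclasses import dataclass, field
from datetime import date

# Policy values are assumptions; an organisation would set its own.
POLICY = {
    "min_passcode_length": 6,                   # a 4-digit PIN fails this rule
    "max_patch_age_days": 30,                   # "automatic updates?" expectation
    "approved_cloud": {"corp-drive"},           # constructed service name
    "approved_app_sources": {"vendor-store", "corp-catalog"},   # constructed
}

REPORT_DATE = date(2014, 6, 30)   # constructed "today" for the sample run


@dataclass
class Device:
    device_id: str
    personal: bool                  # True = BYOD unit, False = corporate issued
    encrypted_at_rest: bool
    passcode_length: int
    remote_wipe_enrolled: bool
    last_patch: date
    vpn_for_business_email: bool
    cloud_services: set = field(default_factory=set)
    app_sources: set = field(default_factory=set)
    work_container: bool = False    # corporate data segregated from personal


def evaluate(device, today=REPORT_DATE, policy=POLICY):
    """Return the policy findings for one device; an empty list means compliant."""
    findings = []
    if not device.encrypted_at_rest:
        findings.append("data at rest not encrypted")
    if device.passcode_length < policy["min_passcode_length"]:
        findings.append("passcode shorter than %d characters" % policy["min_passcode_length"])
    if not device.remote_wipe_enrolled:
        findings.append("remote wipe not enrolled")
    if (today - device.last_patch).days > policy["max_patch_age_days"]:
        findings.append("patches older than %d days" % policy["max_patch_age_days"])
    if not device.vpn_for_business_email:
        findings.append("business email not routed over VPN")
    unapproved = device.cloud_services - policy["approved_cloud"]
    if unapproved:
        findings.append("unapproved cloud storage: " + ", ".join(sorted(unapproved)))
    bad_sources = device.app_sources - policy["approved_app_sources"]
    if bad_sources:
        findings.append("apps from unapproved sources: " + ", ".join(sorted(bad_sources)))
    if device.personal and not device.work_container:
        findings.append("BYOD unit without corporate/personal data separation")
    return findings


def fleet_report(devices, today=REPORT_DATE, policy=POLICY):
    """Map each device id to its findings so non-compliant units stand out."""
    return {d.device_id: evaluate(d, today, policy) for d in devices}


# Constructed sample fleet: a compliant corporate laptop, a BYOD phone that
# fails every rule, and a BYOD tablet that has been brought into line.
SAMPLE_FLEET = [
    Device("corp-laptop-01", False, True, 12, True, date(2014, 6, 20), True,
           {"corp-drive"}, {"vendor-store"}),
    Device("byod-phone-07", True, False, 4, False, date(2014, 3, 1), False,
           {"consumer-box"}, {"sideload"}),
    Device("byod-tablet-03", True, True, 8, True, date(2014, 6, 1), True,
           set(), {"vendor-store"}, work_container=True),
]

if __name__ == "__main__":
    for dev_id, findings in fleet_report(SAMPLE_FLEET).items():
        print(dev_id, "->", findings or "compliant")
```

The rules are deliberately data-driven: the thresholds live in one dictionary so that a healthcare organisation, for instance, can tighten the encryption and patch-age rules without touching the evaluation logic, and the per-device findings list is what a helpdesk would hand back to the device owner.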
Awareness of key vulnerability/attack points used by hackers and cybercriminals is crucial. Several are:
Weak passwords that can be identified via
Eavesdropping on unencrypted wireless
Unpatched software is always vulnerable
Incorrectly configured network devices – routers are an example, for default settings are not always changed
Attacks on vulnerable databases via SQL
The list can go on, but this is merely “food for thought”. Given that mobile devices have internet connectivity, attacks used on desktops have in many instances migrated to the mobile arena. Furthermore, connections via Wi-Fi or Bluetooth can be at risk, for the Bluetooth device or the Wi-Fi connection may have been compromised and can potentially be used for a “man in the middle attack”. There are a host of buzz words surrounding this subject matter. We can discuss the points individually by contacting us.
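The "attacks on vulnerable databases via SQL" item in the list above comes down to one coding mistake: building the query text out of untrusted input. The following is an added example, not code from the report, showing that mistake next to the parameterized form that removes it. The table, its single row and the two input strings are constructed; sqlite3 is used because it ships with Python, and the same defect applies to any SQL engine, including the SQLite databases embedded in many mobile apps, which is one way desktop attacks have migrated to the mobile arena.

```python
"""A query built by string concatenation next to its parameterized form.

Added example, not from the report. The table, the single row in it and the
input strings are constructed.
"""
import sqlite3


def make_db():
    """In-memory database with one constructed user record."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", "constructed-hash"))
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    """Concatenates untrusted input into the SQL text, so a quote character in
    the input changes the query's structure instead of being matched as data."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    """Passes the input as a bound parameter: the engine treats it purely as a
    value to compare, whatever characters it contains."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def demo():
    """Run both lookups with a normal name and with a name that carries a stray
    quote and SQL syntax; returns the four result lists for comparison."""
    conn = make_db()
    normal = "alice"
    tampered = "nobody' OR '1'='1"     # constructed input containing SQL syntax
    return (
        find_user_vulnerable(conn, normal),
        find_user_vulnerable(conn, tampered),   # structure changed: matches every row
        find_user_safe(conn, normal),
        find_user_safe(conn, tampered),         # compared as a literal: matches nothing
    )


if __name__ == "__main__":
    vuln_ok, vuln_tampered, safe_ok, safe_tampered = demo()
    print("vulnerable:", vuln_ok, vuln_tampered)
    print("parameterized:", safe_ok, safe_tampered)
```

The detection side is just as mechanical: any query assembled with `+` or string formatting from request, form or intent data is a finding in code review, whatever the platform, and the fix is always the bound-parameter form rather than input filtering.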
3. Are there security solutions -- Potential Considerations/Responses?
Security issues/threats now emanate from many directions. The same technology that connects disparate networks, provides seamless interoperability between systems and converges network management through web connections is used to create security breaches. Unfortunately, and not especially surprisingly, in our surveys we find many do not create, routinely update and follow basic security, risk assessment, and vigilance policies. We continue to find corporate networks unprotected, from something as basic as identity management (who can connect to the network) to unprotected wireless access points. This has worsened with the advent of tablets and smart phones and the lack of BYOD policies. Use of cloud storage can create added threat points if it is not secure or information is not stored and sent encrypted. Encryption key management is a problem but can be resolved.
The problem appears to worsen at the Home, SOHO and many SMB
locations but the business and public sectors are vulnerable as well. For
example, in setting up a wireless home network, many do not use even WEP to
eliminate rogue access connectivity. It would appear intuitively obvious this
is a problem that needs to be solved – Is there a plug and play setup program
for the unsophisticated home user? The problem will be exacerbated as more
devices are added to the home network as well as SOHO. A consideration is to be sure to protect both
PII and PHI at a minimum.
The simple use of strong passwords (strong meaning a string that is
not merely 3 or 4 characters) can minimize some potential vulnerability. An example
is online banking – most users have strong passwords for online banking on
their laptop or desktop but this does not necessarily carry over to all mobile
devices. Also, we as users seem to have a plethora of passwords. Can I actually
recall each password for my desktop, laptop, netbook, tablet and phone given
that I acquired them at different times and some devices limit the password
strength? That is a real problem seeking a solution. Do we, as consumers, change
them regularly when not forced to do so by a network administrator? Should
there be single sign-on and dual authentication for all users, provided
as a service?
Single and dual authentication processes are an excellent
move for accessing corporate information. It is merely one step in the overall
security net. What information can be downloaded? Is it encrypted in transit
and at rest? Can it be wiped remotely if the device is lost? Is it segregated
on the BYOD device? (Please excuse us if this is repetitious but we are advocates
of security at all levels.)
Use of biometrics is a step in the right direction. It can
be a fingerprint reader – it is standard on our company laptops as is facial
recognition but not on all the tablets or smart phones yet. Facial recognition
might be ideal but does have problems at times. Use of graphic motion/drawing
can be useful as a security tool as well. The key is strengthening the device
access point. Mobile security software is readily available as well but few
have it installed. Should it be a requirement for BYOD? Most would venture the
answer is yes but is it actually implemented today? Also, remote wipe software
should be included as well in case the device is lost or stolen.
Security attacks are very sophisticated. No longer is it
simple spyware. Now it is potentially damaging malware, phishing, and rootkits
that we all face on smart phones, netbooks, tablets and e-readers, plus phishing
through tweets and other social networks. How many smart phones are protected?
How many netbooks/laptops/tablets/e-readers connecting to public wireless
networks are securely protected from carrying a threat back to their base
network? How many are carrying unknown (to them) threats on the ubiquitous
flash drives or small portable drives many of us carry to a meeting while
travelling instead of a computer? How do we keep such a threat
from a portable drive, smart phone or tablet from entering the network? We do need
to keep in mind that anyone walking in with a flash or similar drive is now part of the
network, as is a portable music or video player. This is independent of
information format, for we all receive voice, video, and data routinely, any of
which can be corrupted by a security attack. Yes, the statements continue to be
made over and over despite efforts to educate everyone and foster minimal safe
practices including data encryption. DLP (data loss protection) is crucial, and
proprietary data loss can be expensive to either the corporation or the
consumer. Think about the consequences of losing an electronic wallet with your
financial data that was not protected by encryption.
Network security and Malware attacks are just one aspect of
this problem. Loss of netbooks/laptops/tablets/smart phones with the attendant
company and personal data losses of confidential information continues to occur
despite the publicity each time a credit card or personal information is lost.
The major concern, given the financial and business exposure, is how to stop
it. Most have no idea they should encrypt with readily available tools. It is
not a panacea but it makes illicit data use much more difficult.
“Cloud Computing and Storage” is another potential venue for
data loss. The concepts do require another set of information
integrity and breach protections. There need to be standards in use so that
users understand the associated risks, rather than a case by case or cloud
vendor by vendor approach. There are benefits, but we strongly advise caution
when pushing intellectual property into a public cloud. In many cases, each time
data is uploaded to the “cloud” some information remains on the mobile device,
with the potential for theft. Again, opportunity abounds for hardware, software and
service vendors astute in solving the issues, but progress is slow and
few universal standards exist in real time user environments. Again, encryption
in transit and at rest is a key deterrent that should be followed.
The thumb flash drive and portable hard drives (a 2+ TB
drive now fits in a shirt pocket) are another risk factor. How do we keep track
of these small tools we use, especially when traveling? Should we have automatic
encryption each time we use the device, as can be done with self-encrypting
drives? How does one keep track of the encryption codes used for such a
multiplicity of devices? We can lock downloads to the device and restrict
uploads today. How large is the business opportunity?
Should a security chip be embedded in every device for
restricting access, encryption, and “wiping” the device if the device is lost
or stolen? This is and will be a key factor in smart phone physical loss. Legislation
for “Kill Switch” to be built into the smart phones is progressing. The size (landscape
of the device) may not permit such a hardware addition but firmware may solve
Some vendor interaction is welcomed such as the fingerprint
reader and rudimentary facial recognition now standard on some laptops and
other devices as a basic protection. Identity management for access is
increasing in corporate networks. Many now will not allow an unrecognized
device – laptop, flash drive, netbook, tablet, smart phone, music player – to
attach unhindered to the network. Some thumb drives offer some level of
security with the device. However, with an encryption methodology in routine
use by corporations the data loss problem can be minimized. The same is true of
users at their desk or home. An opportunity exists, particularly in the user
environment, for easy-to-use and easy-to-decrypt software packages. They should
be preloaded in new computer and device sales, but are readily available with
some self-encrypting hard drives.
Note: Potential security risks (and privacy) with respect to
the use of social networking (Twitter, Facebook, LinkedIn and others) will be
discussed in our 4Q security report.
4. Privacy – Can anything be
Security and privacy
issues tend to be interlocking. User education and awareness are vital, for
there is no ultimate security: any encryption can eventually be broken. The
key is to increase the difficulty of accessing our information – corporate
and personal – so that it is not as attractive to attack as information
stored or sent in the clear. This does provide some privacy protection for
personal data as well as corporate. Self-
encrypting drives (hardware and software) are readily available. Email and
messages can be sent encrypted. Simply using the encryption capabilities of Outlook
is a start, and it is available, but few users take advantage of this or may not be
aware of the feature.
We also need an
awareness of privacy issues, despite some executives saying there is no
such thing as privacy and none should be expected. Most users expect some
privacy and at least the ability to “opt in” for broad based disclosure to
protect what personal information they desire. After all, corporations do tend
to protect their information and do have expectations for protecting internal
private and privileged information, so why should a user not expect the same?
Are there any
vestiges of privacy left when location based services track user movements? Browser
use is tracked and too many companies battle any “do not track” efforts. Strict
privacy controls by various providers essentially do not exist, and there is little oversight for
privacy protection. Facial recognition and tracking in retail outlets for
determining traffic flows by gender is enabled by our communications technology,
but can it go too far if they identified each user personally? Yes, we are
monitored visually on casino floors in Las Vegas but we accept that function
because we know it is there and make the choice it is acceptable or we can
with wearable recording devices are another question? Do you wish to be
recorded anywhere without your knowledge? Could private corporate information
be recorded without someone’s knowledge in a meeting? It is doubtful but may be
feasible. Technological advances are marvelous but at times need some oversight.
There is “Do not Track” software available as well to help
protect our online privacy. However, it is not 100% foolproof, for some companies
and information harvesters try to and do circumvent the feature for their own
benefit. I routinely use DNT software but there are always several tracking
cookies that slip through despite the software. Some vendors do not honor the
“DNT” setting on the unit. Maybe a national do-not-track list similar to the do-not-call list
is needed. Social networking can lead to significant privacy intrusion if the
users are not aware of the vulnerabilities. This is partially driven by user
choice as to what is acceptable or not for posting. Education would seem to
help some, and simple awareness is a major assist.
5. Mobility and BYOD – Healthcare Environment
information is taking a major role in our lives as the industry moves forward
to electronic health records and information sharing with the patients. Healthcare
has its own issues especially given the government “push” for electronic
records. Many vendors to the industry are
competing to store personal health information. EHR – electronic medical
records – need special protection. Should they be able to be harvested for marketing
purposes? Is that compliant with HIPAA‘s encryption requirement?
of healthcare practitioners use their personal smart phones in day to day
activities. BYOD provides choice, impacts efficiency and can reduce costs.
There are concerns. PHI (protected
health information) such as medical record numbers, social security numbers,
and names, as examples, are not to be downloaded to a BYOD device. This requires a device
management program to ensure compliance with the HIPAA requirement. BYOD
programs must handle the complexity for practitioners who work with different
affiliations, each of which may have different messaging and management systems.
The challenges can
be resolved, but a number of criteria need to be addressed. A solution needs to
recognize what information is PHI in order to control what is downloaded for HIPAA
compliance. Regulatory compliance necessitates audit logs including IP address,
user data, device, and URL accessed. Also needed is knowledge of
the information's sensitivity and where it is disseminated. All the while, there is the need to
provide the practitioner with privacy and security for the personal information
on their device.
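As an added illustration (not from the report) of the gate described above, the following Python sketch classifies a record for the PHI identifier classes named here (names, medical record numbers, social security numbers), applies a policy under which PHI may be downloaded only to a managed, encrypted device and is otherwise view-only, and emits the audit fields the report lists (IP address, user, device, URL). The device registry, the MRN format and the field names are assumptions for the example.

```python
from __future__ import annotations
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample device registry (assumption): device id -> posture reported by
# the device management program. Unknown devices are treated as unmanaged BYOD.
DEVICE_REGISTRY = {
    "lt-0042": {"managed": True, "encrypted": True},          # corporate laptop
    "byod-phone-17": {"managed": False, "encrypted": False},  # personal phone
}
UNKNOWN_DEVICE = {"managed": False, "encrypted": False}

# Identifier patterns for the PHI classes the report names. The MRN format
# ("MRN" followed by 6-10 digits) is an assumption for this example.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
MRN_RE = re.compile(r"\bMRN[-: ]?\d{6,10}\b", re.IGNORECASE)
NAME_KEYS = {"name", "patient_name"}


def classify_phi(record: dict) -> set[str]:
    """Return the set of PHI identifier classes found in a record's values."""
    found: set[str] = set()
    for key, value in record.items():
        text = str(value)
        if SSN_RE.search(text):
            found.add("ssn")
        if MRN_RE.search(text):
            found.add("mrn")
        if key.lower() in NAME_KEYS and text.strip():
            found.add("name")
    return found


@dataclass
class AccessRequest:
    user: str
    device_id: str
    src_ip: str
    url: str


def decide(req: AccessRequest, record: dict) -> dict:
    """Apply the download policy and return the audit entry for the request.

    Policy: records with no PHI may be downloaded anywhere; records containing
    PHI may be downloaded only to a managed, encrypted device and are otherwise
    view-only. The audit entry carries the fields the report lists.
    """
    phi = classify_phi(record)
    posture = DEVICE_REGISTRY.get(req.device_id, UNKNOWN_DEVICE)  # fail closed
    if not phi or (posture["managed"] and posture["encrypted"]):
        decision = "allow-download"
    else:
        decision = "deny-download-view-only"
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": req.user,
        "src_ip": req.src_ip,
        "device": req.device_id,
        "url": req.url,
        "phi_classes": sorted(phi),
        "decision": decision,
    }


def audit_line(entry: dict) -> str:
    """Serialise an audit entry as one JSON line for an append-only log."""
    return json.dumps(entry, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample record and requests from three device postures.
    record = {"patient_name": "Jane Doe", "mrn": "MRN-00012345",
              "ssn": "123-45-6789", "note": "follow-up in two weeks"}
    for dev in ("lt-0042", "byod-phone-17", "tablet-unknown"):
        req = AccessRequest("dr.smith", dev, "10.0.0.5", "/api/patient/123")
        print(audit_line(decide(req, record)))
```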
tablets as well for work (75%+ is a low estimate) and similar constraints as
the smart phones are in play for compliance. All information in transit and at
rest must be encrypted in any policy.
Key concerns here are:
a. How do users on the network interact with
those outside the controlled network? How to identify and control PHI here?
b. How long can PHI exist on a device? Can it be
deleted when authorization changes?
c. What personal programs are installed that
could impact the network?
Many use cloud
storage for cost savings. Cloud storage utilization can be attractive for the
industry but does have vendor vulnerabilities. If records are “in the cloud”, not
all providers may be compliant with the many government regulations. Also, security may be
severely lacking, if present at all. One question is whether or not all records are
encrypted in the cloud storage and when accessed for transit.
The HIPAA Omnibus
Final Rule, finalized in September 2013, makes business associates liable for
data security breaches. Healthcare organizations should and must have
business associate agreements (BAA) in place. Many cloud vendors were somewhat
hesitant about the rule. Google, Microsoft and Box comply now and more are
being added as a result of the rule.
The need for the
rule addition was evident. Prior to 2013, the associates were involved in over
50% of large scale breaches. In 2013, it dropped to 10-15%.
One example of the
serious problem (now resolved) was in 2011 when a billing contractor for
Stanford University Hospital allowed a spreadsheet to be posted online and
exposed 20,000 patient health records. It was a year before it was discovered. The
BAA provides an incentive to avoid such occurrences and should be included in
the security policy.
On the patient side
is the portal access to the health care records and healthcare related internet
use. We have the same mobile devices at hand as the healthcare practitioner.
Typically, we as patients may store some of our health record electronically;
use a health app of some type; have tracked and stored health patterns; ordered
prescriptions on line; set doctor appointments; obtained test results; visited
our insurance website; or chatted on line with a healthcare professional.
Some of the practitioner
contact and information flow is via a patient portal. Depending upon the portal
structure and security structure, the communication could be at risk as with any
online transaction, except that the loss impact is higher in most cases. Secure sign
on and user authentication must be part of the process but must not be overly
complex. Strong design provides confidence to the user and encourages more use
and efficiency for all involved.
exchange (HEI) is growing and that can
aid a patient and physicians using different entities for their healthcare or
the patient requiring assistance when travelling out of the area. In some cases
disparate information systems are in use hampering the exchange. There also are
concerns with the security of public exchanges. The policy to minimize risk is
for a hospital not to import HEI data into the system but view it at the portal.
The government has endorsed a secure messaging protocol – Direct Project – to
push messages and attachments between parties. Direct messaging can be used to
meet some of the Meaningful Use Stage 2 information sharing rules. EHR requirements
must be met for compliance.
laptops and tablets are routinely encountered in the healthcare arena and there
is an expectation of security and compliance from the patient perspective. Now
enter Google Glass for the healthcare arena and within EHR. One company is adding
Google Glass in its offerings so that a doctor can take a picture or pictures
during surgery to send into the patient records, record videos of patient
visits, view patient profiles for all appointments for the week and real time data
streaming of patient visits so the doctor can have anyone (physicians, family,
scribes and so forth) watching anywhere in the world. Is each end point secure?
Is this PHI that must comply with HIPAA?
Should it be a patient option? How is the data protected and stored in
this worldwide viewing? It raises a few interesting concerns about privacy also
for it appears to be very invasive of patient privacy and EHR.
Just think - Do you
want your corporate, personal financial and health data to be stored in the
clear (not encrypted)? How many of us would want our medical records
electronically stored or electronically transmitted in the clear? Are all
tablets being used in HIPAA compliant sectors truly secure and compliant? Is a
4 digit password secure and hard to break? Should it be stronger, and how do we
ensure it is? An interesting opportunity exists in this vertical market. Many
practitioners use mobile devices for personal and professional needs. Nearly
90% use their own smart phones. BYOD
increases efficiency and can reduce costs, but there are issues in what can and
cannot be done, and compliance must be absolute.
Security awareness and actions to prevent losses/breaches of
corporate intellectual property (all types), data and personal information (PII
and PHI) require effort on multiple levels. No element – vendor, corporation, health
care provider, business user or consumer - can abrogate their responsibility
for prevention and protection by trusting it is “taken care of” by someone
else. We do have techniques and technologies available that resolve many of the
potential weak points in this data anywhere, anytime and any device world.
a. Vendor Level -- Regrettably, security and threat
mitigation seem to remain low on the radar screens of many hardware and
software vendors. Many are increasing efforts but it is insufficient at this
time in our opinion. Provision of full disk encryption and fingerprint readers and/or
facial recognition for access with all hardware seems to be the ideal
target. Transition to such an environment will take time but does need to be
expedited. Software to “wipe” a stolen device is available, but most do not include
it with the hardware and the third party push is somewhat limited in the
secondary market. This is shifting with laws being passed to include “Kill
Switches” in all new smart phones. Meanwhile download a third party app for
b. Corporation – Corporations are being bombarded with a
plethora of consumer devices brought into their environments, many times ad hoc
without concern for the security of personal devices. Security procedures from the
past are no longer sufficient, for the network is no longer closed. Our surveys
indicate activity is improving, but many organizations in our sample universe
are doing very little to ensure security policies are dynamic and up to date.
Even device loss protection can be an afterthought. Further, encryption seems to
be an afterthought in far too many cases. Why is data kept in the clear, leaving
organizations to explain major data breaches by their staff or a third party who has
the information? Failure costs are high.
c. SMB – The small business universe can be vulnerable for
they generally do not have the personnel resources to fully address the
problems. Here the hardware and software vendor can provide direction and
solutions if they target this sector.
d. Business User – Given our mobility, each user needs to
understand and act upon the security policies of the business and suggest
changes based upon their experiences. One cannot assume “corporate” has the
complete solution. Device loss is a key concern, and the company must have the
ability to wipe the device once the business user provides notification of the
loss. This can be difficult with BYOD, since personal privacy and personal
information loss become a concern. All information on portable devices – thumb
drive or pocket hard drive – must be encrypted for it only takes a few moments
e. Consumer – Our surveys indicate the majority of users do
not secure their home networks very well – a relatively simple action to remedy
but one too often ignored. Personal devices are being used for more vulnerable
and valuable (V²) applications – i.e. online banking for convenience, where one
line passwords are vulnerable to theft. Also, encryption is lacking in most
consumer computing devices. Unfortunately, most only pay lip service to
security until a device or personal information is lost.
f. Possible steps – With a few steps we can readily layer
security protection for many devices, be they laptops, netbooks, smart phones,
hand-held computing devices and others.
1. Ensure a STRONG password is used and change it
regularly. Do not write it down if at all possible, and keep it separate from
the device/office locale. Use two-factor authentication wherever feasible.
2. Use full disk encryption as much as possible and
include encrypting portable devices and cards. If using Windows one can use the
built in BitLocker or use third party products. Encryption software typically
3. Device loss, misplacement, theft – There are various
approaches and products one can use. The first is a product that will lock and
wipe the device remotely. Another is to use a service to label the devices with
a return program. Others are services to track devices (GPS location) or spying
systems that activate when a device is reported lost or stolen.
4. A fingerprint reader integrated on a laptop or netbook
provides a higher level of security. There are also third party devices we have
used that work well and resolve the legacy issue. Just be sure to activate the
device with two entries in case one finger is wearing a band-aid.
5. Biometrics for end point access security
(could be part of an added step for sign-on) seem ideal. However, initial
applications of facial recognition on the laptop did not perform consistently,
but it does offer an intriguing possibility. (I have problems with facial
recognition on this laptop and I am sure others have similar experiences.) Most
new devices today have a camera of some type, so it may be feasible. After all,
there is some testing now with use of recognition technologies to track
shoppers and then deliver ads to their devices.
6. Be aware of the concerns with unprotected hot
7. Use “do not track” software at all times.
8. Be aware of opt out versus opt in features
and capabilities and use them to have some privacy protection. Keep in mind
most trackers seem to always use opt in as a given.
9. Use available email encryption routinely.
10. Just ask what damage can be caused if
critical information is not secured or what would be lost. Would you want your
personal health records stored in the open?
g. Given the
popularity of Android based devices (and the many flavors of the OS in a 1
billion plus installed base) a separate commentary may be helpful when
considering vulnerability issues or end point policy.
1. Device lock/access – Use a password and
consider an app that may allow gestures to unlock
2. Install remote wipe software to use in case
of theft or loss of the phone to delete the data. It may also be used to locate
a device as well.
3. Install mobile security software for it is
readily available from multiple sources.
Back up the smart phone regularly to ensure you will not lose your
data. There are apps readily available.
4. Download an app to lock the device after a
specified inactive time period if not already on the phone as an added
5. Restrict your app purchases to a recognized site, preferably Google
Play to minimize download risks
h. Just be aware of
potential risks/vulnerabilities when using any mobile device.
i. Understand the
increased impacts in the health care sector with increasing EHR utilization and
its attendant security needs at all levels from provider through patient
especially with the smart phone.
Recommended Client Actions
1. General Considerations
We strongly urge our readers in all sectors to closely
review their current security policies and procedures, risk assessment, and
threat mitigation policies to ensure they are in place for all users with company
provided devices and BYOD. Mobile security should be a critical strategic and
tactical focus. The internal IT staff must have the capabilities for this
environment, which differs
from the company owned devices. BYOD is expanding and nearly
90+% currently accommodate BYOD or plan to.
Knowledge is no longer stored in a central secure repository
but is as mobile as any individual and their devices. Be very aware of
vulnerabilities in storing unencrypted information and have policies for what
is stored and accessed in the “public cloud” or on mobile storage devices such
as thumb and flash drives. Cloud storage is useful but needs awareness for the
or if the data is stored off shore where local policies may not be as robust.
Consider storing HIPAA or other compliance centric information in the private,
not public, cloud. Personal and business
data must be separated on the devices for both security and privacy needs.
Review the security/privacy policies and procedures
routinely so that threats can be assessed and preventative actions taken to
minimize operating risks. Elements of the policy should include data and
information flows; the network from the core to the end points; the overall
infrastructure design; application use and deployment; encryption; compliance; and
of course people and access provision and
authentication. The policies should be as clear and straightforward as
possible, for complexity will reduce utilization and increase trust in the
2. Where are the revenue potentials in this arena?
Revenue and profit opportunities abound throughout all
market segments and can be serviced in many cases by the core products
provided. At the chip level, security and encryption algorithms can be included
in the hardware and/or firmware in future devices. Can current firmware be
adapted or modified for the installed base? Can near communication be made
Hardware, software, apps, special devices, dual memory
capability to store personal versus business or compliance data on BYOD, self
encrypting capabilities for in transit and at rest, holograms, expanded
graphics, and improved biometrics are some examples that come to mind.
All offer discrete opportunities for all steps in the supply
chain including system integrators and VARs. Another possibility is resolving interconnectivity
issues between healthcare providers who use different email, business processes,
software, and so forth as we move to Stage 2.
In the healthcare markets, in addition to the thoughts
listed, there are device and software potentials in addressing (a) The
tremendous increase in reports/paperwork/electronic records due to the ACA requirements
– Is there a simple way to complete the documents for the practitioner to
improve their efficiency?; (b) Compliance reporting and security for PII and
PHI; (c) security for core to endpoints (both internal and external) including
mobility; and (d) products and systems for the small practitioners. Support,
security expertise, and training appear to offer added revenue potentials.
Our report clients are strongly advised to look closely at
the potential revenue streams via applying their internal competencies or
through strategic alliances to maximize global revenue streams.
Feel free to call us to discuss your ideas/concepts for future products
under a confidentiality agreement or for a detailed unbiased product assessment.
Ed Poshkus, Principal
Report No. 2014-6a-Security
Availability - 06-15-14
Contributors to the report:
Jeri Trippe, Sr. Industry Analyst, EVP
Stan Terepka, Industry Analyst
If there are questions about the content, contact
Ed Poshkus, Principal Industry Analyst, - email@example.com
Jeri Trippe, Sr. Industry Analyst, EVP - firstname.lastname@example.org