The name of the sender seems vaguely familiar. They point to enough facts in the case that you have no reason to believe that the email isn’t legitimate. And just like that, you’re hooked and being reeled in. The email was an attempt to get you to reveal a piece of information that is considered intellectual property.

These attempts are not unusual. Law firms today are facing more sophisticated attempts to lure employees into revealing information that will allow them to gain access to the network and steal large amounts of intellectual property.

The typical phishing attack involves a mass email that is sent to hundreds of thousands of email addresses trying to get access to information like email addresses, passwords, social security numbers and more. You may have been the recipient of a phishing email from an attacker posing like your banking institution and asking you to verify your online password.

Attackers that are more sophisticated utilize a similar method but target specific organizations to gain access to confidential data. This is called spear phishing. While spear phishing targets a specific individual, whale phishing is yet another sophisticated method that targets specific individuals in high ranking positions. The attacker in this case is looking for information from managing directors, partners and other top executives. But what makes these spear phishing and whale phishing attempts possible?

Today’s attackers have greater access to information than ever before thanks to the broad adoption of social media. An attacker can scan a managing partner’s Facebook page and then send an email that references a recent vacation or even that partner’s family. It is social engineering at its finest and makes phishing an even more prevalent threat.

What best practices can your firm embrace to safeguard its employees against these targeted attacks? Here are a few recommendations we provide our customers to ensure that they address all components in the security ecosystem: people, process and technology:

• Educate your employee base not to click links within emails. Even if the URL is for a trustworthy organization, the user should type it in manually into a web browser.
• Create security policies across your organization and ensure these policies are monitored and enforced.
• Utilize content filtering solutions. In fact, 80% of threats today are still web-based. Web and email content filtering solutions will prevent malicious links from coming through the network. Often organizations that are implementing filtering technology, simply are not using best of breed solutions that are enterprise worthy.
• Prepare for the worst – attacks are inevitable – so have an incident response plan in place.

By preparing your firm and its employees for spear and whale phishing scams, you can help avoid becoming big game. Do you have other questions or concerns about protecting your organization’s intellectual property?  Drop me a comment below.

In this week’s issue of the Roundup, we’ll take a look at some hot mobile stories impacting companies today, from BYOD policies to mobile security concerns.

Let’s hit the road:

Windows tablets set to cause more device confusion
As we discussed last week, tablet computers are soon expected to take the place of desktop and laptop computers as the primary device for businesses. Tablets are already entering the enterprise via BYOD initiatives and being acquired and distributed to employees by companies themselves.

Unfortunately, the different operating systems being run on tablets cause problems for IT departments within companies, which struggle to manage and secure the disparate devices. And it’s about to get worse.

InformationWeek recently reported that a new army of tablets and other mobile devices that run Microsoft’s Windows 8 operating system will hit the shelves in 2012. The devices are expected to start at $300, which could help them take market share from more expensive Apple and Android tablets. The proliferation of these devices could mean yet another disparate tablet for IT departments to agonize over.

Cyber crime skyrockets, gets social and goes mobile
2011 was a bad year for cyber crime. According to a recent study released by security company, Symantec, and featured in an article by PC Magazine, cyber crime jumped in 2011.

During the last year, Symantec blocked 5.5 hack attempts, which was an 81 percent increase from 2010. They also identified 403 million unique malware variants.

Perhaps the most startling statistic was the increase in mobile attacks, which grew by 93 percent in 2011. The Android operating system being the most frequently targeted.

The study reported that malicious spam decreased in the past year. However, these attacks appear to be evolving instead of disappearing, as hackers moved to social networks for more targeted and frightening attacks.

BYOD policies apparently passé
Bring your own device (or BYOD) is all the rage in enterprises today. Ultimately, employees want the same advanced functionality at work that their mobile devices deliver at home. Companies have been willing to allow employees to utilize  personal devices on their networks because they deliver advanced capabilities and increase the productivity and agility of the workforce.

Unfortunately, it appears that companies have been leaping into BYOD without planning ahead. According to a recent article by FierceMobileIT, a new report shows that two-thirds of the respondents allow BYOD in their enterprise but don’t have a BYOD policy in place. As a result, 25 percent of those surveyed have been the victim of a hack attempt or malware on their device.

For IT decision leaders looking to embrace BYOD, the article gives some good tips on how companies can protect themselves and their employees.

Does your company have a BYOD plan and policy in place?

Within the information security domain, we’ve begun utilizing various business intelligence (BI) tools to visualize/analyze, and in general, begin dealing with the “Big Data” challenges that are currently facing our federal and corporate information security communities. While Big Data, Digital Decay and the hazards of data retention are interesting discussions, this post isn’t a piece on analytics. This is about the data destruction issues in the modern age of solid-state media. Furthermore, if you believe your organization doesn’t have solid state drives (SSDs) and flash media in production, you may consider speaking to your SAN admin or virtualization guru to confirm your assumptions.

As the resident security guy, lately I’ve been having a number of conversations with customers about data destruction. Before I go much further in depth, let me say that we primarily work with federal government customers and have deep ties to the usual suspects whom you might assume would have more than a passing interest in information security. Knowing this, we can also state with a certain amount of veracity, that many of our discussions have relevance to national security.

So let’s take a look at data destruction in the old days and today, and discuss some best practices and tips.

Data Destruction of Yesterday

In the old days, data destruction was “easy.” I grew up during the days of boot disk destruction where we would create a DOS or *NIX boot disk, load the requisite kernel data destruction apps (such as DBAN), make certain the floppy had a bootable sector and off we went.

For magnetic media such as hard disks, the standards were consistent: overwrite the drive a number of times, execute the built-in secure erase command and destroy or degauss the drive.

Magnetic media has a particular method to the data destruction and what we as practitioners would do is use some disk scrubbing utility (DBAN, srm, shred, PGP) to wipe either the file or the entire disk via the Gutmann method, or something along the lines of the Airforce System Instruction 5020.

Below is a screen shot from the PGP 10.x client with file shredding capabilities on OSX.

There were a number of clear-cut options of how to execute a data destruction process:

A) Single file overwrite with an option to overwrite with random data 1-35 times
B) Whole disk overwrite with an option to overwrite with random data 1-35 times

To quote Gutmann’s original paper, “A good scrubbing with random data will do about as well as can be expected.”

Lastly, there was arguably at least one other effective method of data sanitization:

C) Degaussing via some specialized hardware

Degaussing requires the termination of the disk itself, which magnetically destroys the media, as well as the drive motor. How?  By rotating some multi-K gauss field co-planar to the chips and a multi-K gauss perpendicular alternating field. The point is, you put a hard drive in or on the device, it creates a magnetic field and ruins the media and the drive heads.

Data Destruction in the Present Day

Presently, we have a plethora of cheap, high-density disks that happily respond to the usual ATA and SCSI destruction commands.

We tend to use these plentiful disks as backend storage, and for any system that requires rapid response or quick boot times, we use SSDs or disks, which don’t require any moving mechanical components. And with that, the fun begins.

When presented with some data destruction questions from one of our more interesting clients, I was forced to dig into whitepaper land. Short of incinerating a USB memory stick, I had never attempted performing data destruction on solid-state media, and it is most certainly an animal of a different color.

Also worthy of note: All of the above data destruction ideas (Gutmann, AF, etc.) are irrelevant, as SSDs do not play by any of the old rules. Per the Wei whitepaper, the above methods of data destruction are either ineffectual, falsely effective (showing destruction successes with full simple recovery possible) or a waste of energy.

According to the whitepaper:

“None of these solutions are satisfactory: Our data shows that overwriting is ineffective and that the ‘erase procedures provided by the manufacturer’ may not work properly in all cases.”

So what does work? Scrubbing. For details on how SSDs read/write, please read the summary of University of California’s whitepaper here.

“Programming individual pages is possible, so an alternative is to re-program the page to turn all the remaining 1s into 0s.”

And what is the net effect of using an only marginally effective data destruction method on the SSDs? The eventual destruction of the disk OR a heavily increased latency of the read/writes—meaning, you ruin the disk.

“Overall, we conclude that the increased complexity of SSDs relative to hard drives requires that SSDs provide verifiable sanitization operations.”

For the layman, this translates to what exactly? Overwriting doesn’t work.

So based on this perspective, we have a few take-away points for your organization to keep in mind when considering data destruction:

• Right now, there are few, if any, controller based integrated provisions for performing data destruction operations on SSDs
• Traditional hard disk or file-based destructions do not work. Read the source document and make operational decisions based upon these findings
• Do not consider decommissioning SSDs and releasing them into the public domain. If you can handle the degradation of speed, consider using FDE on all SSD endpoints, devices and drives

In summary, unless there is a large crucible with which you can melt your SSDs, we recommend reviewing and revising your organization’s data destruction policy with regard to SSDs.

Let’s take a look:

What’s a laptop?
It’s not hard to imagine today’s children looking quizzically at a record or cassette tape since they fell out of favor decades ago. Now, desktop and laptop computers could be running the risk of joining that illustrious list of archaic technologies.

According to a recent Forrester report, 375 million tablets will be sold globally in 2016. Forrester analyst, Frank Gillett, expects these tablets to conduct a hostile takeover of the workplace and replace the desktop and laptop computer as the primary device in enterprises. However, Frank predicts there will still be room in the enterprise for the old standards to tackle creative work and other tasks that require more computing muscle.

With tablets taking over the office, IT professionals need to prepare for the strain on the data center and ensure their security is up to snuff.

Google Drive gets the green light
According to USA Today, the long awaited debut of Google Drive has finally arrived!

Google’s cloud-based data-storage solution will enable users to store large files and access them from any web-connected device. This is an attractive option for consumers and small businesses looking to gain access to videos, pictures, documents or any other data from anywhere at any time.

Google isn’t the first and only player in the space. Startup company, Dropbox, is already offering similar cloud-based storage solutions. However, Google’s pricing for Drive appears to be a bit more aggressive and business friendly.

Hacktivists top the network security terror charts
According to a recent survey by security vendor Bit9, IT security professionals are nervous about being targeted by hacktivist attacks in the next six months.

An IDG article about the survey results quotes some interesting statistics. According to the article, the survey found that 64 percent of the responders expect their companies to experience a cyberattack in the next six months. Also, 61 percent of respondents thought that hacktivists would be the ones responsible. The survey was taken by 2,000 IT professionals.

Despite only being responsible for a small percentage of last year’s cyberattacks, hacktivists stole the most data of any group.

Is your organization concerned about attacks by hacktivists? What is your IT staff doing to secure its network?

Let’s hit the road:

Excuse me, is your shoulder ringing?
The connection between humans and machines might get a little closer if Nokia has its way. CNN reported last week that the company has submitted to the U.S. Patent and Trademark Office a way to use magnetic ink for tattoos that would “ring” when cell phones receive incoming signals. The ink would interact with a specific electromagnetic field emitted by mobile phones. There was no information available about how to turn the tattoo off when going to bed for the night…

Using phone line “fingerprints” for security
You know how you can usually tell when a caller is from Maine or Georgia? It turns out that the same kind of distinctions are possible on the background noise for that phone call, which opens up new possibilities for security.

TechnologyReview.com reports that a relatively new startup company, Pindrop, is working with “several top banks” to process recordings of customer calls to flag possible fraud cases. Vijay Balasubramaniyan, CEO of Pindrop, says, “We can identify whether a person is using a landline or cell phone, or when a call which was supposed to come from a mobile in Atlanta comes from a landline in Nigeria.”

Apple security requirements limiting some apps
Within heightened scrutiny coming from Congress on privacy issues, Apple has begun to reject applications for iPhones and iPads that access the UDIDs (unique device identifiers) distinctive to each device. The company told developers six months ago that it was going to make the change, but it appears Apple is moving up the implementation of the policy because of pressure from the media and lawmakers.

The perfect example of this was back in the 90’s and early 2000’s when the traditional personal computer was making tremendous strides not only in chipsets, motherboards, memory and drives, but with the implementation of graphic cards that grew by leaps and bounds. Gaming was in its height and it was all about the experience you would receive as an end-user while playing your favorite graphic intensive game or looking at your favorite 3D models.

In today’s high tech industry, we are constantly striving for the perfect gaming session or that perfect Google Earth session where we can see our house from “outer space.” This user experience is now demanded in the virtualized desktop environment. In the age of virtual desktops where the traditional PC at the work place is slowly disappearing, the end goal is to have that perfect end-user experience that we had in the previous two decades, but on a machine that doesn’t exist physically before our eyes.

Virtual desktops have grown tremendously over the years and continue to lead the way in the technical field not only on the commercial side but the government side as well. There are several developments that are contributing to this growth and ensuring continued expansion.

One such protocol that enables this perfect virtualized end-user experience is Teradici’sPCoIP that works with VMware View. PCoIP technology allows all enterprise desktops, from task workers to power users, to be centrally located and managed in the data center, while providing the remote user with an exceptional user experience. The PCoIP protocol compresses, encrypts and encodes the entire computing experience at the data center and transmits it, ‘pixels only’, across any standard IP network to stateless PCoIP zero clients. Your data never leaves the data center.

The PCoIP protocol is implemented in silicon for hardware accelerated performance, and in software in VMware View. It supports high resolution, full frame rate 3D graphics and HD media, multiple large displays, full USB peripheral connectivity and high definition audio, all connected over the corporate local area network (LAN) or wide area network (WAN).

When tuned correctly, PCoIP allows for an exceptional end-user experience thus pushing forward the virtualized desktop infrastructure (VDI) implementation through the company or government agency. Once end-users see that they can watch many different formats of video, browse 3D data and view precision graphics, there is no turning back.

VDI is here to stay and will improve as the technology gets better. As the end-user experience advances, we will see more demand for this new form of computing and employees will be screaming for more. So, sit back and enjoy the next wave of computing with a PC that does not exist right in front of you.

In light of these pressures, we have partnered with leading technology manufactures such as Cisco Systems®, Dell®, EMC®, HP, McAfee®, NetApp® and VMware® to provide solutions that enable government agencies achieve their goals. These partner relationships are key to our success, which is why we are honored to be recognized by CRN as one of the 2012 Tech Elite 250.

The CRN 2012 Tech Elite 250 list represents an elite group of IT Solution Providers that have made a significant investment in training and education to earn the most technical certifications in the areas of data centers and infrastructure.

In compiling the list, CRN editors worked with the UBM Channel research group and a team of outside experts to define the most customer-beneficial technical certifications in the IT channel. These technical certifications have enabled solution providers to deliver premiere products, service and support to their North American customers.

To be included on this list is an honor and we remain committed to working with our partners to deliver best-of-breed technology solutions.

In this week’s edition: surgical robots that give us the creeps, a telecom company that has to compensate hacking victims and a new tech innovation that will enable people to avoid scrubbing behind their toilets, where hands were never meant to go.

The doctor-bot is in
The Economist reported earlier this month that a new robot-assisted surgery device, dubbed “the Raven,” is preparing to invade operating rooms. This is the first such device to use open-source software. The Raven was originally developed by the U.S. Army as a prototype for robotic surgery on battlefields. It comes with a price tag of $250,000, which is considered relatively inexpensive by robot standards.

While there are hurdles keeping it from use right now in operating rooms – regulators have not yet approved its use, and the company that holds patents on the current ruling robot surgeon, the da Vinci Surgical System, could file a legal challenge – there is a computer simulation of the Raven that is currently available.

Dutch telecom offers to compensate victims of e-mail hacking
Royal KPN NV, a leading Dutch telecommunications company, is offering compensation to subscribers affected by a days-long hacker attack this month that disrupted their e-mail services. More than 1,200 customers have applied for the compensation; KPN has rejected about 200 of the claims. The company also plans to form a cybersecurity unit and name a chief cybersecurity officer.

But can it do windows?
We’ve all seen the robot vacuum cleaners that propel themselves around obstacles, such as chairs and tables. The (U.K.) Register reports that iRobot, makers of the Roomba, have introduced a new device that operates around the throne. The iRobot Scooba 230 is designed to, among other things, clean the floor behind the toilet! The water-pumping, squeegee-wielding robot is tiny, about half the size of a new iPad, but unlike the device from Apple, still works when exposed to water.

For long-time players in the space, the answer was clear. For the rest, Intel’s CTO, Justin Rattner, stated that security was job number one. The immediate play was a tight integration of security technologies into the silicon, which is one of the many “holy grails” (or perhaps banes) of information security.

For years, various trusted platform module (TPM) technologies supporting digital rights management (DRM) initiatives and data-centric controls were built into chipsets and then integrated into a variety of systems.

The concept is somewhat elegant on paper: a virtual secure sandbox for cryptographic keys, SSL certifications, biometric data, AV hives and other controls that would allow for secure and trusted hardware level access on the integrated chipsets.

The whitepapers were compelling, but the industry had some technical challenges and philosophical issues that slowed adoption. Regardless of the various issues, Moore’s law drove the industry onward and Intel was no stranger to the technology.

After a bit of time, and many low vocalized rumblings, the industry is finally getting to see some of the fruits of the acquisition. The following is from a recent announcement from Xerox and McAfee:

“A new survey commissioned by Xerox (NYSE: XRX) and McAfee, reveals that more than half (54 percent) of employees say they don’t always follow their company’s IT security policies (33 percent) or aren’t even aware of the policies (21 percent) – leaving the security of customer credit card numbers, financial reports, and HR and tax documents at risk.”

Their partnered proposed response? Embedding McAfee technologies into Xerox devices.

While the article isn’t specific about what we can expect to see, one can certainly extrapolate that this integration may mean EPo, AV or even DLP style technologies resident in printers, scanners and fax machines.

Within the next decade, the advent of IPv6 and household appliances being issued networked interfaces could lead to refrigerators that keep tabs on milk-freshness and thwart the next malnet (thank you Team Cymru!) that cuts our power and defrosts everything in our freezer.

While this is spoken tongue-in-cheek, the fact of the matter is that as more and more critical systems convert into “green” appliances, our WiFi-enabled, smart-grid connected power meters and radio-frequency identification (RFID) capable edge devices will all carry some critical personally identifiable information (PII) and require continuity of operations. This in turn will require the vendors to integrate security solutions tightly into the firmware/hardware of the systems they provide.

However, telemedicine implementations aren’t only changing the face of medicine in doctor’s offices and patient’s living rooms. Video teleconferencing (VTC) solutions are also affecting the delivery of care for larger healthcare organizations, such as hospitals and healthcare systems.

If you’re a hospital in an inner city or multicultural area, there’s a good chance that someone will enter the ER in need of help that doesn’t speak a language that the ER staff is familiar with. In the past, someone would have to try to figure out what medical emergency was afflicting the person or track down an interpreter, whether it was a hospital staff member or a patient’s family member.

However, the presence of VTC solutions in emergency rooms provides a much faster and simpler solution. By delivering a professional interpreter into the ER via video, the patient can explain their symptoms to doctors and receive the care they need faster and more effectively.

Another example of increasing the speed of care via VTC is telestroke programs. When patients are suffering from a stroke, time can literally mean the difference between life and death.

For patients suffering from a stroke caused by blood clots, there are clot-busting medications than can be administered quickly to save the life of the patient. However, not all strokes are caused by clots, some are caused by bleeding, and it can often take a specialist to know the difference. By delivering specialists to the ER via video, the hospital can hasten the delivery of care and save lives.

Delivering more rapid care to patients is just one of the many benefits telemedicine brings to hospitals. The healthcare field is constantly shifting and changing. With new treatments and techniques constantly being identified and put into practice, it’s essential that hospitals keep their medical staff informed of the latest advances.

Telemedicine and VTC are being used today to train doctors, nurses and other medical professionals at hospitals. Telemedicine solutions can deliver live surgeries and demonstrations for hospital staff to view. They can also be used for interactive courses and training sessions. And while these education sessions are conducted, they can be recorded for future use.

Telemedicine solutions are not just for conducting appointments and check-ups. The innovative use of VTC solutions for telemedicine implementations is expediting care, improving quality of care and saving lives.