Defining an enterprise mobile device passcode policy can be surprisingly difficult. Security managers must attempt to reconcile two opposing goals. They must:

• Create a passcode policy that is strong enough to protect the device if it is lost or stolen, while:
• Not annoying users with needless length or complexity

These goals are hard to reconcile because mobile devices like smartphones and tablets are personal, portable and convenient. Employees use their devices in places they wouldn’t use a PC: in the car, during their kids’ football game, and during (shall we say) otherwise unproductive periods of the day. It’s tempting to simply duplicate existing network security policies. The rationale goes something like this: smartphones and tables are nothing more than small PCs with antennas, so the password policies should be the same as for PCs. It’s easy to think that, but it’s the wrong attitude.

This whitepaper will describe the passcode policy Andrew recommends for mobile devices that comply with NIST’s e-authentication Level 1 guidelines as described in Special Publication 800-63, “Electronic Authentication Guidelines”. The policy is reasonable, employee-friendly and highly usable, but strong enough to protect your company’s data. To cut to the chase, here’s what it is:

• 8-digit numeric PIN
• Simple PINs disallowed
• Automatic lock after 15 minutes
• Grace period of 2 minutes
• Automatic wipe/permanent lock after eight wrong tries
• No expiration

Click here to read the whitepaper.

Last week I hosted a webinar called “5 Data Security Predictions for 2011.” The webinar was my first of many for Perimeter. It was lots of fun. I received some excellent questions from the audience. And I was gratified to see that we had several hundred registered attendees, too!

For those of you who couldn’t make the webinar, you can click on this link to view the replay. But if you are allergic to multimedia, I thought I’d summarize the topics I covered in the webinar here. Last week’s webinar had three goals:

• To take a look back at the key security trends from 2010
• To summarize the three most interesting security events of the last year, and the lessons we learned from them
• To predict five data security trends for 2011

This post covers the first item on the agenda: looking back at 2010.

2010: The Year of Living Dangerously

With many apologies to the actor formerly known as Mel Gibson, 2010 extended and deepened four trends we’ve seen in previous years. These should seem familiar to you, but there are a few twists that make them worthy of comment. In 2010, we observed:

• Multiplying threats. It should come as no surprise to astute security professionals that malware has continued to proliferate. As with previous years, the number of circulating malware samples increased, by some counts, by a factor of 10 over the previous year. McAfee, for example, estimates the the number of samples has exceeded 50 million. Other AV vendors have reported similar figures. The reason for the increases is simple: attackers are creating malware in smaller “batch sizes” (but with a larger number of batches) to evade detection by anti-virus engines. We are getting close to what I call “designer malware”: one signature, one victim. It’s not hard to understand why that strategy would work for the bad guys: if you can create unique malware for each victim, you can slide under the radar screen of the AV labs because the prevalence is nearly zero.  The low-and-slow attack vector for modern malware is a difficult challenge for everyone in the industry. And it is clearly successful. From Perimeter’s perspective as an MSSP, we have been tracking nearly 25 botnets that we’ve observed in action inside our customers’ networks. We expect to track more incursions in the future.
• Migration of malware to the web. Hand-in-hand with the explosion in malware samples is the change in attack tactics. Instead of mailing infected attachments to their intended victims, the bad guys are much more likely to send e-mails with hyperlinks in them, which they then induce the recipient to click on. When clicked on, the link leads to a site that dynamically generates “drive-by” malware that is custom-made for the victim. Again, this goes back to the “designer malware” comment in the previous bullet. Some of the vendors I’ve worked with in the past (like WebSense) have noted the movement of malware away from e-mail and towards the web. As an MSSP with content filtering services, we’ve noticed it too. What it means for our customers is that web content-filtering becomes a lot more important than it used to be. Keeping inbound web traffic free from malware becomes as critical for security (indeed, more so) than the outbound stuff. Never mind whether Johnny in Accounting is spending too much time on ESPN’s website — you should care just as much if he’s getting 0wned when he goes there.
• Mobile security fears. From the iPad to those newfangled Android devices, every enterprise I’ve spoken with is worried about what modern Post-PC devices will do to their security posture. The urgency stems from two sources. First, managers want to know how to apply security controls to consumer-grade gear being brought into the workplace by employees and executives. They want to know what kind of password and data protection policies they need, and how to apply them to gear that isn’t named BlackBerry. Second, companies have concerns about the iPad in particular, because of business initiatives outside IT. Both scenarios are equally important. You can read about my perspective on Apple devices in this Forrester report, which I wrote last summer, and in press accounts of it here and here.
• More compliance pressures. Compliance and security are often conflated, but it’s best to view the kinds of security activities enterprises do for compliance purposes as a kind of tax they have to pay to stay in business. And every year, the “tax rate” goes up. For example, with the passage of the HITECH provisions of the American Recovery and Reinvestment Act (ARRA) of 2009 (aka “the stimulus bill”), health care Covered Entities (hospitals and providers of medical care) and their Business Associates (insurers, and other partners) are subject to more stringent rules on what they must do to safeguard personal protected health information (PHI). For retailers, recent revisions to the Payment Card Industry’s Data Security Standard (PCI-DSS) means that businesses that accept and process credit cards must tighten up their wireless networks, manage their server log files better and audit their web-facing applications. And in the banking sector, new rules from FINRA around social media means that employers must monitor their employees’ use of Facebook and other outside websites.

All four of these trends are top-of-mind concerns for just about every security professional and CISO I speak with. What is most interesting for me, as an observer, student of security and CTO is the mix of concerns. Threats and compliance pressures are perennial concerns: they are always with us, and always need tending to. The attackers won’t stop brewing up increasingly lethal doses of malware for consumption by the unwitting, and the auditors won’t put down their clipboards. But the new evergreen issues on this list — mobile security, and the increased lethality of web content — could cause rapid shifts in company security postures very quickly if they aren’t dealt with. How we respond to these two issues is the key.

And on that note, we’re at a good breaking point for this post. The next posts will summarize what we learned from 2010′s three most interesting events, and offer predictions for  2011.

Red Flags is relatively new legislation designed to prevent identity theft by having companies implement formal, written programs to identify the warning signs, or “Red Flags” of identity theft. Many organizations are pushing back on the FTC saying they should not be required to comply. To date, I have heard of no group or company being given an exception. The American Bar Association (ABA) has recently filed a protest to the FTC on behalf of lawyers stating that they should not have to comply. The regulation states that all “Creditors” which are essentially any company who defers payment must comply. Obviously that is most companies, large and small.

Financial institutions are also required to comply, but their date did not change from the original November 1, 2008 date. According to Gartner, most of these organizations were already close or had policies in place anyway. So this is of greater impact to non-financial institutions right now.

If you’d like to learn more, click here to view a webinar I hosted in May about ensuring Red Flags compliance.

Credit card issuers will also be able to get at least partial reimbursement for reissuing credit cards and fees associated with customer fraud and losses.  This is good news because over 600 banks have already reported losses associateed with the Heartland breach.

This is one of the first signs of real “teeth” in the PCI DSS.  Card brands are taking these breaches seriously and placing the blame and responsibility at the feet of those at fault.  I think this is a good move for VISA.  Until now, PCI was beginning to look like a way to hide from responsibility and fend off lawsuits.  With this move, it just may move in the direction of compelling merchants and processors to take data security seriously for the purpose of eliminating consumer fraud.  Lets hope anyway.