nCircle.com >> 360 Security >> Sync

June 25, 2008

iPhone success based on culture?

Ben Worthen of the Wall Street Journal suggests, in his BizTech blog posting, that iPhone adoption in the enterprise will hinge on business culture. Ben may be partially correct. But when it comes to enterprise infrastructure, "chic" doesn't get the PO signed.

The dynamic struggle between productivity and security is sure to come into play in the decision to support the iPhone on the corporate network. Ben appears to believe that the IT crowd bans technologies on the grounds that they enable the "goof off" factor, while employees interested in using the iPhone believe it will make them more productive. There is an element of truth in both viewpoints, but Ben overlooks a much larger issue central to the decision to support anything on the corporate network: compliance.

Ever since the Sarbanes-Oxley Act of 2002 changed the regulatory climate of business, the CIO's purchasing decisions have been heavily influenced by vendors' security practices. Public companies generally must comply with at least three different regulations, and many of the associated compliance requirements extend from the company to its entire supply chain.

Additionally, the consequences of failing an audit are not to be underestimated. Aside from the serious costs involved and the long-term consequence of having to endure more frequent and exacting audits, there is jail time to consider. It's enough to give any CIO pause.

In Ben's defense, he does make a practical point: businesses already invested in RIM's BlackBerry are the least likely to make the switch. This is just economics, plain and simple. Without a solid ROI plan, no sane business manager would overhaul existing infrastructure to switch to the iPhone when the current system already solves the problem, especially in a tight economy. But Ben also says that the switch will "hinge on culture." While culture is a critical component of a company's success (just ask Google), the majority of CIOs can't afford to nuke their existing infrastructure simply because the next cool widget to hit the market supports business email.

Ben's points about the cultural beliefs that skew corporate buyers away from the iPhone miss the most surprising element of Apple's strategy to capture enterprise market share: it is relying on Microsoft for security. No one else seems to see the irony in this that I do. For years, Apple's marketing has hammered Microsoft's products as bloated and full of security holes. However, Apple obviously realized that to enter the enterprise market it had to do something drastic. Evidently, the need to pump up iPhone sales was enough to get Apple behind Microsoft's Exchange ActiveSync. And remember, ActiveSync is more than just a method for delivering email to a handheld device; it is also Microsoft's conduit for pushing security configuration to the device, remote wipe included.

Apple builds its revolutionary device to be compliant with Microsoft's handheld information security platform? And they say politics makes strange bedfellows!

June 18, 2008

Phishing Circa 2004

Look what I found in my inbox. Yes, it's phishing circa 2004.

I am responding to the email for your auction which was posted on eBay. I believe i emailed you a week ago regarding this sale, and my interest in it.

Please confirm that it is the same auction with the one posted on eBay link:

http contact-member.1sta.com/ <http productionscout.com/mambots/contact.ebay.com/aw-cgi/eBayISAPI. dllSignIn .php>


I am very interested in this auction and ready to complete the deal as soon as possible.Hope to hear from you soon!

Sincerely,
Gene Holingsworth


(Note: URLs changed so people won't feel compelled to click on them)

Maybe the old skool tactic is working again? Seems that everything works in cycles, so you never do know.

April 18, 2008

PayPal's Browser Preference Protects Consumers

While most consumers knock on vendor doors to raise awareness and demand better security, PayPal is flexing its muscle in a different way: it is going to force its users onto approved web browsers. While this may seem disruptive, it is actually a rather old technique used by software vendors. Every piece of software you buy today, consumer or enterprise, comes with a list of approved and required components; if the user chooses a non-approved configuration, the vendor denies support. This is a natural progression for the Internet. Service providers who make such demands not only protect their bottom line but, in the long run, also protect the consumer. That is exactly what PayPal is doing, and it is good business for everyone.

The next disruptive technology to hit consumers and enterprises will be the single-site browser: browser-like client software that can be used for nothing but one website. Think of it as a traditional client/server application. If you need to use your financial system, you launch browser X; if you need the ERP system, you launch browser Y. At the far end of the spectrum, this feels like a ten-year step backwards in user productivity and IT operations management. In all likelihood, what we will see is still a single browser, but one intelligent enough to lock all network traffic to a single known and trusted site. In this scenario, the user would need to log off and switch context between system X and system Y, while the browser ensures no errant information gets transmitted to any other system.

Can it be pulled off? Given the open nature of the Internet and HTTP, it's rather easy to make web traffic look as if the user is running Internet Explorer instead of Firefox: a browser identifies itself only through the User-Agent request header, which any client can set to whatever it likes, so a browser check is a support policy, not a security control. Exactly how and whether service providers act on this initiative will be interesting to watch. We do already have one other service for comparison. Apple's iTunes is essentially the same situation: if a user wants to use the iTunes music store, they need to use iTunes. So far, that limitation hasn't seemed to limit Apple's revenues.

So what about the openness of the Internet? What about the market created by the browser wars? Are we going to see fewer browsers? Look at it this way: the more we demand features and functionality, the more the market will evolve.

April 8, 2008

nCircle at RSA This Week

nCircle is at RSA this week and we have remote control helicopters. Let's face it, people like to get free stuff at conferences. So come by the booth and learn how to get yourself one of these very cool RC helicopters.

[image: nCircleHelicopter.png]


And while I have your attention, we also have two employees speaking this week.

When: Friday, April 11 at 9:00 AM - 9:50 AM
Title: Using Game Theory to Outmaneuver Your Opponent
Location: GREEN ROOM 102
Speaker: Tim Keanini


Technology Showcase Presentation
When: Wednesday, April 9 at 11:30 AM
Title: Effective Scanning for Production Web Applications
Location: Booth 2603 (lower right corner of the show floor)
Speaker: Tim Erlin

March 28, 2008

Defining America's Most Trustworthy Companies

In Newsweek, Daniel Gross said there is a growing "crisis of confidence" when it comes to Wall Street. The evidence is readily available: the fall of Bear Stearns, the subprime mortgage mess, and consumer confidence declining to new lows. For the second year, Audit Integrity provided its annual data to Forbes, which published it as the list of the "most trustworthy companies". Audit Integrity claims to have an objective means of analyzing a company to deliver an accounting and governance risk score. Simply stated, that means something like "those companies that play by the rules and take few risks when it comes to creative accounting get a higher score", and the higher score is supposed to equate to a higher level of trust.

While it's the market data that gets the majority of the headlines these days, it's the careful choice of words now being used that gets my attention. Words like confidence, trust, trustworthy, fear. Sound familiar? They are the exact same emotional words we use in information security.

And while this blog isn't intended to discuss financial market stability, it is about risk management. For those of us in the information security world: open your eyes; there is a giant event happening outside the bubble of your office. Trust is at an all-time low. If you've been in any services-oriented group, infrastructure or operational setting for a while, you've probably already witnessed what happens when trust is lost: it is never regained to the level it once was.

To accept a vendor's information security practices is, to some degree, to say, "I trust you". Is that an accurate description of what just happened? Or are you, as the person ultimately held responsible for keeping your company's information secure, actually thinking,

"Our information security due diligence process, which took months (and way too much money), derived some kind of fallible rating that didn't fall into the bottom of the failure category. As such, we can do business, but I'm going to hand over reams of documents and disclaimers to some legal team, which now has the job of limiting our risk through contractual risk-avoidance disclosures".

We don't enjoy apathy or lackluster personal performance. And we don't relish the requisite current toolset either. Yes, we have regulation. Yes, we have defined standards, and we also have auditors, reports, disclosures and exceptions. And yes, we are supposed to use all of that to give the business guidance in determining the best route to deliver the upside, reduce risk and keep costs down.

While Audit Integrity's list of America's Most Trustworthy Companies might seem hard to grapple with for an information security professional, the idea itself gives this infosec person hope that one day I might see a similar list of America's Most Secure Companies. Though infosec still has many years of maturing to do before we can derive standards-based scoring anywhere near on par with the financial models. Hopefully, we can learn from this crisis of confidence and not repeat history.

March 6, 2008

Will iPhone 2.0 be Enterprise 1.0 Ready?

Undoubtedly you've heard about the iPhone SDK. While Apple DDoSes its own developer site with thousands of people trying to download the SDK, enterprise security managers are bracing for round 2 of iPhone security vs. the yearning corporate executive.

Putting myself in its proper place

Let's face it: the shiny objects at today's town hall meeting weren't the Exchange integration or the remote wipe feature. It was all about applications and their sheen. Salesforce.com, Electronic Arts, Sega and AOL all steered today's focus away from enterprise security and toward Apple's foray into cool. Let's also face it: enterprise security is only fashionable for a very small target audience. I'm in the minority.

Obviously, though, the minority does have a voice with Apple. Engadget's live blogging of today's events shows Phil Schiller taking the stage at 10:04 AM. By 10:19 AM he was done demonstrating all of the enterprise integration and security. The enterprise voice lasted 15 minutes; the SDK and third-party iPhone apps went on until 11:03 AM.

Does Apple really get it?

Does Apple really understand what it takes to sell something to an enterprise? An enterprise has tens of thousands of IPs, hundreds of network ingress and egress points, and thousands of ways for intellectual and private property to be absconded with. Let us not forget the deluge of regulations, oversight committees and conformance to hundreds of international governance restrictions. Most enterprises are not running in a resource-positive mode with overflowing headcount sitting idle, eager to consume another mobile device. For the iPhone to make headway in the enterprise it will have to upheave an existing technology. The most likely candidate for the smartphone junk drawer is the Windows Mobile device, not the BlackBerry.

RIM is here to stay

Phil Schiller's slide showing the 'old' Exchange integration vs. the new method was clearly meant to show ActiveSync's dominance over GoodLink and BlackBerry. Both of those 'inferior' technologies require an intermediary server, whereas ActiveSync is a direct push technology. However, BlackBerry enterprise managers look at it quite differently. They see the BlackBerry Enterprise Server not as a stumbling block but as a full-fledged, necessary component of the overall mobile device risk management solution.

Apple trusts Microsoft?

How many Mac vs. PC advertisements have you seen? Isn't the PC bloated, a Petri dish of viruses, representative of everything uncouth? But here is the catch: while we wait for Apple to release the nitty-gritty of how the iPhone's enterprise security controls function, Phil Schiller shows a slide that's right out of the Microsoft ActiveSync security deck. Could the iPhone's enterprise security offering be nothing more than an adaptation of the Windows Mobile security options? If so, Apple, in some strange twist of events, will be relying on Microsoft for security conformance.


Whatever happens, I, like hundreds of other security managers, reached out to my user base today. We all sent the predictable email to the entire company reminding them that, despite today's town hall meeting, the iPhone is still not an approved device (not yet).


March 5, 2008

Do Your Vendors Have Information Security That's Aaa Good?

I ripped this blog title off from CSO Online.

In December of 2006, I predicted that we would see a nationally recognized information security rating system come to fruition in 2007.

In today's financial markets, investors rely on analyst reports and metrics, often referred to simply by the name of the company providing the metric: Moody's, Morningstar, Fitch and others. For an investor, these rankings and metrics generally weigh heavily in decisions. However, we have no security index or rating system. If, as a consumer, you had a choice between taking a loan from two companies with different security index ratings, you might think twice. Would you risk your personal information being negligently handled in return for a lower rate, or take a slightly higher rate knowing your information is safer?

Well, 15 months later, Moody's will soon be announcing its own Vendor Information Risk Rating Service, according to this article in CSO Online.

As a security manager, I can't wait for the day when this approach is mainstream. The amount of time, resources and lost opportunity given to individually assessing each vendor's security practices drives me nuts. Let's hope Moody's does this well. Even more, let's hope that every independent and trusted rating company jumps on the bandwagon to drive competition in this new marketplace.

September 10, 2007

Free Lunch :: ReCAPTCHA

Product Information


Name: ReCAPTCHA
Website: http://recaptcha.net/
Category: Stopping the Bots
Date: 10-Sep-07

(This is part of a regular series where I discuss free information security products, tools, methodologies, hardware, etc. For a description of this column and to read other Free Lunch menus, check out the category archive)

The onslaught of bots and spammers gave birth to a new tool to differentiate human from android. Alan Turing would be proud to see just how much technology we have devised. One such technology is the CAPTCHA: the graphic of text and numbers we need to type in order to sign up for a service or comment on a blog. ReCAPTCHA uses this technology to solve more than one problem.

On May 24th, 2007, Carnegie Mellon announced a new method to improve the transformation of scanned text into digital form. ReCAPTCHA's motto, "Stop Spam. Read Books", describes it best. The idea is simple and elegant. Using the familiar CAPTCHA system, it presents the user with two word images: one whose text is already known and one that OCR failed to read. The user, not knowing which is which, enters both. If the user correctly solves the known word, the CMU system assigns a high probability to the user's reading of the unknown word, and once several users agree the word is considered transcribed. While digital scanners and OCR have advanced, there are still cases where humans are needed to turn images into text. ReCAPTCHA is one method of solving this problem.

Besides helping out the CMU book digitization project, ReCAPTCHA has a unique technical upside: nothing is stored on your server. Many of the existing CAPTCHA systems require a server-side process to generate and store graphics. Instead, ReCAPTCHA uses a public/private key pair and a client-server architecture to track challenges and tokens: the public key is embedded in your page to fetch a challenge, and your server verifies the user's response against the ReCAPTCHA service using the private key.
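To make the known/unknown grading concrete, here is an added simulation of the mechanism described in the two paragraphs above. It is illustrative code, not ReCAPTCHA's own: the real service renders distorted images and verifies responses through its API with your private key, whereas this model uses plain strings as stand-ins for the images, issues one-shot challenge ids so a solved challenge cannot be replayed, grades only the control word, and records the second answer as a vote that resolves the unknown word once enough independent votes agree. The word lists, the agreement threshold and the "honest user" and "bot" helpers are assumptions made for the demonstration.

```python
"""Simulation of the reCAPTCHA grading idea (added illustration, not reCAPTCHA code).

Each challenge pairs a word the service already knows (the control) with a
word OCR could not read.  Only the control is graded; a correct control
answer turns the other answer into a vote, and once enough votes agree the
unknown word is considered transcribed.
"""
import random


class ReCaptchaSim:
    def __init__(self, known_words, unknown_ids, agreement=3, seed=None):
        self.rng = random.Random(seed)
        self.known = list(known_words)      # words with a verified transcription
        self.unknown = list(unknown_ids)    # identifiers of OCR-failed word images
        self.agreement = agreement          # matching votes needed to resolve a word
        self.votes = {u: {} for u in self.unknown}
        self.resolved = {}                  # unknown id -> agreed transcription
        self.pending = {}                   # challenge id -> (control, unknown id, control slot)
        self._counter = 0

    def challenge(self):
        """Issue a challenge: two 'images' in random order plus a one-shot id."""
        control = self.rng.choice(self.known)
        open_ids = [u for u in self.unknown if u not in self.resolved] or self.unknown
        unknown_id = self.rng.choice(open_ids)
        slot = self.rng.randrange(2)        # which of the two positions holds the control
        cid = f"chal-{self._counter}"
        self._counter += 1
        self.pending[cid] = (control, unknown_id, slot)
        images = [None, None]
        images[slot] = f"<image of known word #{self.known.index(control)}>"
        images[1 - slot] = f"<image of unknown word {unknown_id}>"
        return cid, images

    def verify(self, cid, answers):
        """Grade the control only; a pass also records a vote for the unknown word."""
        entry = self.pending.pop(cid, None)  # each challenge id is valid exactly once
        if entry is None or len(answers) != 2:
            return False
        control, unknown_id, slot = entry
        if answers[slot].strip().lower() != control.lower():
            return False                    # human test failed; the other answer is discarded
        guess = answers[1 - slot].strip().lower()
        tally = self.votes[unknown_id]
        tally[guess] = tally.get(guess, 0) + 1
        if tally[guess] >= self.agreement:
            self.resolved[unknown_id] = guess
        return True


def honest_user(sim, truth):
    """Simulate a human who reads both images correctly.  A real human reads
    the pixels; here the control comes from the simulator's bookkeeping and the
    unknown word from `truth`, the transcription a human would produce."""
    cid, _images = sim.challenge()
    control, unknown_id, slot = sim.pending[cid]
    answers = [None, None]
    answers[slot] = control
    answers[1 - slot] = truth[unknown_id]
    return sim.verify(cid, answers)


def bot_user(sim):
    """A bot that cannot read the images and types the same junk for both."""
    cid, _images = sim.challenge()
    return sim.verify(cid, ["viagra", "viagra"])


if __name__ == "__main__":
    sim = ReCaptchaSim(["morning", "upon"], ["scan-17-word-3"], agreement=3, seed=1)
    truth = {"scan-17-word-3": "overlooks"}
    print([honest_user(sim, truth) for _ in range(3)], sim.resolved)   # [True, True, True] {'scan-17-word-3': 'overlooks'}
    print(bot_user(sim), sim.votes)                                    # False {'scan-17-word-3': {'overlooks': 3}}
```

The bot fails the control and therefore never gets to vote, which is what keeps the digitization data clean; the random slot means a solver cannot learn which word is graded and only bother with that one.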

Product Rating: Features, Ease of Use, Documentation, Community, Overall (star ratings shown as images in the original)

Overall, ReCAPTCHA is an interesting implementation of a CAPTCHA system. While its use may not be directly apparent in your security architecture, consider it anywhere you want to increase the likelihood that there is a human on the other side of the conversation. nCircle recently implemented ReCAPTCHA on our blog, and I'd recommend others do the same.
Enjoy the free lunch.

Additional Resources

What is CAPTCHA and how does ReCAPTCHA work

ReCAPTCHA API documentation

ReCAPTCHA and CMU Press Release


September 6, 2007

The Security Trickle Down Effect

Sarbanes-Oxley, ISO 27002, GLBA: what do they all have in common? Each contains, at least in part, an information security standard or regulation. With respect to business size, relatively few small or medium-sized businesses are directly mandated to conform to these or other standards and regulations. Even though it is the upper end of the medium-sized businesses and large businesses throughout that are affected by mandated standards, the smaller companies are still being affected by a trickle-down movement.

The trickle-down effect was originally coined as a marketing term to describe the spread of consumer goods across socioeconomic classes. As new, highly desired products were put on the market, their initial high price tag meant only those with discretionary cash could afford them. Over time, the product penetrates all markets as the price drops, thus trickling down to its full market reach. Those familiar with Reaganomics will find the term "trickle-down economics" common rhetoric: providing more working capital to top-tier businesses trickles cash down to the working class. Many other trickle-down models have been explored; one that seems to be in play today is that of information security.

The typical nCircle customer is a multinational, global enterprise or a local, state or federal government agency. These are the entities at which regulations like SOX, FISMA and GLBA are targeted. It's also the same subset that employs standards such as COBIT and ISO 27002. Each of our customers has lengthy contractual security agreements that each of their vendors must adhere to, which in turn have been driven by the regulations and standards they must meet. nCircle likewise returns the effort by ensuring its vendors employ meaningful security measures. The outcome is a security trickle-down effect.

Selling to these enterprise and federal organizations has altered the way my team addresses security at nCircle. While our strategic and tactical methods for controlling risk met every stipulated requirement, we lacked organized and fresh documentation. Today, our policies, procedures and records are much better kept. We have an official InfoSec team, executive-approved SLAs and up-to-date standard procedural documentation.

What's more interesting are the ways in which our customers' requirements influence nCircle's vendors. Any potential vendor to nCircle must disclose its information security practices to us. We take a graduated approach depending on what information the vendor may have access to. Depending on the risk the vendor might pose to us, and likewise to our customers, the third party must answer anywhere between 20 and 100 questions before being evaluated by the InfoSec team. We are proud to see these vendors step up their own information security practices to meet our requirements.

While it might sometimes be hard to look beyond the security breaches of Fortune 500 companies and federal agencies to see that security is moving in a positive direction, the same is still said of the Reaganomics era. The actions of our customers, of nCircle and of our vendors in driving information security can, to some degree, be attributed to a trickle-down effect. There is no doubt in my mind that a handful of our vendors would have been left behind if it weren't for their wanting nCircle's business. The technical tools, policies and procedures that a company uses to reduce risk are still a valid competitive value-add. Security is getting better, and one driving factor is the trickle-down effect.

August 6, 2007

Response to iPhone security concerns exaggerated

Macworld recently published an article stating that analysts have exaggerated the security concerns of the iPhone. Some of the statements in the article regarding the security of the iPhone and of mobile computing overall deserve further commentary. While I for one have taken it "on the chin" for not jumping on the I-Heart-The-iPhone bandwagon, the purpose of this follow-up is to set the stage for an open discussion of overall smartphone risks to the enterprise.

(The statements printed by Macworld, in the voice of Andrew Jaquith, are quoted below.)


Policy Always Includes Security

"There are reasons not to support the iPhone - you don't want to support IMAP or the flavor of VPN that the iPhone uses - those are policy decisions," said Jaquith. "Security is not the reason."

Policy, whether directly related to security or not, must always include risk and thus security. It may be policy that your supported IT applications don't include specific types of VPN or email connectivity over IMAP, but to take security completely off the table when talking policy is shortsighted.

Sensitive Data is on the Device

One argument researchers have against the iPhone is that it has no data security features. Jaquith counters that the iPhone does support SSL and TLS and that there is little sensitive data on the iPhone that needs to be encrypted.

When it comes to information security, it's far better to assume that the iPhone will enter the enterprise network and that users of all types will store sensitive data on the device. Looking at the iPhone from a non-business perspective, users are sure to store private data on the device to reduce the complexity of their own lives. Items such as ATM PINs, passwords, social security numbers, voicemail passwords and more are all commonly found on cell phones. Let us not forget the Paris Hilton incident years ago, when the data on her Sidekick was stolen. Turning to the iPhone as a business enabler, certainly the email and contacts of any business are confidential and may be considered competitive information. It's certainly better to assume data encryption is required than to learn the hard way later.

Gartner's Dulaney pointed out that the iPhone doesn't have remote wipe (the ability to wipe the phone's data if it is lost) and that it doesn't have a firewall. Again, Jaquith said it just doesn't matter because of the type of data the iPhone has on it, and none of the iPhone's processes require open TCP/IP ports.

How does the lack of listening ports on a device make the lack of remote administration tools less of an issue? Gartner is correct here: the lack of any centralized and remote policy enforcement for the iPhone makes it considerably less of a valid option for enterprise smartphone usage. Furthermore, when examining the currently released landscape of iPhone vulnerabilities, all of them exist in the MobileSafari web browser. Client-side exploitation does not require the device to have open ports, nor will a firewall provide any mitigation: the device initiates the connection outbound, and the malicious content rides back in the reply.

Security Thru Obscurity

The Yankee Group also contends that opening any needed ports to allow email connections not going through VPN can be done on non-standard ports, minimizing any risk.

Moving standard services to non-standard ports is not an accurate risk-reduction methodology. Discovering IMAP bound to an odd port is an extremely easy job for freely available tools: a scan of all 65,535 TCP ports takes less than a day, and the service announces itself with its IMAP greeting banner regardless of which port it listens on. Once you have that data, it's just as easy to point your remote attack tools at the different port.
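The point above is worth seeing in code. The following is an added example, not from the original post, of banner-based service identification: it classifies a server's greeting by content rather than by port, so IMAP on port 1143 is recognized exactly as IMAP on 143 would be. The host in the fixture is constructed (a dictionary standing in for a target that hid IMAP on 1143), the greeting strings are typical of the named daemons, and `tcp_grab` is the real socket version you would pass in place of `fake_grab` against a live host you are authorized to test.

```python
"""Locate a service by what it says, not by the port it sits on.

Banner grabbing: connect, read the server's greeting, and classify it.  An
IMAP daemon answers "* OK ..." whether it listens on 143 or 1143, so moving
it to an odd port only changes which connection attempt finds it.
"""
import re
import socket

# Greeting patterns; order matters where prefixes overlap (FTP and SMTP both use 220).
SIGNATURES = [
    ("imap", re.compile(rb"^\* (?:OK|PREAUTH|BYE)\b")),
    ("pop3", re.compile(rb"^\+OK\b")),
    ("ssh",  re.compile(rb"^SSH-\d\.\d+-")),
    ("ftp",  re.compile(rb"^220[ -].*\bFTP\b", re.I)),
    ("smtp", re.compile(rb"^220[ -]")),
]


def identify(banner):
    """Classify a greeting banner; b'' means the port is open but silent."""
    if not banner:
        return "silent"
    for name, pattern in SIGNATURES:
        if pattern.match(banner):
            return name
    return "unknown"


def scan(grab, ports):
    """Map each port that accepted a connection to a service name.

    `grab(port)` returns the greeting bytes (b'' if nothing arrived before the
    timeout) or None if the connection was refused or filtered."""
    found = {}
    for port in ports:
        banner = grab(port)
        if banner is not None:
            found[port] = identify(banner)
    return found


def find_service(grab, ports, wanted):
    """Sorted list of ports on which `wanted` (e.g. 'imap') was recognised."""
    return sorted(p for p, s in scan(grab, ports).items() if s == wanted)


def tcp_grab(host, port, timeout=2.0):
    """Real grabber: one TCP connect, read up to 256 bytes of greeting."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                return s.recv(256)
            except socket.timeout:
                return b""          # open, but waits for the client to speak first (HTTP etc.)
    except OSError:
        return None                 # closed or filtered


# Constructed fixture standing in for a host that hid IMAP on port 1143.
FAKE_HOST = {
    22:   b"SSH-2.0-OpenSSH_4.7\r\n",
    25:   b"220 mail.example.test ESMTP Postfix\r\n",
    1143: b"* OK [CAPABILITY IMAP4rev1 STARTTLS] Dovecot ready.\r\n",
    8080: b"",     # open but silent: a greeting-only grab cannot name it
}


def fake_grab(port):
    return FAKE_HOST.get(port)


if __name__ == "__main__":
    print(find_service(fake_grab, range(1, 65536), "imap"))   # [1143]
```

Two caveats the fixture makes visible: protocols where the client speaks first (HTTP on 8080 here) show up as open-but-silent and need an active probe, and identification by greeting is only as good as the signature list. In practice you would let `nmap -sV -p- <host>` do both, since it ships with a far larger probe and signature database; the logic above is what that option does for the talkative protocols.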

Custom Apps and File System Access

In addition, all custom applications that run on the iPhone are web-based, and users do not have access to the underlying file system.

Despite great demand for an iPhone SDK, Apple instead chose to deliver a fully functional browser called Mobile Safari. According to Apple, this permits developers to write full Web 2.0 AJAX applications. The downside is that third-party security vendors also can't deliver the applications the enterprise desires, namely integrated AV, anti-spyware, data encryption and firewall. Furthermore, access to the file system on an iPhone is now relatively easy: with physical access to the device, one can run a free tool called Jailbreak. We also recently learned, from the research by Charlie Miller and his team at ISE, that all applications run as root. This means that once an application is exploited, the injected code has access to all applications and data on the iPhone.

Summary

"Security worries about the iPhone are overblown," said Jaquith. "To boost employee productivity, enterprises would be better served thinking about how to accommodate the iPhone. It's the best phone and iPod I've ever used."

The iPhone and all smartphones on the market today are incredibly powerful devices. These pocket computers rival the computing power of the most powerful devices of just 10 years ago. Security worries about any smartphone should not be taken lightly. While the iPhone may just be the latest device to hit the market, how the enterprise decides to take full advantage of mobile computing is a much more important topic.

To learn more about my top list on managing smartphones, read my prior post on "Supporting smartphones in the Enterprise".