Archive for the Remote Access Category

Mobile Telehealth Devices

One truly meaningful use of modern cellular networks, aside from gaming, sports scores and TV streaming, is mobile telehealth.

Sensors are placed near or on individuals with medical conditions, and updates are communicated via the cellular network to a location that will record, analyze and, if necessary, act upon them. For example, regular communication of a person’s blood pressure taken every couple of hours for a week.

The authenticity, integrity and confidentiality of the data path must be guaranteed. This raises the need for secure communications for mobile telehealth devices.
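One way to get all three properties for the periodic readings described above, as an added example (not code from the original post or from any device vendor): each reading is sealed with AES-256-GCM, and a device ID plus a strictly increasing counter serve as the nonce and as the replay check. The per-device key provisioned out of band, the names `NewAEAD`, `Seal` and `Open`, and the wire layout are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal returns deviceID||counter||ciphertext||tag. The 12-byte header is also
// the GCM nonce, so a counter must never repeat under one key.
func Seal(a cipher.AEAD, deviceID uint32, counter uint64, sys, dia byte) []byte {
	hdr := make([]byte, 12)
	binary.BigEndian.PutUint32(hdr[:4], deviceID)
	binary.BigEndian.PutUint64(hdr[4:], counter)
	return a.Seal(hdr, hdr, []byte{sys, dia}, nil)
}

// Open verifies the tag and decrypts, then rejects counters not above last[id].
func Open(a cipher.AEAD, last map[uint32]uint64, msg []byte) (sys, dia byte, err error) {
	if len(msg) < 12 {
		return 0, 0, fmt.Errorf("short message")
	}
	pt, err := a.Open(nil, msg[:12], msg[12:], nil)
	if err != nil || len(pt) != 2 {
		return 0, 0, fmt.Errorf("authentication failed")
	}
	id, ctr := binary.BigEndian.Uint32(msg[:4]), binary.BigEndian.Uint64(msg[4:12])
	if ctr <= last[id] {
		return 0, 0, fmt.Errorf("replayed or stale counter %d", ctr)
	}
	last[id] = ctr
	return pt[0], pt[1], nil
}

func main() {
	a, _ := NewAEAD(make([]byte, 32)) // constructed all-zero demo key
	last := map[uint32]uint64{}
	msg := Seal(a, 7, 1, 120, 80)   // device 7, counter 1, reading 120/80
	fmt.Println(Open(a, last, msg)) // accepted
	fmt.Println(Open(a, last, msg)) // same bytes again: rejected as a replay
}
```

The device has to persist its counter across reboots; restarting from a lower value would both reuse a nonce and be rejected by the receiver.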

One must question the current security model followed and implemented by the mobile telehealth device manufacturers. Some will take it seriously, others will not.

Mistakes of Home Office Computing

I have worked at home for part of each week for over ten years. I have never had any guidance from my employer on security practices, mandates or recommendations (less the case where I am the employer or part-owner). I think I do a pretty decent job at securing my home and mobile computing environment.

I was interested in how I fared after reading a recent article entitled Seven Deadly Sins of Home Office Security. Let’s consider them:

  1. Failing to physically secure the office.
  2. Failing to install the most basic computer security measures.
  3. Forgetting Wi-Fi security.
  4. Failing to separate your business from your home.
  5. Failing to remember your office is a place of business and is held liable as such.
  6. Forgetting to back up data.
  7. Failing to consider bigger business continuity issues.

Probably my biggest mistake, according to this list, is separating my business from non-business activities as it relates to my computer. For me, who works in a small business environment, my business is very much part of my life and working at home is what I do.

If I want to watch a Netflix streaming video on my computer, I will do so without hesitation.

I back up regularly but probably not regularly enough. I am thinking strongly about a remote backup system to bolster my business continuity posture.

This list is a good checklist. But the better solution is for the management team to insist upon a prudent yet reasonable approach to remote and home computing with clear policies backed by consistent audits and enforcement.

Telecommuting Security Concerns and Recommendations

I am a telecommuter. Over the past 13 years, I have worked some of the time out of my home office, in some cases 100 percent of the time. For the past three years, it has been at least 75 percent of the time, going into the office twice a week on average to coordinate face-to-face with my colleagues.

About 15 years ago, I worked for a mid-sized company that had a dual-authentication policy for remote access – clear text dial-up with SecurID one-time password authentication. At the time, we were on the leading edge.

Aside from the SecurID token, in all my professional working life, I do not recall ever being given a remote computing policy by a company I worked for. However, as a security professional, I have realized the importance of following sound practices. I have taken matters into my own hands. Some of the things I have done and encourage others to do are as follows. Some of them were addressed in a recent CSO article, 4 Telecommuting Security Mistakes.

  • Careless use of Wi-Fi and accessing unsecured networks — if you have a wireless router (most homes do), make sure it is secured using modern technology (WEP does not count). Make sure you change the default settings and try to make the configuration as obscure as reasonable. My SSID is not HayesWIFI. I actually prefer using a wired connection. I have this phobia that that integrated Wi-Fi radio, a few inches from my head, is giving me brain cancer.
  • Letting family and friends use work-issued devices — an easy rule for everyone. This computer or these computers that belong to dad or dad’s work, mom or mom’s work, spouse or spouse’s work are for his use only. Avoid the plea to allow your family members to use the laptop for a school presentation … even if it is just “this one time only.” Let all know that dad cannot risk anything happening to it as it might impact his ability to earn a living. Lock it down (Kensington locks) and make sure you use timeout passwords.
  • Altering security settings to view Web sites that have been blocked by the company — never a problem for me as I have never had a corporate-assigned policy on my laptops. If you do have one, then regardless of how unreasonable the policy is, accept it. If you feel the site or sites are blocked and you have a business need to access them, make your case.
  • Leaving a work-issued device in an unsecured place — whether it is a laptop/notebook or PDA, make sure it is physically secured. It does not belong for any length of time on the passenger car seat (theft), kitchen counter (food and liquid), unattended in the back yard (theft, sprinklers, weather), in the bathroom (duh).
  • Back up the hard drive on a regular basis — this will help or hurt you more than anything. I had a hard drive fail…really fail. Luckily I back up the hard drive regularly: for me, every couple of weeks. I also use a USB thumb drive for backing up certain items; for example, things I am working on presently, prior to having emailed or distributed to others. I guard the thumb drive and the USB hard drive as I would my laptop — as something more important than the cash required to replace the hardware. If your company supports a central backup, use it. If not, consider a third-party online backup solution. They cost $50-75 a year. Well worth it.

I love working from home. I tend to work more hours, as I am always at work. But it is worth it to me. A few simple rules can help preserve that flexibility while securing the computing and networking processes.
