Welcome!

Cloud Expo Authors: Jason Bloomberg, Torben Andersen, Elizabeth White, Adine Deford, Sergio Varga

Related Topics: Security, Wireless, SOA & WOA, Web 2.0, Cloud Expo

Security: Article

Online Holiday Sales Have Begun: Have You Secured Your Enterprise Network?

Do employees really need access to the corporate network via their smartphones?

It's that time of the year again. The flood of email alerts showcasing online holiday shopping deals fill the inbox at your office PC, laptops and wireless devices as merchants attempt to lure online shoppers to "click and save" while supplies last. In fact, reports show that this year's "holiday shopping" deals have already started as retailers attempt to stretch the holiday shopping season - to begin even earlier than Black Friday.

According to a recent report in Time, Booz & Co. chief retail strategist, Thom Blischok states. "We're not going to see a huge increase in sales growth for Black Friday this year....What we do expect is a lot of ‘showcasing' on Black Friday. Shoppers will check things out in stores, electronics especially, but then purchase online on the Monday after. Cyber Monday sales will explode this year."

While this is good news for merchants, it can become a virtual nightmare for corporate network administrators. With millions of online shoppers turning their office PCs, laptops, and wireless devices into online shopping carts, they hog valuable network bandwidth meant for corporate applications such as e-mail, SAP, Salesforce, and other business-critical applications.

The onslaught of personal smartphones and tablets connecting to corporate networks fully capable of performing browser-based shopping are further affecting normal business operations. According to ABI Research, more than 36 percent of consumers own at least three wireless devices. eCommerce merchants now alert wired consumers with daily deals almost instantly via mobile marketing. This surge has placed greater demands on network monitoring solutions as the mobile device market continues to grow at an astounding rate of five billion subscribers worldwide.

Most organizations allowing employee-owned devices onto their corporate networks (73% according to Aberdeen) find it not only drains their bandwidth, but also opens up severe internal security threats to proprietary information stored on the network. Employers assume this as increased productivity for employees armed with mobile devices and cost savings for hardware not purchased by the corporate office as most employees (54 percent, according to Yankee Group) demand to use their own devices at work.

According to IDC Research, however, 30-40 percent of Internet use in the workplace is non-business related. Vault.com found 37 percent of workers admit to surfing the Web constantly at work for personal interests. This underscores the need for mobile device traffic monitoring. How can network admins monitor employee internet usage and take corrective action?

Companies can easily set guidelines for network traffic monitoring to safeguard against employees armed with BYOD - especially during high traffic holiday shopping/sale months - in a few easy steps.

MAC Addresses and Mobile Devices
The old and sort of cumbersome way is to monitor the unique MAC addresses that are used by each smart mobile device that accesses an Ethernet network. The 6 byte (i.e., 48 bit) MAC address is generally in two parts: The first 3 bytes are the MAC Address vendor ID generally shared by hundreds or even tens of thousands of devices produced by the manufacturer; the second set of three bytes are unique to the device.

A 48-bit Ethernet MAC address has two components, each of which is 24 bits:

*24-bit Organizational Unique Identifier (OUIIEEE regulates the assignment of OUI numbers. Within the OUI, the two following bits have meaning only when used in the destination address:

  1. Broadcast or multicast bit - indicates to the receiving interface the frame is destined a group of end stations on the LAN segment.
  2. Locally administered address bit - normally combines OUI and a 24-bit station address. This is universally unique; however, if the address is modified locally, this bit should be set. Some vendors like Apple set this bit automatically.

Generally, the MAC address is not changed by the end user, thus dynamic IP addresses are often not used to track or report on mobile phone devices. Organizations using NetFlow and IPIX can in fact track these MAC addresses.

MAC Addresses and NetFlow
Traditional flow data (e.g., NetFlow v5) exports IP addresses, but not MAC addresses. NetFlow v9 and IPFIX introduce the ability to export any information on the router including MAC address.

A reliable Network Traffic Analyzer can be used to report to report on NetFlow and IPFIX. The NetFlow Analyzer should offer a filtering architecture to allow traffic analysts to include or exclude portions of MAC addresses. If the administrator wants to narrow a particular vendor (e.g., 00.00.0c) or the iPhone (e.g., 60:33:4b, 64.b9.38, etc.), a reporting tool can filter on these vendor IDs. Once vendor IDs are added to the report, the type can be changed to view different reports. For example, the top domains these mobile devices are visiting can be obtained if the router, switch, or firewall exporting the NetFlow or IPFIX includes URL information. The IT manager can often click on the domain (e.g. facebook.com) and look at URLs visited with mobile device.

Tracking BYOD
By forcing users to authenticate all devices onto the network and agreeing to an operating system scan, network administrators can maintain an active inventory of who (i.e., username) authenticated onto the network and with what type of device. Detailed reports can be run on the volume of iPhones, Androids, Blackberries, iPads, etc. that have authenticated onto the network. Since the MAC address is obtained from every authenticated device, it can be cross referenced with the NetFlow and IPFIX received to look at traffic patterns. This is a much more scalable solution and less error prone approach than the traditional track-down-all-the-mac-addresses approach.

Smartphones: Network Security Challenge
Allowing smartphone access to corporate resources often requires adapting new corporate mobile strategies and policies. Many companies provide VPN access to the corporate network from computers when working remotely. While VPNs offer a secure connection by encapsulating data, many smartphones don't support them (e.g., iPhone). This is partly because the hardware doesn't have the processing power to keep up with encryption processes on-the-fly. Due to pressure from management and remote users, VPN enforcement is often lax. Most employees obtain corporate access from any public network, which includes public places like local coffee shops. This opens Pandora's Box when it comes to security threats.

Smartphones are an ideal tool for cybercriminals to push their malware, viruses, worms and other threats onto corporate networks. With many important titles, email addresses and phone numbers sitting on just about every network-capable mobile phone, stealing confidential emails or pushing botnets onto the company network is easier with traditional security measures put aside in favor of easy remote access. With smartphone synchronization, infection can easily migrate onto a PC - a Trojan horse method that infects the PC could provide access to the corporate network. On the other hand, the data carried on smartphones can be targeted through malware on PCs.

Direct Attacks on the Mobile Phone
Some employees try to increase the security of their phone with special anti-theft software or by encrypting their memory card. These solutions are aimed at making data protected from physical attacks. However, those are done by pickpockets, who are less interested in the mobile phone content than reusing or reselling the device.

Cybercriminals do care about sensitive information stored on smartphones, but they don't need physical access to the phone to retrieve it. Rather, they will exploit any vulnerability - for instance in the phone's Web browser (such as the WebKit vulnerabilities on Android phones) - or use social engineering tricks to install malware on the phone. Once the phone is infected, it's easy for the cybercriminal to access any data on the device. In those cases, the locks are useless and the memory card is dynamically decrypted when used.

Businesses must add employees to the corporate network easily and cost-effectively while maintaining desired security levels and remote management capabilities. Traditionally, the RIM BlackBerry Enterprise Server (BES) has been the gold standard among organizations with corporate-liable policies, providing sophisticated security and management capabilities.

However, smartphones like Androids and iPhones are becoming more popular, and some organizations feel obligated to embrace these as part of the employee-owned smartphone strategy. These are also supporting minimum security requirements, like timed-lock and remote wipe in the case of a lost or stolen handset. Some mobile apps, like Touchdown for Android, provide Exchange ActiveSync capabilities that support security policies to ensure security of the corporate data on the smartphone. Clearly, organizations need to rethink their mobile Smartphone strategies and take into account the proliferation of employee-owned smartphones.

Setting up single sign-on is another strategy that could be implemented on corporate networks. However, as of today, it's not supported on the iPhone. Whatever the decision, a careful evaluation of mobile devices accessing the network needs to be executed.

Ultimately, the question is: Do employees really need access to the corporate network via their smartphones? If they are provided access, then IT must secure the network to make sure the onslaught of online holiday shopping and sales offerings don't turn the season to "nightmare" before Christmas for the network bandwidth.

So, this holiday season, stay safe out there and don't forget to drive safe - on the road and in cyberspace.

More Stories By Michael Patterson

Michael Patterson, is the founder & CEO of Plixer and the product manager for Scrutinizer NetFlow and sFlow Analyzer. Prior to starting Somix and Plixer, Mike worked in a technical support role at Cabletron Systems, acquired his Novell CNE and then moved to the training department for a few years. While in training he finished his Masters in Computer Information Systems from Southern New Hampshire University and then left technical training to pursue a new skill set in Professional Services. In 1998 he left the 'Tron' to start Somix and Plixer.

Comments (0)

Share your thoughts on this story.

Add your comment
You must be signed in to add a comment. Sign-in | Register

In accordance with our Comment Policy, we encourage comments that are on topic, relevant and to-the-point. We will remove comments that include profanity, personal attacks, racial slurs, threats of violence, or other inappropriate material that violates our Terms and Conditions, and will block users who make repeated violations. We ask all readers to expect diversity of opinion and to treat one another with dignity and respect.


@CloudExpo Stories
“We help people build clusters, in the classical sense of the cluster. We help people put a full stack on top of every single one of those machines. We do the full bare metal install," explained Greg Bruno, Vice President of Engineering and co-founder of StackIQ, in this SYS-CON.tv interview at 15th Cloud Expo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
AppZero has announced that its award-winning application migration software is now fully qualified within the Microsoft Azure Certified program. AppZero has undergone extensive technical evaluation with Microsoft Corp., earning its designation as Microsoft Azure Certified. As a result of AppZero's work with Microsoft, customers are able to easily find, purchase and deploy AppZero from the Azure Marketplace. With just a few clicks, users have an Azure-based solution for moving applications to the...
SYS-CON Events announced today Isomorphic Software, the global leader in high-end, web-based business applications, will exhibit at SYS-CON's DevOps Summit 2015 New York, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. Isomorphic Software is the global leader in high-end, web-based business applications. We develop, market, and support the SmartClient & Smart GWT HTML5/Ajax platform, combining the productivity and performance of traditional desktop software ...
The cloud is becoming the de-facto way for enterprises to leverage common infrastructure while innovating and one of the biggest obstacles facing public cloud computing is security. In his session at 15th Cloud Expo, Jeff Aliber, a global marketing executive at Verizon, discussed how the best place for web security is in the cloud. Benefits include: Functions as the first layer of defense Easy operation –CNAME change Implement an integrated solution Best architecture for addressing network-l...
“In the past year we've seen a lot of stabilization of WebRTC. You can now use it in production with a far greater degree of certainty. A lot of the real developments in the past year have been in things like the data channel, which will enable a whole new type of application," explained Peter Dunkley, Technical Director at Acision, in this SYS-CON.tv interview at @ThingsExpo, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
The BPM world is going through some evolution or changes where traditional business process management solutions really have nowhere to go in terms of development of the road map. In this demo at 15th Cloud Expo, Kyle Hansen, Director of Professional Services at AgilePoint, shows AgilePoint’s unique approach to dealing with this market circumstance by developing a rapid application composition or development framework.
The major cloud platforms defy a simple, side-by-side analysis. Each of the major IaaS public-cloud platforms offers their own unique strengths and functionality. Options for on-site private cloud are diverse as well, and must be designed and deployed while taking existing legacy architecture and infrastructure into account. Then the reality is that most enterprises are embarking on a hybrid cloud strategy and programs. In this Power Panel at 15th Cloud Expo (http://www.CloudComputingExpo.com...
"BSQUARE is in the business of selling software solutions for smart connected devices. It's obvious that IoT has moved from being a technology to being a fundamental part of business, and in the last 18 months people have said let's figure out how to do it and let's put some focus on it, " explained Dave Wagstaff, VP & Chief Architect, at BSQUARE Corporation, in this SYS-CON.tv interview at @ThingsExpo, held Nov 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
The move in recent years to cloud computing services and architectures has added significant pace to the application development and deployment environment. When enterprise IT can spin up large computing instances in just minutes, developers can also design and deploy in small time frames that were unimaginable a few years ago. The consequent move toward lean, agile, and fast development leads to the need for the development and operations sides to work very closely together. Thus, DevOps become...
"Our premise is Docker is not enough. That's not a bad thing - we actually love Docker. At ActiveState all our products are based on open source technology and Docker is an up-and-coming piece of open source technology," explained Bart Copeland, President & CEO of ActiveState Software, in this SYS-CON.tv interview at DevOps Summit at Cloud Expo®, held Nov 4-6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Verizon Enterprise Solutions is simplifying the cloud-purchasing experience for its clients, with the launch of Verizon Cloud Marketplace, a key foundational component of the company's robust ecosystem of enterprise-class technologies. The online storefront will initially feature pre-built cloud-based services from AppDynamics, Hitachi Data Systems, Juniper Networks, PfSense and Tervela. Available globally to enterprises using Verizon Cloud, Verizon Cloud Marketplace provides a one-stop shop fo...
SYS-CON Events announced today that Windstream, a leading provider of advanced network and cloud communications, has been named “Silver Sponsor” of SYS-CON's 16th International Cloud Expo®, which will take place on June 9–11, 2015, at the Javits Center in New York, NY. Windstream (Nasdaq: WIN), a FORTUNE 500 and S&P 500 company, is a leading provider of advanced network communications, including cloud computing and managed services, to businesses nationwide. The company also offers broadband, p...
The Internet of Things is not new. Historically, smart businesses have used its basic concept of leveraging data to drive better decision making and have capitalized on those insights to realize additional revenue opportunities. So, what has changed to make the Internet of Things one of the hottest topics in tech? In his session at @ThingsExpo, Chris Gray, Director, Embedded and Internet of Things, discussed the underlying factors that are driving the economics of intelligent systems. Discover ...

ARMONK, N.Y., Nov. 20, 2014 /PRNewswire/ --  IBM (NYSE: IBM) today announced that it is bringing a greater level of control, security and flexibility to cloud-based application development and delivery with a single-tenant version of Bluemix, IBM's

SYS-CON Events announced today that IDenticard will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. IDenticard™ is the security division of Brady Corp (NYSE: BRC), a $1.5 billion manufacturer of identification products. We have small-company values with the strength and stability of a major corporation. IDenticard offers local sales, support and service to our customers across the United States and Canada...
SYS-CON Events announced today that AIC, a leading provider of OEM/ODM server and storage solutions, will exhibit at SYS-CON's 16th International Cloud Expo®, which will take place on June 9-11, 2015, at the Javits Center in New York City, NY. AIC is a leading provider of both standard OTS, off-the-shelf, and OEM/ODM server and storage solutions. With expert in-house design capabilities, validation, manufacturing and production, AIC's broad selection of products are highly flexible and are conf...
Leysin American School is an exclusive, private boarding school located in Leysin, Switzerland. Leysin selected an OpenStack-powered, private cloud as a service to manage multiple applications and provide development environments for students across the institution. Seeking to meet rigid data sovereignty and data integrity requirements while offering flexible, on-demand cloud resources to users, Leysin identified OpenStack as the clear choice to round out the school's cloud strategy. Additional...
DevOps Summit 2015 New York, co-located with the 16th International Cloud Expo - to be held June 9-11, 2015, at the Javits Center in New York City, NY - announces that it is now accepting Keynote Proposals. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long development cycles that produce software that is obsolete...
“DevOps is really about the business. The business is under pressure today, competitively in the marketplace to respond to the expectations of the customer. The business is driving IT and the problem is that IT isn't responding fast enough," explained Mark Levy, Senior Product Marketing Manager at Serena Software, in this SYS-CON.tv interview at DevOps Summit, held Nov 4–6, 2014, at the Santa Clara Convention Center in Santa Clara, CA.
Mobile commerce traffic is surpassing desktop, yet less than 20% of sales in the U.S. are mobile commerce sales. In his session at 15th Cloud Expo, Dan Franklin, Segment Manager, Commerce, at Verizon Digital Media Services, defined mobile devices and discussed how next generation means simplification. It means taking your digital content and turning it into instantly gratifying experiences.