Showing posts with label CYBER SECURITY. Show all posts

Sunday, August 31, 2014

How Trustworthy are Mobile Apps or Applications?



Have a look at the permissions being asked by these Android apps. What do you make of these snapshots? Which app is more secure, not from the point of view of security for the app but of security for the user who downloads and uses it? The one on the extreme left (the first one) is likely to have more access to your device than the other two. The makers would argue that these permissions are required for the features and functionality of the app. The question here is who will decide how much permission is required and who will guarantee that these permissions will not be abused. The one on the extreme right-bottom is more trustworthy as it requires no special permissions. But how many of us really pay any attention to such details?
Unlike applications on a desktop, with mobile apps it is difficult to find out what they are really doing behind the scenes. The situation is compounded by the fact that mobile devices contain an enormous amount of personal, sensitive and financial data. The email apps are always online. The device is connected to the internet in most cases. The passwords and other credentials are just there, begging to be stolen.

Personally I prefer to use the browser on my mobile to access the various web sites and web applications rather than download an app. Re-entering usernames and passwords every time you access a web application or a website should not bother you if you are worried about the safety of your data and online identity.

Having written what I wanted to convey, I would like to clarify that I am not aware that the above-mentioned apps are untrustworthy in any way. I just picked them for illustration.

Monday, October 7, 2013

Next 5 biggest Info sec challenges

In my previous post I listed the five biggest challenges. The challenges listed in this post are the next five.

6. Formulating and enforcing data classification and data destruction policies

Data discipline in terms of classification and management, which includes labelling for archiving or disposal/destruction, is still treated quite casually by the end users who generate documents. Though most users understand such policies for hard copies or physical documents and implement them to a large extent, they fail to do so for digital data. Duplicate and uncontrolled versions of unstructured data (e.g. Word documents) lead to quite a few embarrassing situations.


7. Consolidation and leverage of user-initiated software systems

In a reasonably big, diverse and geographically widespread enterprise, the local IT people tend to design and use their own software tools. In such cases the goal is day-to-day task achievement, not the overall requirements of the organisation. Consolidation and control of these tools from an ISMS point of view is often overlooked by central IT management. The local IT people also resist such attempts most of the time.

8. Disposal of old and decommissioned IT assets

Not much thought is given to old and decommissioned systems and they become a sore point. This happens despite having policies and regulations on the subject. 

9. Individualistic continuance of IT initiatives and their management

Continued dependence on such individuals would definitely lead to security issues in future. Processes should be evolved for managing these systems and, after being given due credit, such individuals should be moved away from these projects.

10. IT asset ownership issues

This topic continues to be a thorn and requires resolution through regular education and awareness programs.

Wednesday, November 30, 2011

What is a "Good and strong" password and other questions.

1. What is a good password?

There is a vast difference between a "good and strong" password and a "complex" password. 'Ab%98@#k*t5z' is a very complex and strong password but is a bad password because it is very hard to remember. However, 'Blacck>Mang0s' is a strong as well as a good password because you can easily remember it. It is strong because it is of sufficient length and is a combination of lower case, upper case, special characters and numerals. A passphrase or a set of related characters like the above would be good. The other requirement is sufficient length: 10 or more characters.


2. Can an antivirus product detect all malware in existence?

This is simply not possible technically, whatever the vendors may claim. However, some products may be better than others at any given time. The detection rate of even the best product may be not more than 85%.


3. Which is the best antivirus?

For commercial software, go by the existing market reputation. But be careful: a recent news report mentions an emerging antivirus product which introduced malware and subsequently cleaned it to generate a good scan report. If you are using freeware, check its reputation or popularity, and download it from a trusted source.


4. Is an antivirus still required if a firewall is used, and vice versa?

Both have different but complementary functions. You require both to safeguard your computer. If malware is able to breach your firewall, then at least the antivirus has a chance to detect it.


5. What if the AV has not detected the malware and someone is remotely controlling or using my computer?

If you are a normal user then nothing much can be done except to attempt manually cleaning out the offending software. The best option would be to go back to a previous checkpoint, or to reinstall the OS after you have taken a backup. Before such a step, take a chance with the free tools I have listed on the right side of this post. Experienced users can use the tools mentioned in my previous post.


6. Enabling all the browser security features has blocked my critical banking and email sites?

There is no absolute '0' or '1' answer to this question. Depending on a user's requirements and web browsing habits, the settings may have to be customised slowly over a period of a few days. Disabling Java may have led to your bank account page being rendered useless. You need to figure this out and enable Java specifically for this site.

Thursday, November 10, 2011

More Free Security Tools for Adventurous Windows Users

In my previous post I listed some free and safe Windows tools or software to ensure the safety of your computer, Internet surfing and information security in general. In this post I will list some tools for people who are not averse to a slightly advanced approach.

1. The first of these is the "msconfig" tool bundled with the Windows operating system. Just type msconfig in the Run box and you will see a window open. Take some time to familiarize yourself with it before making any changes.

msconfig.exe : windows security and administration tool

2. Netstat is another wonderful command line tool, for network statistics. Use this tool to investigate network connections, listening services, the exe files associated with running programs and much more.


Windows netstat command line tool for network statistics

3. Sysinternals tools. Check them out on live.sysinternals.com

4. 'nbtstat' in the command prompt
5. 'net' commands in the command prompt
6. Windows Task Manager
7. Use regedit.exe to play around. Warning: some amount of familiarisation is required before you modify entries.
8. Use 'Windows Firewall with Advanced Security'. Run the command wf.msc to configure the firewall.
9. Additional resources can be found on the following links
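
Returning to item 2 (netstat) above: the following is an added example, not part of the original post, that parses `netstat -ano` output and picks out listeners bound to every interface and established connections to non-local addresses. The sample output, its addresses and PIDs are constructed, and the function names are illustrative.

```python
from ipaddress import ip_address, ip_network

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    127.0.0.1:5354         0.0.0.0:0              LISTENING       2100
  TCP    192.168.1.20:49712     203.0.113.10:443       ESTABLISHED     4321
  TCP    192.168.1.20:49800     192.168.1.1:445        ESTABLISHED     4
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:5353           *:*                                    2100
"""

# Ranges treated as "local" here: RFC 1918, loopback, link-local, IPv6 ULA.
LOCAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def split_endpoint(endpoint):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), port

def parse_netstat(text):
    """Yield one dict per TCP/UDP row; UDP rows have no State column."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # skips the banner and the column header
        state = fields[3] if len(fields) == 5 else ""
        yield {"proto": fields[0], "local": split_endpoint(fields[1]),
               "foreign": split_endpoint(fields[2]), "state": state,
               "pid": int(fields[-1])}

def exposed_listeners(rows):
    """TCP listeners bound to all interfaces (0.0.0.0 or ::) as (port, pid)."""
    return sorted({(int(r["local"][1]), r["pid"]) for r in rows
                   if r["state"] == "LISTENING"
                   and r["local"][0] in ("0.0.0.0", "::")})

def external_connections(rows):
    """Established connections whose remote address is outside LOCAL_NETS."""
    out = []
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        remote = ip_address(r["foreign"][0].split("%")[0])  # drop IPv6 zone id
        if not any(remote in net for net in LOCAL_NETS):
            out.append((str(remote), int(r["foreign"][1]), r["pid"]))
    return out
```

On a live machine, pass in the text produced by `netstat -ano` and look up each reported PID in Task Manager or with `tasklist` to see which executable owns the socket.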