Daily Archives: March 21, 2019

Managed Google Play earns key certifications for security and privacy

Posted by Mike Burr, Android Enterprise Platform Specialist

[Cross-posted from the Android Enterprise Keyword Blog]

With managed Google Play, organizations can build a customized and secure mobile application storefront for their teams, featuring public and private applications. Organizations' employees can take advantage of the familiarity of a mobile app store to browse and download company-approved apps.

As with any enterprise-grade platform, it's critical that the managed Google Play Store operates with the highest standards of privacy and security. Managed Google Play has been awarded three important industry designations that are marks of meeting the strict requirements for information security management practices.

Granted by the International Organization for Standardization, achieving ISO 27001 certification demonstrates that a company meets stringent privacy and security standards when operating an Information Security Management System (ISMS). Additionally, managed Google Play received SOC 2 and 3 reports, which are benchmarks of strict data management and privacy controls. These designations and auditing procedures are developed by the American Institute of Certified Public Accountants (AICPA).

Meeting a high bar of security management standards

To earn the ISO 27001 certification, auditors from Ernst and Young performed a thorough audit of managed Google Play based on established privacy principles. The entire methodology of documentation and procedures for managing other companies' data is reviewed during an audit, and must be made available for regular compliance review. Companies that use managed Google Play are assured their data is managed in compliance with this industry standard. Additionally, ISO 27001 certification is in line with GDPR compliance.

Secure data management

With SOC 2 and SOC 3 reports, the focus is on controls relevant to data security, availability, processing integrity, confidentiality and privacy, which are verified through auditing reports. In managed Google Play, the data and private applications that enter Google's systems are administered according to strict protocols, including determinations for who can view them and under what conditions. Enterprises require and receive the assurance that their information is handled with the utmost confidentiality and that the integrity of their data is preserved. For many companies, the presence of an SOC 2 and 3 report is a requirement when selecting a specific service. These reports prove that a service company has met and is abiding by best practices set forth by AICPA to ensure data security.

Our ongoing commitment to enterprise security

With managed Google Play, companies' private apps for internal use are protected with a set of verified information security management processes and policies to ensure intellectual property is secure. This framework includes managed Google Play accounts that are used by enterprise mobility management (EMM) partners to manage devices.

Our commitment is that Android will continue to be a leader in enterprise security. As your team works across devices and shares mission-critical data through applications hosted in managed Google Play, you have the assurance of a commitment to providing your enterprise the highest standards of security and privacy.

Facebook stored hundreds of millions of passwords unprotected

Company admits to mistake and says it has no evidence of abuse – but the risk was huge

Facebook mistakenly stored “hundreds of millions” of passwords in plaintext, unprotected by any encryption, the company has admitted.

The mistake, which led to user passwords being kept in Facebook’s internal servers in an insecure way, affects “hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users”, according to the social networking site. Facebook Lite is a version of Facebook created for use in nations where mobile data is unaffordable or unavailable.


Why Take the Risk? Addressing Privacy Concerns with an MSSP

One concern that often arises when a company is considering hiring a Managed Security Service Provider (MSSP) and outsourcing their security functions is the risk of allowing a third party to monitor and take care of sensitive data.  For many companies, this can be a source of great anxiety.  Allowing a third party to access sensitive organization data and customer Personally Identifiable Information (PII) begs the question, what exactly is my MSSP monitoring?

While it is always a risk to give your data over to another entity, it is important to know that MSSPs will protect your privacy at all costs and are only interested in monitoring the security of your organization.

Let’s start to address the concerns by taking a look at what MSSPs are not monitoring:

What an MSSP is not monitoring:

A responsible MSSP places a high value on protecting client confidentiality and is primarily concerned with protecting the integrity of the client’s network infrastructure and data. As such, even if the ability is there, the MSSP staff does not review browsing activity or history, email content and recipients, or database information, ensuring full privacy for your executives.  MSSP personnel strictly adhere to confidentiality agreements and act professionally.  If sensitive information is seen, it is not discussed.

There are ways to ensure confidentiality is maintained, including detailed service level agreements (SLA) and statements of work (SOW). These are essential when transferring risk to an MSSP and can offer legal protections to a company in the event of a data breach.

What an MSSP is monitoring:

Typically, an MSSP will aggregate logs and events from multiple systems and sources within the client’s network infrastructure to a security information and event management (SIEM) system.  Those logs and events will come from infrastructure components like firewalls, endpoint security applications, and operating systems.  The SIEM will be configured with alarming rules that will generate alerts from incoming logs for the MSSP personnel to investigate and act upon.

Why partner with an MSSP?

Cost Advantage

Contracting with a third party to handle your organization’s network and information security has significant advantages, especially for small and medium-sized businesses that may not have the budget for a dedicated in-house information security team.  In fact, hiring an MSSP over an in-house staff is a way to make the most of your money by gaining access to 24/7 expertise without the burden of finding and retaining staff during the massive cybersecurity skills shortage.

Business Advantage

When you partner with an effective MSSP, they will provide monthly reports that not only improve visibility into your security posture, but also act as a tool to justify and build budget for future security needs.  This allows you to map your security objectives to the greater business objectives, which in turn helps get leadership on board with your efforts.

Technology Adaptability

A quality MSSP will be technology agnostic, with the ability to adapt to your current infrastructure, technology, and existing applications that you’ve already invested time and budget into.

Access to Expertise

Perhaps the largest benefit of contracting with an MSSP is the level of security expertise the MSSP can provide.  A quality MSSP will be staffed with security experts who are highly skilled in network and information security, organized to detect, analyze, respond to, report on, and prevent cybersecurity events.

Ultimately, when you engage the services of an MSSP, you receive peace of mind knowing that not only is your data protected around the clock, but your privacy is also prioritized and maintained.

Don’t settle for any MSSP; follow our Comprehensive Guide to find the right one for your needs.

The post Why Take the Risk? Addressing Privacy Concerns with an MSSP appeared first on GRA Quantum.

Return to Workplace: Ready to Relaunch Your Career

By: Sheetal, Application Developer & Majy, IT Support

McAfee has a new program that gives professionals who dedicated extended time to their families the chance to reignite their passion for the technology industry and relaunch their careers.

Sometimes, it’s necessary to put your career on hold to raise kids, care for loved ones or serve your country. For many, it can be daunting to reenter the workplace after time away. That’s why McAfee designed its Return to Workplace program.

Launched in India in 2018, the 12-week Return to Work program offers training, support and resources for those who are looking to reenter the technology field and put their careers back on track.

Read Sheetal’s and Majy’s stories about how McAfee’s Return to Workplace program helped them build the skills they needed to reenter the workforce and come back strong.

Sheetal’s Return to Workplace Journey – Application Developer

To pursue my love for technology, I moved to Bangalore to complete my engineering degree in computer science, and I found rewarding work as a Quality Auditor. In 2015, I added another momentous title to my resume—mom. I gave birth to my first child and took my maternity leave; however, family circumstances extended my break.

Returning to Tech

Three years later, I was finally ready to get back to work, and I anxiously began my job hunt. It wasn’t as easy as I thought it would be, and I had a few concerns to say the least. Not only did I fear I’d be behind in the fast-paced technology industry, I also feared I wouldn’t find a supportive workplace as a single mom.

All Thanks to McAfee

As a single mother, McAfee allowed me to balance both my career and my family by giving me flexible work hours, technical mentoring, soft skills training, sessions with the HR team and several other resources to sharpen my professional skills. It helped me build my confidence over time, and today, I am working as a part of the application development team, assuring that the business works as efficiently as possible.

McAfee has offered not only me, but a number of other wonderful women, a second chance to resume their careers at their own pace, without having to give up time with their families and children.

Majy’s Story – IT Support

Passionate about technology, I pursued my education in engineering at Calicut University and began my career soon after as a software engineer. I loved my career and the people I worked with—it’s what got me out of bed and excited about each day. Eventually, my reasons to start the day shifted when my husband and I were blessed with our first child. I decided it was time to put a hold on my career, to be there for my son and spend quality time at home during those early development years.

Facing Fears About Getting Back to Work

My son was growing up right before my eyes, and as he became more independent, I considered returning to my career. Even though I was eager to get back to work, I feared I wouldn’t find a company that allowed me to manage both a fulfilling career and raising a child at home—or if my skills would still be relevant.


Discovering McAfee Was the Best Thing Ever

McAfee’s Return to Workplace initiative completely blew me away. With the working environment that McAfee offered me, which was flexible and encouraging, I absolutely could not miss this opportunity. McAfee offered me several avenues to learn and brush up on my technical skills. They even provided me with a technical mentor! Having access to my mentor created a safe environment where I could ask my technical queries without feeling the pressure of asking the wrong question. In addition to this, the host of online courses I could leverage was an advantage for me. Ultimately, McAfee provided me with an environment where I could learn and grow without feeling intimidated. This was empowering and gave me the push I needed to successfully complete the program. McAfee was my natural first choice for returning to work and I couldn’t have been happier to accept a full-time position.


The post Return to Workplace: Ready to Relaunch Your Career appeared first on McAfee Blogs.


IN BRIEF: In recent years, we have seen a tremendous increase in mobile applications across many countries; it seems everyone wants to come up with a mobile application, for many reasons. On the other hand, the rate of fake and malicious mobile applications is growing rapidly, posing a major security risk to mobile users.

Mobile application developers are now facing threats to customers and application data as automated and sophisticated attacks increasingly target the owners, users and data of mobile applications.

Apart from the privacy risk posed by unprotected applications from various developers, criminals are also developing mobile applications with malicious intent, putting the thousands of users who download them at risk of falling victim to cybercrime.

It is prudent to secure our mobile devices with security solutions. Sadly, a recent test of anti-malware apps available in Google Play showed that most are not, in fact, worthy of the name or, indeed, of the space they take up on the Android device.

Independent testing outfit AV-Comparatives threw the 2,000 most common Android malware samples seen in the wild last year at 250 security (and, as it turns out, also “security”) apps that were available in the Android store in January of this year. Only 80 apps passed the organization’s most basic test – flagging at least 30 percent of the samples as malware while reporting no false positives for some of the most popular and clean apps in Google Play.

Crucially, only 23 apps passed the test with flying colors; that is, they had a 100-percent success rate at detecting the malicious code.

So, what are those purported anti-malware solutions that failed the test up to? You may have guessed it – for the most part, they’ll only foist ads on you. Put differently, instead of keeping you safe from pests that are banking Trojans, ransomware and other threats, many of the fake security apps will apparently only pester you with unwanted ads, all in the name of easy revenue for the developers.

Indeed, some of the products are already detected, at the very least, as “potentially unwanted applications” by at least some reputable mobile security solutions and are likely to be booted by Google from the Android store soon.

In many cases, the apps’ “malware-detecting functionality” consisted of comparing the package name of any given app against the AV app’s own whitelist or blacklist. This way of determining whether a piece of software is safe can, of course, be trivially easy for malware creators to defeat. Meanwhile, for the user, it creates a false sense of security.
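To make the weakness concrete, the following added example (not code from AV-Comparatives or from any tested app) scores two name-only detectors and one content-based detector against the basic pass criterion quoted above: at least 30 percent of malicious samples flagged and no false positives. All package names and sample bytes are constructed, and SHA-256 matching stands in only as the simplest possible content-based check.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    package: str     # package name the app declares (chosen by its author)
    content: bytes   # stand-in for the APK bytes
    malicious: bool  # ground truth, known only to the evaluator

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed corpus: one malicious payload under four package names,
# plus two clean apps. None of these names refer to real apps.
PAYLOAD = b"constructed-malicious-sample"
CORPUS = [
    App("com.example.flashlight.bad", PAYLOAD, True),
    App("com.example.renamed.one", PAYLOAD, True),
    App("com.example.renamed.two", PAYLOAD, True),
    App("com.example.renamed.three", PAYLOAD, True),
    App("com.example.notes", b"constructed-clean-notes-app", False),
    App("com.example.mail", b"constructed-clean-mail-app", False),
]

NAME_BLOCKLIST = {"com.example.flashlight.bad"}
NAME_ALLOWLIST = {"com.example.mail"}
HASH_BLOCKLIST = {sha256(PAYLOAD)}

def by_name_blocklist(app: App) -> bool:
    # Flags only names already on the list; a new name is never flagged.
    return app.package in NAME_BLOCKLIST

def by_name_allowlist(app: App) -> bool:
    # Flags everything not on the list, including clean apps it never saw.
    return app.package not in NAME_ALLOWLIST

def by_content_hash(app: App) -> bool:
    # Looks at the bytes, so the declared package name is irrelevant.
    return sha256(app.content) in HASH_BLOCKLIST

def evaluate(detector, corpus):
    """Return (detection rate, false positives, passes the basic test)."""
    bad = [a for a in corpus if a.malicious]
    clean = [a for a in corpus if not a.malicious]
    rate = sum(detector(a) for a in bad) / len(bad)
    false_pos = sum(detector(a) for a in clean)
    return rate, false_pos, rate >= 0.30 and false_pos == 0

if __name__ == "__main__":
    for det in (by_name_blocklist, by_name_allowlist, by_content_hash):
        print(det.__name__, evaluate(det, CORPUS))
```

The name blocklist misses every sample whose name it has not seen, and the name allowlist "detects" everything only by also flagging a clean app, so both fail the criterion for opposite reasons.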

The fact that many ad-slinging apps are disguised as security solutions may not be a revelation for you. After all, ESET malware researcher Lukáš Štefanko warned early in 2018 about dozens of apps that professed to protect users from malicious code, but were instead only vehicles for displaying ads.

Meanwhile, a number of products that scored poorly in the test were deemed to be the work of what AV-Comparatives called “hobby developers”. Rather than focus on producing quality security software, these software makers apparently produce a variety of apps that are only designed to generate ad revenue for them. Still other developers “just want to have an Android protection app in their portfolio for publicity reasons”, wrote the AV testing outfit.

In addition, user ratings and/or download numbers are not necessarily something to go by. “Most of the 250 apps we looked at had a review score of 4 or higher on the Google Play Store. Similarly, the number of downloads can only be a very rough guide; a successful scam app may be downloaded many times before it is found to be a scam,” wrote AV-Comparatives, adding that the ‘last updated’ date isn’t a reliable indicator, either.

All told, the results can be understandably disheartening. On the other hand, they’re another reminder of the need to stick to reputable products with proven track records in mobile security.