Apr 8

I have written many times before about the importance of end-to-end security across all types of networks. With the state of security today, protecting your data at all points on the network is crucial. Fortinet recently introduced a new vulnerability management solution for medium to large corporate businesses, called the FortiScan-1000B. It helps businesses maintain security across their network by integrating all the crucial points in a network security policy: industry and federal compliance, endpoint vulnerability management, network-level vulnerability management, and patch management and remediation.

In 2008 Fortinet purchased the security company Secure Elements, and the FortiScan-1000B builds on that acquisition: it uses the Secure Elements software as the basis for the new solution, together with the vulnerability scanning feature from Fortinet’s own FortiAnalyzer. These features help security administrators stay compliant with SOX, PCI-DSS, GLBA, HIPAA, etc.

You can read more about this new device at Fortinet’s website.

Sep 16

The prevention of data leaks today is a main concern for most IT administrators. Data leaks expose confidential information of companies, employees, and clients. They can affect credit ratings, press coverage, reputation, fines, and overall business. So it is no wonder that preventing the loss of data is a high priority for IT professionals. One of the main methods for preventing data leaks is backup encryption. Many laws have been written that protect the identities of consumers and force businesses to be proactive by imposing fines for violations.

When lost data was not encrypted, companies are forced to report the loss. Thus, encryption is crucial, not only to remain compliant but to prevent data leaks from occurring. Businesses today rely on their network infrastructure, and most of their data resides on their central server mainframe. Because many companies back up their central mainframes to backup tapes, it goes without saying that there is confidential data on those tapes. This is why encrypting those backup tapes is important to data security. Many companies transport those tapes to offsite locations for disaster recovery purposes. This transport poses a security risk because the data leaves the secured server room and is often exposed to the general public during travel. Backup tapes can also pass through many hands during the process. Using backup encryption can help protect the data no matter where it is.

As with all data loss prevention, there is always a bit of risk management involved. There is a balance to strike between the encryption of confidential data and the overhead cost of implementing it. Data that is not confidential or business critical does not need the same backup encryption levels that more private information does. It is important to identify what data requires backup encryption and what data does not. Data that goes offsite should always be encrypted due to the higher risk. Other files such as operating system files, temporary files, or disaster recovery start-up files do not need encryption applied to them.

It is also important to take a look at older data that resides on tape. Making the move to backup encryption is important. But unlike most upgrades, you can’t just ignore the data that resides on your old backup system or tapes. This data can be just as valuable to thieves as your most recent backups. That is why it is paramount to encrypt the data located on all your backup tapes and not just the tapes used in the future.

Backup encryption is a key part of your solution to protecting your network’s data. Make no compromises when it comes to data loss prevention.

Sep 4
When Sarbanes-Oxley was introduced back in 2002, everyone scrambled to get their business and IT infrastructure compliant. Today, the trouble isn’t with getting your policy model compliant; it is with maintaining the compliance that you initially set up.

IT is a field that is constantly changing, and thus your IT policy and structure in your business will change and expand constantly. Putting the documentation and set of controls in place to ensure improvement is the first step to ensuring that your compliance efforts are not too rigid. In order for businesses to stay competitive, they must have the ability to be flexible. If your set of controls is too rigid, then you will hinder your company’s flexibility. Having a set of documents that states processes and controls will make it easier to maintain and follow order when introducing new policies and models for your IT infrastructure.

One way to ensure compliance is to monitor legislation and stay on top of new regulations that are set in place so that you can make adjustments to your internal policy. Document these new regulations and then make adjustments accordingly. Organized documentation is one of the more difficult but crucial keys to maintaining compliance.

Change control policies must also be set into place and documented. Having a change control structure in place will ensure a sort of checks and balances in your business and IT department. Having change control policies documented will also ensure that you will have the right documents to show in the event you are audited.

Risk management is something that many IT managers deal with on a day to day basis. Taking into account risk levels with new regulations and new technology will help you decide the best course of action. As always, the documentation of this will help you get a better grasp of the scope of the project or policy.

Sometimes maintaining compliance is more about policy management and documentation than it is about actual network security. But the two go hand in hand. The technical geek inside of us all wants to focus strictly on the actual security technology that underlies every compliance regulation. But the truth is that documentation and change control processes are what drive it all. Without the policies in place to maintain compliance, security goes out the door.

Aug 27
So I was reading more of the latest information about the number of security breaches this year. I was reading an article by George Hulme over at Information Week about why additional laws are needed for data protection compliance, particularly in the health care industry. HIPAA policies are beginning to be enforced, but it will be a while before we start seeing accurate reports on the number of security breaches.

There has been better security compliance over the last few years, but there is still much more work that needs to be done. Many industries need the same type of attention that has been applied to the financial sector. Hulme mentions how far behind the health care industry is compared with financial industry compliance. I believe that part of the reason is that the health care industry is generally behind the financial industry when it comes to technology.

While strides have been made in the health care industry with HIPAA policies, there is still a way to go with enforcing and auditing those standards. It was only last year (2007) that the Department of Health and Human Services conducted its first audit. As always with audits, it will take a little while until all the kinks are worked out and the final reports can really be accurate. This can clearly be seen with the financial sector’s latest report on 2008’s security breach numbers, and SOX auditing has been around longer than HIPAA policy auditing.

The health care industry also reaches sectors where network technology is underutilized. This makes it hard to give accurate numbers on data breaches due to malicious software and attacks. Many private doctor’s offices don’t invest much of their resources in technology, and because few offices are making a big push for technology, other offices don’t feel the need to make the push themselves. Often what causes a practice or company to upgrade its infrastructure is when competitors or partners improve theirs. With much of the industry lagging behind, a large portion still uses paper records as its main data repository.

Many private practices also outsource their patient management systems to third-party companies. This means that patient data is crossing more networks and is thus exposed to more hands, eyes, and network nodes. All this adds to the security risk while at the same time making auditing across separate networks difficult. Many of these smaller practices and health care providers don’t have a full-time IT staff, so security is not treated as the ongoing chore it should be.

So while adjustments have been made to increase security and privacy, there is still a lazy approach to enforcement in the health care industry. More laws are needed to enforce HIPAA policies; otherwise this trend will continue.

Aug 25
Multi-factor authentication has been around for a while now, but has been gaining in popularity dramatically in recent years. Multi-factor authentication is the act of utilizing multiple methods of authentication to access specific data on a network or website.

With so many ways to capture a user’s password, multi-factor authentication is a way to secure data with more than just a single username and password. If that username and password is compromised, the attacker will still need additional information to access the confidential data or website. Multi-factor authentication doesn’t necessarily mean just adding another username and password prompt. It can be a security question or code request as well. For example, once a user logs in with their username and password, the website also asks them for the mother’s maiden name they entered when originally setting up their account. This additional prompt can hinder an attacker’s attempt at accessing the account: even if they already know the username and password, they will also need to know the user’s mother’s maiden name.

To add further security to multi-factor authentication, one-time passwords may be added to the mix. A one-time password policy uses a token or other method that generates a new password every minute or so, and only the server knows what the password is for the current minute. The user then enters the password shown on the token as a second authentication factor. After the user uses that password, it is reset and never used again. This is a very secure method that prevents many types of intrusion. If an attacker was able to capture the hash from the authentication transaction, by the time they finish cracking it, the password will have changed to a different one.

Another multi-factor authentication technique is the use of biometrics. Biometrics is the use of some type of scanning mechanism on the user’s body, such as a fingerprint or retina. Adding multi-factor authentication where the second factor is something specific to that user adds a much deeper level of authentication that is much more secure. Adding a layer of security that is “what the user knows”, “who the user is”, or “what the user has” makes it hard for someone other than that user to access the data.

Multi-factor authentication is being used by more companies every day. It is especially popular with websites. Compliance acts are another reason for its growing usage. Compliance acts such as Sarbanes-Oxley require financial institutions to utilize some sort of multi-factor authentication when offering online account access to their customers.

Expect multi-factor authentication to become the standard method of authentication in the future. Whether it is just an additional strong password policy, the use of a security question, or biometrics, additional security is a must when securing data that is confidential.

Aug 7
More and more people today are doing their banking online. Some 42% of internet users bank online. Considering that this number is growing every year, banks and credit unions are looking at their online banking security and making sure that they are able to provide safe interactions with their customers. Those who don’t bank online say that their main reason for not doing so is the lack of online banking security. One of the reasons they feel insecure about banking online is misinformation and not knowing the correct facts about internet security.

A study from the University of Michigan by Atul Prakash looks at design flaws that many banking sites have today that fail to protect users who don’t know the basics about internet security. It looks at design flaws rather than actual application vulnerabilities. Design flaws are different from application vulnerabilities because they are based on decisions that were made when designing the website. Many of these decisions that the designers of banking sites have made promote insecure user behavior and because many users are uneducated about basic internet security, these flaws can be taken advantage of.

Some of the online banking security flaws noted were being able to access the site over insecure HTTP, being redirected to an untrusted site, low password-strength thresholds, and emailing confidential data to users. If a user is unaware of the risks these designs pose, each of these flaws can lead to confidential data being leaked.

As far as user passwords go, many of the sites in the study don’t impose password restrictions on users. Low-quality passwords invite disclosure by brute-force attacks. But it is also noted that with the introduction of phishing sites and keyloggers, a strong password doesn’t protect against those, and many banks find it merely an inconvenience for their users to force strong passwords. It is also claimed that enforcing a ‘three-strikes’ lockout policy on incorrect passwords makes brute-force attacks on low-quality passwords unrealistic. But the study finds that even enforcing a lockout policy is not enough if low-quality passwords are allowed. If a list of usernames is available, a parallel dictionary attack can run a string of authentication requests across all the usernames using common passwords, so that no single account ever reaches the lockout threshold.
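An added detection example, not from the study or the original post, showing why the per-user three-strikes rule alone misses the parallel attack: the same constructed authentication log is checked first with a per-user lockout counter and then with a per-source check that counts how many distinct accounts fail from one source inside a time window. The log format, field names and addresses are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): 203.0.113.9 tries one password against
# many accounts, one attempt each; 198.51.100.7 hammers a single account.
SAMPLE_LOG = """\
2008-08-07T10:00:01 FAIL user=alice src=203.0.113.9
2008-08-07T10:00:02 FAIL user=bob src=203.0.113.9
2008-08-07T10:00:03 FAIL user=carol src=203.0.113.9
2008-08-07T10:00:04 FAIL user=dave src=203.0.113.9
2008-08-07T10:00:05 FAIL user=erin src=203.0.113.9
2008-08-07T10:00:06 OK user=frank src=203.0.113.9
2008-08-07T10:05:00 FAIL user=alice src=198.51.100.7
2008-08-07T10:05:09 FAIL user=alice src=198.51.100.7
2008-08-07T10:05:20 FAIL user=alice src=198.51.100.7
"""

LINE = re.compile(r"^(\S+) (FAIL|OK) user=(\S+) src=(\S+)$")


def parse(log: str):
    """Return (timestamp, status, user, source) tuples; lines that don't match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return events


def per_user_lockouts(events, strikes: int = 3):
    """Classic three-strikes rule: users whose consecutive failure count reaches `strikes`."""
    fails = defaultdict(int)
    for _, status, user, _ in events:
        fails[user] = fails[user] + 1 if status == "FAIL" else 0   # success resets the count
    return {u for u, n in fails.items() if n >= strikes}


def spray_sources(events, window=timedelta(minutes=5), min_users: int = 4):
    """Flag sources that fail against many *distinct* users inside `window`: the horizontal
    pattern that a per-user counter never sees because each account fails only once."""
    by_src = defaultdict(list)
    for ts, status, user, src in events:
        if status == "FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for ts, u in attempts[i:] if ts - start <= window}
            if len(users) >= min_users:
                flagged[src] = len(users)          # source -> distinct accounts hit
                break
    return flagged
```

Running `per_user_lockouts(parse(SAMPLE_LOG))` locks only alice, while `spray_sources` flags 203.0.113.9 even though no account it touched ever failed more than once.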

The study also mentions websites that break the chain of trust. Often bank websites redirect to other websites without notice. Regardless of whether these sites are secured using SSL, the certificates used are often not affiliated with the bank at all, and there is no way for the user to tell whether they are still on the bank’s website. This makes it hard for even a knowledgeable user to know whether they are on a phishing site.

As mentioned, other sites present secure login options on insecure webpages. While the site may offer secure logins via SSL and HTTPS, that same webpage may also be available insecurely over HTTP. Even if a redirect to a secure page occurs, if the user has already entered credentials on the insecure page, those credentials are at risk of being compromised.

For more information on this online banking security study, you can visit the following page: Analyzing Websites for User-Visible Security Design Flaws

Jul 30

The Sarbanes-Oxley Act (SOX) is one of the most comprehensive compliance acts to ever affect corporate business. Because today most information in a business is stored and sent electronically, the IT department must create an encompassing security policy to ensure that their company is compliant with SOX.

The security policy must govern everything from network security, to access controls, logging, encryption, and alerting. These policies and guidelines must be documented and the IT department must be able to display these documents and show that these policies are in place and being used in the event of an audit.

Because a lot of data today is transferred via email, it naturally plays a very large role in ensuring that your company is compliant with SOX. So much data is transmitted via email network protocols today, yet it remains one of the most insecure realms of the network. This is why IT professionals must pay close attention to how emails are sent and received on their network.

SOX requires that all malicious emails are seized both inbound and outbound on the network and removed before any internal data is compromised rather than just alerting IT staff as violations occur. Email security compliance includes every aspect of your email system and email must remain secure at all points of transmission. This means that emails that contain financial information must be encrypted during transmission to the recipient as well as have access controls in place while the emails reside on a local system for storage.

Anti-spam and anti-phishing systems must be in place and integrated with your email system. The system must be configured to prevent emails detected as malicious from reaching workstations on the network.

Email archiving is also required for Sarbanes-Oxley Act compliance. All emails must be archived so that any email received by the company’s system can be retrieved at a later date. Emails should be archived prior to being received by the client to ensure that information is not deleted or removed from the system before archiving can take place.

If the Sarbanes-Oxley Act affects your company, then not only should your IT staff become familiar with SOX, but the whole staff should be trained on the basics of what SOX compliance requires of them. As an IT professional, your network security policy should be well documented and enforced.