Apr 8

I have written many times before about the importance of end-to-end security across all types of networks. With the state of security today, protecting your data at all points on the network is crucial. Fortinet recently introduced a new vulnerability management solution for medium to large corporate businesses, called the FortiScan-1000B. It helps businesses maintain security across their network by integrating all the crucial points in a network security policy. It integrates the following features: industry and federal compliance, endpoint vulnerability management, network-level vulnerability management, and patch management and remediation.

In 2008 Fortinet purchased the security company named Secure Elements. They’ve used the assets from this purchase to leverage technology in the new FortiScan-1000B. It uses the software solution from Secure Elements as the basis for its new solution. It also uses the vulnerability scanning feature from its own FortiAnalyzer solution. These features help security administrators stay compliant with SOX, PCI-DSS, GLBA, HIPAA, etc.

You can read more about this new device at Fortinet’s website.

Mar 18

Social networks today, such as Facebook, MySpace, and LinkedIn, have been growing at a tremendous rate. They have recently become the target of IT professionals as a security threat on company networks. Not only are they seen as a contributor to productivity loss, but they are also a security threat for data loss and data compromise. They are a great tool for hackers to use to gain entry to corporate networks where these social networks are used. These networks have built up trust with their users, and these users take them into the corporate networks with that same level of trust. So those applications that can pose a security risk at home will pose an even greater threat in the office.

So IT professionals are taking a much deeper look into social network security and their corporate networks. They are finding that not only does the issue come from the 20-somethings in their network, but a growing population of older individuals are venturing into social networking. The problem is that many of the older individuals may not be as savvy as the younger generation when it comes to network security common sense.

An ethical hacking firm, Netragard, claims that they can gain access to any data at any corporate network very quickly. They claim to be able to do this through social networking sites. They offer their services for a fee to prove this claim and offer ways to help improve social network security and curb its threat to your corporate environment. Regardless of how legitimate their claim may be, it is still an alarming statement that should be taken seriously.

Social network sites are great for helping people with similar backgrounds meet and stay in touch. The problem for corporate users is that inside large enterprises where no one person knows everyone in the company, it is easy for someone with a fake ID to establish trust with individuals in a company due to the basic fact that they claim to be a colleague. From there it is a simple matter of setting up a phishing scheme. The problem with this form of attack is that there is no evidence of a breach and no log of what data was even stolen.

With these new methods of data breach that social networks bring to the table, it is imperative to take a different approach to network security than was taken in the past. IT professionals can no longer look at networks in a segregated way. There is no longer a boundary between the corporate network and the internet. They must be treated as one and have a policy that encompasses them both. Also, when introducing new technology into a network environment, you must look at where that technology stands from a security standpoint and in what ways it increases your security risks. Create a security policy that includes social network sites. Prevent access to these sites from inside the corporate network and also have a company policy about what employees are allowed to say about the company whether they are currently on duty or not. Finally, be sure to run penetration tests from both inside and outside the network and be sure that the tests include some form of social engineering. Hackers don’t have any boundaries, so chances are that if a tool that follows rules is able to break into your network, it will be even easier for a hacker to do so.

Mar 13

Part of anyone’s network security fears has to do with losing data due to deletion. Whether those deleted files are gone because of a malicious act or some accidental mistake, it is bound to happen. Or there is the simple fear of losing data due to a crashed hard drive. It all happens and you just need to be prepared for it.

I have done quite a lot of file restoration in my day. I’ve seen numerous hard drive crashes, but I’ve also had to deal with needing to recover files after a hard drive has been reformatted with Windows reinstalled on it. It is not an easy task, let me tell you. When you need to restore deleted files that were on a hard drive, those files aren’t necessarily gone for good. There are many ways you can restore them. When you tell a file to delete on your computer, technically your computer never actually erases or deletes those files. It only marks that space on the hard drive where the file existed as available. The computer then knows that it can write files to that location again at a later date.

When you go to reformat a hard drive, the computer goes through a process of “zeroing out” all the sectors on the hard drive. When this is done, it becomes much harder to restore files. Most software is unable to restore deleted files after that. Fortunately when I’ve had to restore deleted files, I have come across a handy piece of software that I’ve been using. It is called, quite simply, Restore Deleted Files. This piece of software allows you to do so much more than most other software programs that allow you to restore deleted files. With this software, you can restore deleted files from the recycle bin, recover your files after a hard drive crash, and even restore a hard drive after it has been reformatted with Windows reinstalled on top of it!! Not only can you restore a reformatted hard drive, which most software fails at, but it can go a step further and restore deleted files after you went ahead and reinstalled Windows!
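The behaviour described above (deletion only frees the space, zeroing actually destroys the bytes) can be reproduced with signature carving. This is an added example, not part of the original post and not how Restore Deleted Files itself works; `ToyDisk` is a hypothetical model and the PNG is a constructed sample file.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def chunk(kind, data):
    """One PNG chunk: length, type, data, CRC-32 over type+data."""
    return (struct.pack(">I", len(data)) + kind + data
            + struct.pack(">I", zlib.crc32(kind + data)))

def make_png():
    """Constructed sample file: a valid 1x1 grayscale PNG."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return (PNG_SIG + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(b"\x00\x7f")) + chunk(b"IEND", b""))

class ToyDisk:
    """Hypothetical disk: raw data area plus a directory of name -> (offset, length)."""
    def __init__(self, size):
        self.data = bytearray(size)
        self.directory = {}

    def write(self, name, offset, content):
        self.data[offset:offset + len(content)] = content
        self.directory[name] = (offset, len(content))

    def delete(self, name):
        del self.directory[name]      # space marked available; bytes untouched

    def zero_fill(self):
        self.data = bytearray(len(self.data))   # every sector overwritten with zeros
        self.directory.clear()

def carve_pngs(image):
    """Find PNG signatures in raw bytes and walk CRC-checked chunks up to IEND."""
    found, pos = [], image.find(PNG_SIG)
    while pos != -1:
        end = pos + len(PNG_SIG)
        while end + 12 <= len(image):
            length = struct.unpack(">I", image[end:end + 4])[0]
            crc_at = end + 8 + length
            if crc_at + 4 > len(image):
                break                             # chunk runs past the image
            if zlib.crc32(image[end + 4:crc_at]) != struct.unpack(">I", image[crc_at:crc_at + 4])[0]:
                break                             # overwritten or corrupt chunk
            kind, end = image[end + 4:end + 8], crc_at + 4
            if kind == b"IEND":
                found.append((pos, image[pos:end]))
                break
        pos = image.find(PNG_SIG, pos + 1)
    return found

def demo():
    """Return carving results after delete, after partial overwrite, after zero fill."""
    png, disk = make_png(), ToyDisk(4096)
    disk.write("photo.png", 1000, png)
    disk.delete("photo.png")
    after_delete = carve_pngs(bytes(disk.data))
    disk.write("new.txt", 1010, b"X" * 20)        # reuse of the freed space
    after_overwrite = carve_pngs(bytes(disk.data))
    disk.zero_fill()
    return png, after_delete, after_overwrite, carve_pngs(bytes(disk.data))
```

The file is recovered intact after deletion, but not once the freed space has been reused or zero-filled.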

This is a very easy software program to use. I highly recommend it even if you don’t have to restore anything at the moment. You will never know when you might need it. It has saved me numerous times. Be sure to check out this awesome piece of software called Restore Deleted Files. You can download it right from the website.

Download it now!

Mar 10

More and more people and businesses are taking their work and information with them on the road and being mobile. The use of wireless technologies such as WLANs and wireless 3G cellular networks is everywhere. It is estimated that about 90% of laptops in use today are capable of Wi-Fi usage.

The increase in wireless usage and demand has not, however, been met with an increase in security. Outdated security policies and protocols are in use in today’s wireless networks. New attacks are emerging, but most of the security measures taken are reactive rather than proactive; new security protocols are not being released to prevent these types of attacks.

Most companies that utilize WLANs in their infrastructure fail to realize that a security policy overlaid with security measures is needed to protect the network. Many companies simply implement WEP for security and then forget about their wireless security needs. Most security threats today come from inside the network. So a security policy must stress the importance of security over wireless technology to their employees. Security training should take place and it should give the employees a basic understanding of what is at stake and the realistic threat that a wireless network can pose if not secured properly. Then the system administrators can concentrate on updating their infrastructure to meet today’s wireless security demands.

Sep 16

The prevention of data leaks today is a main concern for most IT administrators. Data leaks expose confidential information of companies, employees, and clients. They can affect credit ratings, press coverage, reputation, fines, and overall business. So it is no wonder that preventing the loss of data is a high priority for IT professionals. One of the main methods for preventing data leaks is through backup encryption. There have been many laws written that protect the identities of consumers and force businesses to be proactive by enforcing fines on violations.

When lost data was not encrypted, companies are forced to report the loss. Thus, encryption is crucial, not only to remain compliant, but to prevent data leaks from occurring. Businesses today rely on their network infrastructure and most of their data resides on their central server mainframe. Because many companies back up their central mainframes with backup tapes, it goes without saying that there is confidential data on those tapes. This is why encrypting those backup tapes is important to data security. Many companies transport those tapes to offsite locations for disaster recovery purposes. This transport poses a security risk due to the fact that the data leaves the secured server room and is often exposed to the general public during travel. Backup tapes can also touch many hands during the process. Using backup encryption can help protect the data no matter where it is.

As with all data loss prevention, there is always a bit of risk management involved. There is a balance to be looked at between the encryption of confidential data and the overhead cost of implementing it. Data that is not confidential or business critical does not need the same backup encryption levels that other more private information does. It is important to identify what data requires backup encryption and what data does not. Also, data that goes offsite should always be encrypted due to the higher risk. Other files such as operating system files, temporary files, or disaster recovery start-up files do not need encryption applied to them.

It is also important to take a look at older data that resides on tape. Making the move to backup encryption is important. But unlike most upgrades, you can’t just ignore the data that resides on your old backup system or tapes. This data can be just as valuable to thieves as your most recent backups. That is why it is paramount to encrypt the data located on all your backup tapes and not just tapes used in the future.
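One way to find which older backups still need encrypting, as an added example that is not from the original post: a triage script that labels backup images by container magic numbers and byte entropy. The file names, sample contents and the 7.5 bits-per-byte threshold are assumptions constructed for illustration.

```python
import gzip
import hashlib
import io
import math
import tarfile
from collections import Counter

# (offset, magic bytes, label) for common unencrypted backup containers
PLAINTEXT_MAGIC = [
    (0, b"\x1f\x8b", "gzip"),
    (0, b"BZh", "bzip2"),
    (0, b"PK\x03\x04", "zip"),
    (257, b"ustar", "tar"),
]

def entropy(sample):
    """Shannon entropy in bits per byte; 8.0 means uniformly random bytes."""
    if not sample:
        return 0.0
    n = len(sample)
    return -sum(c / n * math.log2(c / n) for c in Counter(sample).values())

def classify(blob, threshold=7.5):
    """Label one backup image from its first bytes."""
    for offset, magic, label in PLAINTEXT_MAGIC:
        if blob[offset:offset + len(magic)] == magic:
            return "unencrypted " + label
    # High entropy is consistent with ciphertext but does not prove it:
    # headerless compressed data looks the same, so treat this as a triage signal.
    if entropy(blob[:4096]) >= threshold:
        return "likely encrypted"
    return "unencrypted raw data"

def sample_backups():
    """Constructed stand-ins for images read back from old and new tapes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        payload = b"id,name,account\n1,Alice Example,0000\n"
        info = tarfile.TarInfo("customers.csv")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    plain_tar = buf.getvalue()
    # Stand-in for ciphertext: deterministic pseudo-random bytes, not real encryption
    fake_cipher = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
    return {
        "2006-full.tar": plain_tar,
        "2007-full.tar.gz": gzip.compress(plain_tar),
        "2007-db-dump.sql": b"INSERT INTO clients VALUES (1, 'Alice Example');\n" * 100,
        "2008-full.enc": fake_cipher,
    }

def audit(backups):
    """Return {name: verdict} and the sorted list of images that still need encrypting."""
    verdicts = {name: classify(blob) for name, blob in backups.items()}
    todo = sorted(n for n, v in verdicts.items() if v.startswith("unencrypted"))
    return verdicts, todo
```

Calling `audit(sample_backups())` returns the per-image verdicts and the list of images to re-write in encrypted form.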

Backup encryption is a key part of your solution to protecting your network’s data. Make no compromises when it comes to data loss prevention.

Sep 3

It seems as if Apple’s MobileMe service has quite a few problems. A couple of weeks ago, the TechCrunch Blog reported a design flaw with the service that allows attackers to crawl the site’s public folder structure and obtain usernames. These usernames are the same usernames used for email addresses for the service. While this isn’t a huge concern for users of the service because it does not expose sensitive information about the user, it is one more way for a spammer to easily obtain email addresses.

Email addresses obtained in this way can be used to launch a targeted spam campaign to phish for passwords and other sensitive information. One more reason why it is important to filter emails and be mindful of what you click on.

A larger concern about the service is the fact that the service does not use SSL security when transferring data from one account to another. The service is an email, contact, and file management service that allows users to collaborate with each other. Account and credential information is encrypted, but not the data that the users send. This is a larger concern due to the fact that users may not be completely aware of this issue and sensitive and confidential data may be transferred over the web and put at risk.

The combination of knowing the user’s email address and being able to openly view transferred data through the service could allow an attacker to target their attacks knowing direct information about the user.

With that said, Apple is not the only one to blame when it comes to openly displaying usernames in a public webpage format. Many social network sites display a user’s login name on searchable webpages that can then be used to find information on the user. One more lesson on how the internet is an open and public forum.

Aug 27

So I was reading more on the latest information about the number of security breaches this year. I was reading an article by George Hulme over at Information Week about why additional laws are needed for data protection compliance, particularly in the health care industry. HIPAA policies are beginning to be enforced, but it will be a while before we start seeing accurate reports on the number of security breaches.

There has been better security compliance over the last few years, but there is still much more work that needs to be done. There are many industries that need the same type of attention applied as has been done with the financial sector. Hulme mentions how the health care industry is so far behind financial industry compliance. I believe that part of this reason is because the health care industry is generally behind the financial industry when it comes to technology.

While there have been strides made in the health care industry with HIPAA policies, there is still a ways to go with enforcement and auditing those standards. It was only last year (2007) that the Department of Health and Human Services conducted its first audit. As always with audits, it will take a little while until all the kinks are worked out and they can really be accurate with their final reports. This can clearly be seen with the financial sector’s latest report from 2008’s security breach numbers; and SOX auditing has been around longer than HIPAA policy auditing.

The health care industry also reaches sectors where network technology is underutilized. This makes it hard to give accurate numbers on data breaches due to malicious software and attacks. Many private doctors’ offices don’t invest much of their resources into technology and because many offices are making a big push for technology, other offices don’t feel the need to make the push themselves. Often what causes a practice or company to upgrade their infrastructure is when their competitors or partners improve theirs. With much of the industry lagging behind, there is still a large portion that uses paper records as their main data repository method.

Many private practices also outsource their patient management systems to third-party companies. This means that patient data is crossing more networks and is thus exposed to more hands, eyes, and network nodes. All this adds to increased security risk while at the same time making auditing across separate networks difficult. Many of these smaller practices and health care providers don’t have a full-time IT staff and so security is not looked at as an ongoing chore as it should be.

So while adjustments have been made to increase security and privacy, there is still a lazy approach to enforcement in the health care industry. More laws are needed to enforce HIPAA policies; otherwise this trend will continue.

Aug 26

According to the Identity Theft Resource Center, the number of reported data breaches for 2008 has already passed the amount that was reported for all of the year 2007. In 2007, the number of data breaches reported was 446. This number for 2008 has already surpassed the 450 mark.

The ITRC only reports on data breaches where more than 22 million records are exposed and in more than 40% of data breaches the number of records exposed is not fully disclosed. This means that the total number of records exposed from these data breaches is incomplete and can’t be used for any accurate research.



Not only is the number of records exposed inaccurate, but the actual number of breaches is fairly inaccurate as well. One of the reasons why the breach number for 2008 is 4 months ahead of 2007 is because the ITRC is much better at tracking these data breaches. The actual number of breaches is most likely much higher, due in part to the fact that some are never reported and some multiple events are actually recorded as single events. Because of all this, it is hard to say whether or not the number of data breaches is truly getting worse. A longer period of recording is needed to flush out any inaccuracy.

For more information on this report, visit the ITRC’s website.

Aug 20

As a security IT professional for a company, one of your main concerns revolves around protecting your company’s data. Data loss prevention; really that is what everything boils down to. We do backups of our data to protect it. We patch our systems so that data won’t be compromised. We audit activity to prevent unauthorized access. Almost every security measure we take is to safeguard the data that our company uses.

But, are you doing everything you can to protect data? You may be protecting your data from outside intruders, but what about protecting your data from your own employees? For data loss prevention, you must take a look at every interaction that the data has with an end-user and also every interaction that the data has with other network nodes.

Taking the right safeguards for data loss prevention involves using the right tools to not only prevent data loss, but also audit it so that you can make adjustments to prevent it in the future. The first investment you should make is an auditing hardware appliance. These appliances gather syslog data, event log data, and other security auditing information from nodes everywhere on the network. They then format it and supply all this information to you in report form for review. This will help you analyze your network and point you in the right direction for data loss prevention. For more important security events on the network, the device can send out alerts notifying you of any data leaks, unauthorized data access, or intrusions.

Once you know where your main weak areas are on your network, you can take action in locking them down. You will want to do a full permissions audit and review on your data and ensure that no one has access to data who shouldn’t have it. This doesn’t just mean modifying permissions on files on your storage drives. It requires thinking outside of the box. For example, if you send backup tapes offsite to a remote location, then making sure that data on those tapes is encrypted is important. Without encryption, whoever touches those tapes on their way to and from that remote location has access to all the data on those tapes. Or if you send your data to a remote location via the network, is that data stream also encrypted? Are thumb drives and writable CDs allowed on the network? If so, are you able to tell if someone copied sensitive information to one?

These are all things you must look at for complete data leak prevention. It is all part of your encompassing network security policy. To prevent data loss, you must track that data wherever it goes. Start with an audit of your network and go from there. Data loss prevention is an ongoing process and should never be taken lightly.