Risk Level: HIGH
Off-site and web-enabled access from anywhere is creating significant security holes.
Type of Threat:
We are giving authorized user access to almost everyone we work with, supplying corporate information or valuable data from anywhere on mobile devices, apps, or through public Wi-Fi. The opportunity exists for countless bugs and viruses to gain access, not to mention the risk of losing a mobile device with its connectivity settings intact. It’s more common than you think!
Why this is so important:
Personal devices are not usually monitored, whether personal or company owned. This opens up huge risks to your secure data just from typical user behavior, which includes personal web surfing, pornography (viruses), torrents, movies, personal email, apps, software / malware and more. End users believe connections to the corporate network are protected, but what is not clear is what else is watching and logging that activity. With no protection on the endpoint, it’s impossible to know how extensive the threat is.
At risk employees:
Desktops and laptops contain user logon information for what matters: data, company drives, bank information, credit information, identity. It’s a risk just to have authorized users accessing this information, but potentially a ten-fold risk if they do it from home on their own PCs or laptops. Quite simply, inserting a USB drive holding a kid’s homework paper can introduce all sorts of things onto the PC.
How to mitigate:
Simple as it sounds, you need a usage policy that requires any device accessing the network to have policy enforcement on it, both on the network and off, period. We can debate legal infringement all day, but it boils down to this: the privilege of accessing company information remotely carries a security cost. DLP endpoints that enforce the last known policy regardless of connection to the Internet are a must.
Technical Recommendations – We recommend software that loads on each workstation and enforces policies for data loss, internet access, USB usage, attachment scanning and more, in effect at all times both on the corporate network and off. This becomes even more important for remote employees and contractors. DLP endpoint software is simple and easily managed, and it is what we recommend.
Risk Level: MODERATE
Internal threats now represent more than 60% of the risk to company data, 40% coming from hackers.
Type of Threat:
Web applications and web-enabled mobile devices, adopted for convenience, are a green-field frontier for hackers. Corporate defenses were never designed to block web traffic – they just allow port 80 and block playboy.com. OK, we’re way beyond the security of 1998, so now we must re-look at our gateway devices and require them to control the most important aspects of our company, including web application access, usage, monitoring, website visits, reporting and more. We can no longer stand by and hope our CRM access, our database, email and more are secure.
Why this is so important:
Convenience has moved faster than our security policies. Internal threats now represent more than 60% of the risk to company data, 40% coming from hackers. We must remember internal threats are dangerous for three main reasons:
- We trust them (authorized users)
- We don’t typically monitor them
- We give them access to everything.
End users and executives alike have a limited time with an organization. The best practice is to realize that loyalty is not what it used to be, to get serious about a policy, and then to employ technology to ensure the data and assets are protected. When people are connected to the web or even their web mail, the natural belief is that they can “send” important documents to their home email, or from their home email, to “work” on them remotely. That activity just lost your entire database of customers. Hopefully they don’t work for a competitor in the future…
Liability has gone up? You bet!
Giving someone an iPad is enough to cause liability. Imagine them at home accessing things they should not with company resources. Guess whose fault it is? Yup – it’s the company’s. Now imagine an employee downloading music and movies on a corporate-owned system through open ports that traditional firewall/filter combos can’t block. Again, it’s the fault of the company. The third point is someone losing their laptop, which happens to have customer information on it. This happens all the time and brings hundreds of thousands of dollars in liability, apologies, letters of shame, identity theft issues and more. Again, it is the company’s responsibility and liability.
How to mitigate:
A couple of easy ways: first, you need a usage policy defining what can be accessed and what is inappropriate (BorderLAN can help with this template); second, a smart filter that monitors, reports and blocks inappropriate access both ON network AND OFF network, on company devices or even personal devices; third, outline a web-app policy and procure a device to manage those apps. Think of it as an internal-facing web-app firewall.
We recommend appliance-based web filtering with the capability to control iPads and mobile iDevices. We recommend Web Application Firewall appliances to mitigate and enforce usage policies on apps that are accessing critical and confidential data. BorderLAN can help consult on and size these appliances for your organization.
Risk Level: MODERATE
Method of entry:
Small Application / script payload / website link / email or spam
How it works:
Small, ever-changing random payload scripts are carried in quietly, usually on the back of an email, USB file, freeware program, Facebook-looking invite, shared movie file, shared audio torrent, etc.
Method of deployment:
Slow deployment will not replicate itself and send off warning signals. Instead it sits quietly in its random form listening, learning, keying every website and keystroke. Eventually the most complex can initiate simple web sessions and “post” the data in the background, using open web ports, to the hackers’ servers. From there data is sourced and filtered, used and sold depending on the quality.
Desktops and laptops contain user logon information for what matters: data, bank information, credit information, identity. Hackers know this and realize that network hacks have become complex and difficult. Hackers are like electricity: they take the path of least resistance, and right now it seems the endpoint is the place. Why try to hack through huge defenses when you can ride in and learn all the passwords through an unprotected trusted employee?
Who is doing it:
Out of country hackers primarily, open source software. Thousands of faceless hackers work to develop and implement cross border attacks as enforceability is non-existent.
Why it can be a substantial threat:
It’s not defended against using the traditional methods of blacklist AV and anti-malware. “Anti” technologies must first identify a “match” before they can block a threat. What if the threat keeps changing, keeps morphing, and randomizes?
How to mitigate:
The trillion dollar question is how to mitigate. Ironically, that’s the kind of number in losses we are talking about if this is not handled. The impact on every organization is significant and should be top of mind.
Technical Recommendations – We recommend software that limits payload deployment. Identifying which payloads or applications can run via a whitelist is a safe layer of defense, as most other randomly created threats and applications fly right through AV. Executable whitelisting is simple and easily managed from simple server software.
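The contrast between signature matching and executable whitelisting described above, as an added example that is not from the original page or from any vendor's product. It assumes hash-based whitelisting (real products may also approve by publisher or path), and every file content and name in it is constructed for illustration.

```python
import hashlib


def digest(image: bytes) -> str:
    """SHA-256 of an executable image, used as its identity."""
    return hashlib.sha256(image).hexdigest()


class SignatureBlocklist:
    """Default allow: block only images whose hash is already known bad."""

    def __init__(self, known_bad):
        self.known_bad = {digest(i) for i in known_bad}

    def may_run(self, image: bytes) -> bool:
        return digest(image) not in self.known_bad


class ExecutableAllowlist:
    """Default deny: run only images whose hash an admin has approved."""

    def __init__(self, approved):
        self.approved = {digest(i) for i in approved}

    def approve(self, image: bytes) -> None:
        self.approved.add(digest(image))

    def may_run(self, image: bytes) -> bool:
        return digest(image) in self.approved


# Constructed sample data: byte strings standing in for executable files.
APPROVED_APPS = [b"office-suite build 1", b"browser build 7"]
KNOWN_SAMPLE = b"unwanted-script original"
# Each variant differs by a few bytes, as a self-randomizing payload would.
VARIANTS = [KNOWN_SAMPLE + b"#" + str(n).encode() for n in range(50)]
PATCHED_APP = b"browser build 8"  # legitimate update, not yet approved


def compare():
    """Run the same files past both models and report what each lets through."""
    blocklist = SignatureBlocklist([KNOWN_SAMPLE])
    allowlist = ExecutableAllowlist(APPROVED_APPS)
    result = {
        "blocklist_stops_original": not blocklist.may_run(KNOWN_SAMPLE),
        "variants_past_blocklist": sum(blocklist.may_run(v) for v in VARIANTS),
        "variants_past_allowlist": sum(allowlist.may_run(v) for v in VARIANTS),
        "approved_apps_run": all(allowlist.may_run(a) for a in APPROVED_APPS),
        # Operational cost of default deny: updates need re-approval.
        "patched_app_before_approval": allowlist.may_run(PATCHED_APP),
    }
    allowlist.approve(PATCHED_APP)
    result["patched_app_after_approval"] = allowlist.may_run(PATCHED_APP)
    return result


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value}")
```

The blocklist stops only the exact sample it has a signature for, while the whitelist denies every variant without knowing any of them; the cost is that a legitimate update is also denied until someone approves it.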
Redlands Unified School District (RUSD) is a California-based school district, serving over 21,000 students. There are 23 schools in the district, ranging from elementary to high schools, and over 1,800 employees. RUSD currently has over 7,000 Windows computers across the district, supported by 75 servers. The main district office connects to all of its schools via fiber point-to-point optic connection.
Like many school districts, RUSD was mandated to cut costs and realize savings wherever possible. The district did not have an existing power management strategy in place, and therefore manually shut down its computers every night. Not only was this difficult to control, but because there were no specific reporting features, it was impossible to determine how much unnecessary energy was being consumed or saved.
The Technology Services Coordinator, David Massaro, and the Facilities team attended a Southern California Edison presentation on power management. For schools and other organizations facing shrinking budgets, they learned that a dedicated PC power management solution is an immediate and cost-effective way to reduce computer energy consumption and greenhouse gas emissions. Southern California Edison is one of the largest power providers in California and provides rebates to school districts and companies who purchase PC power saving software.
Recognizing the opportunity to save money with a dedicated PC power management solution, Massaro began researching various solutions. Out of the numerous vendors Massaro examined, Faronics caught his attention. As an already satisfied customer of Faronics Deep Freeze (an instant system restore solution) and Faronics Insight (a classroom management solution), David didn’t hesitate to choose Faronics Power Save as their power management solution of choice.
The PC energy reducing software is now deployed on over 5,500 computers at RUSD. There are two dedicated servers that manage all Power Save PCs in the district’s office, and the software has been configured to ensure the most efficient savings without any end-user disruption.
The Department of Health and Human Services (HHS) released even more safeguards for patients’ health information. The primary change is the Omnibus rule, which says any improper use will be considered a breach and would result in mandatory notification requirements. The Omnibus rule also extends the requirements of HIPAA privacy to all business associates of physicians and all subcontractors doing business with physicians. The official deadline for the Omnibus rule is March 26, 2013. Proper policies and technologies should be implemented immediately to ensure compliance. Some helpful technologies for HIPAA that BorderLAN Network Security supplies are:
- Email Encryption – Helps physicians communicate securely about patients with contractors, third-party medical facilities, hospitals, and even home healthcare practitioners.
- Intelligent antivirus – enterprise level AV software to watch not only known threats but help prevent emerging threats and zero day attacks.
- Desktop security software – helps prevent leaks that occur when end users load programs or malware, knowingly or unknowingly.
- Bring your own device – enterprise server that can accept and remember guest connections to Wi-Fi, and ensure those devices are scanned according to policy before being allowed on the network.
- Proper web filtering – high-capacity servers that mitigate users’ web activity and help prevent web-based threats, downloads, Hotmail and other potential holes and breaches for HIPAA.
- USB prevention and data loss prevention – software that enforces security policies on endpoints both on network and off network.
See products from BorderLAN at http://borderlan.com/products/ for more information.
Email Security for America’s Protectors
When you’re in the business of guarding the financial concerns of the people responsible for protecting America, you want to make sure their personal data is safe.
That’s why Justice Federal Credit Union chose Zix Corporation (ZixCorp) for their email encryption solution.
Justice FCU is the premier provider of financial services to employees of the Department of Justice and the Department of Homeland Security. It also offers membership to those working for state and local law enforcement organizations. With assets of approximately $438 million, it pledges to maintain the highest standards of confidentiality to protect their members’ personal privacy. Every single employee, from mortgage specialists to marketing staff, uses ZixCorp® Email Encryption Services to send secure messages to members and business partners.
“With the alarming rate of identity theft in the United States, email encryption is crucial for the protection of our members’ personal information,” said Rifat Ikram, Justice FCU’s Vice President, Electronic Delivery and Support Services. “We chose ZixCorp Email Encryption Services because of its superior reputation.”
Another key factor in selecting ZixCorp Email Encryption Services was that the Federal Financial Institutions Examination Council (FFIEC) agencies have implemented it, says Ikram. “If they’ve done their homework and have chosen ZixCorp, it makes it easier for credit unions encryption solution. If the ZixCorp solution is good enough for the FFIEC, it’s a no-brainer that it would be the right choice for us.”
The SafeConnect NAC solution provides the flexibility to select and use only the policy modules needed to satisfy the requirements of their security plan. Administrators can implement the policy modules standard to the SafeConnect solution including compliance with anti-virus, anti-spyware, Microsoft OS patches, as well as registration and authentication.
Other standard policy modules include peer-to-peer file sharing, access points, and power management. Custom policies can also be created based on the existence or non-existence of file types, registry settings, services, and processes on endpoint devices.
La Mesa-Spring Valley School District is a K-8 district located in the East County of San Diego. The District serves 14,310 students housed in 18 elementary (K-5) and four middle schools (6-8). Certificated and classified employees number 1,550.
District-wide there are approximately 1,600 workstations running on a Novell core network. Though Windows workstations are used by administrative staff, Macs are used for educational purposes by students and teachers. The Macs mainly run OS 10.2.8 to 10.3.9, with any new hardware purchases having OS 10.4 (there are also some older machines still running OS 8 & 9, but these are slowly being phased out). La Mesa-Spring Valley School District has an annual budget of $100,000,000 and an approximate student-to-computer ratio of 10:1 (on computers less than three years old).
At the time that La Mesa-Spring Valley was transitioning to Mac OS X, the Information Systems (IS) staff realized that, though the operating system offered an environment that was more “kid-proof”, there were still general worries with regard to students’ “explorations” and general OS integrity.
“Middle-schoolers are notoriously mischievous when it comes to computers,” said Richard Ribley, a Support Technician at La Mesa-Spring Valley. “They like to change things just because they can, whether that means taking items off the Dock, moving files to different locations or changing the toolbar in an application like Word. This would, of course, screw up the machine for the next person or even for the same person coming back to that machine later.”
Mr. Ribley and the La Mesa-Spring Valley IS staff found that the teachers often wouldn’t know how to rectify user-created difficulties or, if they did, would spend more time fixing the problems than teaching – a situation that didn’t work for either teacher or students. Generally, the teacher would end up calling the IS staff. With a staff of six and a schedule that meant that a staff member could only visit a school once every five days, a computer could easily be out of commission for a week.
In their preventative efforts, the IT staff implemented pop-up blocker software for Windows Explorer. When OS 8 and 9 were being utilized, La Mesa-Spring Valley used programs like On Guard (which they still use on their older systems) and Foolproof Security. With their transition to OS X, a security solution that worked with OS 10.2 (Jaguar) had to be implemented quickly, or computer downtime and over-stretched staff would become an ongoing problem. Attempting to use Jaguar’s Simple Finder to curtail precocious users proved unworkable because this solution did not allow for a shortcut to the District’s Novell server and, therefore, students could not log in to their network accounts. There were no known OS X alternatives out there.
“The difference that using Deep Freeze Mac made was huge,” said Mr. Ribley. “Immediately, we saw the amount of support time devoted to our Macs easily cut to 5% of what we had been spending prior to installing Deep Freeze. Deep Freeze eliminated 95% of all the software issues we were encountering so that almost the only difficulties we had were hardware-related.”
Security on an international level: Ameropa protects its global business with gateProtect
The Swiss company Ameropa AG was founded in 1948 and trades on an international basis. It currently manages the business of 22 Sectors located throughout the world from its headquarters in Binningen near Basel and is steadily expanding on all continents. Ameropa AG, which is not stockmarket listed, sees organic growth as instrumental in achieving this. Its core business is global trade in cereals and artificial fertilisers and also in petrochemicals and metals. Around 2,300 people work for the company, many of them in the field.
At the Ameropa headquarters in Binningen in Switzerland, administration of IT security is outsourced to the German service provider Computer Löwe. “In 2003, we put out 2 calls for tenders: for the replacement of the SonicWALL solution and an upgrade of the security infrastructure at Ameropa’s international locations. In a direct comparison between SonicWALL and gateProtect, the Hamburg supplier clearly came out on top,” says Markus Keller, Managing Director of Computer Löwe. “This was mainly because the gateProtect firewall is so easy to operate, but also because SonicWALL were unable to offer German-speaking support.” The intuitive and process-oriented front-end to the gateProtect administration client, the ergonomic Graphic User Interface (eGUI®), is the reason why it is so easy to operate.
The project has grown steadily over the last five years. Two gateProtect GPA 400 solutions have been implemented at Ameropa headquarters and guarantee high availability and failure safety. The foreign branches have acquired four GPA 250 and four GPO 125 solutions, which can be maintained remotely; however, the administrator can also make changes to the configuration locally, as required.
As operation has been trouble-free, the gateProtect implementation is being steadily extended. For example, there are plans to deploy more gateProtect solutions at the locations in the UK, Brazil and the Czech Republic. The existing Cisco VPN solution is also set to be replaced by the equivalent gateProtect product.
The Research and Development Centre (Forschungs- & Entwicklungszentrum) Witten GmbH is a service provider for innovative start-ups with five to fifteen employees. FEZ undertakes its main functions (management consulting, provision of infrastructure and technology transfer) in close collaboration with the University of Witten/Herdecke, with sponsors of business in the region and with partners from other regions. Currently, 57 companies with around 150 employees work in the FEZ.
One of the most important of the services provided by FEZ is making a modern infrastructure available. The basic equipment includes a powerful data network with a 100 Mbit/sec direct connection to the backbone. The data network is managed by an external IT service provider. In order to protect the intellectual property of the tenants, FEZ offers a security service in the form of a firewall to safeguard their corporate networks.
Since the beginning of 2007, FEZ has implemented version 8.0 of the GPX 800 UTM solution from gateProtect, currently licensed for 100 users. The firewall divides the network into 40 subnetworks, using the VLAN functionality that became available with version 8.
The gateProtect firewall has been running reliably and with practically no interruptions since it was launched. The neutrality of the gateProtect solution regarding the hardware and software platforms used behind the firewall should also be highlighted.
With the implementation presenting no problems so far, e-Systems is campaigning at FEZ for the gateProtect appliance to be used as a UTM solution. For example, virus protection on the gateway would be offered to the tenants as an additional service.
On top of that, it is planned to protect a second start-up centre with the implemented gateProtect solution. This is the Zahnbiologische Zentrum (ZBZ), the most modern dental biology institute in Europe, which is under construction opposite FEZ and is almost complete. To allow this, it is merely necessary to increase the number of licensed users on the existing gateProtect appliance because, according to Christoph Weimann, the potential of the GPX 800 is by no means exhausted.