Risk Level: HIGH
Offsite and web-enabled access from anywhere is creating significant security holes.
Type of Threat:
We are giving authorized-user access to almost everyone we work with, supplying corporate information or valuable data from anywhere on mobile devices, in apps, or over public Wi-Fi. This creates an opening for countless bugs and viruses to gain access, not to mention the risk of losing a mobile device with its connectivity settings intact. It’s more common than you think!
Why this is so important:
Devices are not usually monitored, whether personal or company owned. This opens up huge risks to your secure data just from typical user behavior, which includes personal web surfing, pornography (viruses), torrents, movies, personal email, apps, software / malware and more. End users believe connections to the corporate network are protected, but what is not clear is what else is watching and logging that activity. With no protection on the endpoint, it’s impossible to know how extensive the threat is.
At-risk employees:
Desktops and laptops contain user logon information for what matters: data, company drives, bank information, credit information, identity. It’s a risk just to have authorized users accessing this information, but the risk is potentially tenfold if they do it from home on their own PCs or laptops. Quite simply, a USB insert of a kid’s homework paper can introduce all sorts of stuff on the PC.
How to mitigate:
Simple as it sounds, you need a usage policy that requires any device accessing the network to have policy enforcement on it, both on the network and off, period. We can debate legal infringement all day, but it boils down to this: the privilege of accessing company information remotely carries a security cost. DLP endpoints that enforce the last known policy regardless of connection to the Internet are a must.
Technical Recommendations:
We recommend software that loads on each workstation and enforces policies for data loss, Internet access, USB usage, attachment scanning and more, in effect at all times both on the corporate network and off. This becomes even more important for remote employees and contractors. DLP endpoint software is simple, easily managed software that we recommend.
La Mesa-Spring Valley School District is a K-8 district located in the East County of San Diego. The District serves 14,310 students housed in 18 elementary (K-5) and four middle schools (6-8). Certificated and classified employees number 1,550.
District-wide there are approximately 1,600 workstations running on a Novell core network. Though Windows workstations are used by administrative staff, Macs are used for educational purposes – students and teachers. The Macs mainly run OS 10.2.8 to 10.3.9, with any new hardware purchases having OS 10.4 (there are also some older machines still running OS 8 & 9, but these are slowly being phased out). La Mesa-Spring Valley School District has an annual budget of $100,000,000 and an approximate student-to-computer ratio of 10:1 (on computers less than three years old).
At the time that La Mesa-Spring Valley was transitioning to Mac OS X, the Information Systems (IS) staff realized that, though the operating system offered an environment that was more “kid-proof”, there were still general worries with regard to students’ “explorations” and general OS integrity. “Middle-schoolers are notoriously mischievous when it comes to computers,” said Richard Ribley, a Support Technician at La Mesa-Spring Valley. “They like to change things just because they can, whether that means taking items off the Dock, moving files to different locations or changing the toolbar in an application like Word. This would, of course, screw up the machine for the next person or even for the same person coming back to that machine later.”
Mr. Ribley and the La Mesa-Spring Valley IS staff found that the teachers often wouldn’t know how to rectify user-created difficulties or, if they did, would spend more time fixing the problems than teaching – a situation that didn’t work for either teacher or students. Generally, the teacher would end up calling the IS staff. With a staff of six and a schedule that meant that a staff member could only visit a school once every five days, a computer could easily be out of commission for a week.
In their preventative efforts, the IT staff implemented pop-up blocker software for Windows Explorer. When OS 8 and 9 were being utilized, La Mesa-Spring Valley utilized programs like On Guard (which they still use on their older systems) and Foolproof Security. With their transition to OS X, a security solution that worked with OS 10.2 (Jaguar) had to be implemented quickly or computer downtime and over-stretched staff would become an ongoing problem. Attempting to use Jaguar’s Simple Finder to curtail precocious users proved unworkable because this solution did not allow for a shortcut to the District’s Novell server and, therefore, students could not log in to their network accounts. There were no known OS X alternatives out there.
“The difference that using Deep Freeze Mac made was huge,” said Mr. Ribley. “Immediately, we saw the amount of support time devoted to our Macs easily cut to 5% of what we had been spending prior to installing Deep Freeze. Deep Freeze eliminated 95% of all the software issues we were encountering so that almost the only difficulties we had were hardware-related.”
Security on an international level: Ameropa protects its global business with gateProtect
The Swiss company Ameropa AG was founded in 1948 and trades on an international basis. It currently manages the business of 22 Sectors located throughout the world from its headquarters in Binningen near Basel and is steadily expanding on all continents. Ameropa AG, which is not stockmarket listed, sees organic growth as instrumental in achieving this. Its core business is global trade in cereals and artificial fertilisers and also in petrochemicals and metals. Around 2,300 people work for the company, many of them in the field.
At the Ameropa headquarters in Binningen in Switzerland, administration of IT security is outsourced to the German service provider Computer Löwe. “In 2003, we put out 2 calls for tenders: for the replacement of the SonicWALL solution and an upgrade of the security infrastructure at Ameropa’s international locations. In a direct comparison between SonicWALL and gateProtect, the Hamburg supplier clearly came out on top,” says Markus Keller, Managing Director of Computer Löwe. “This was mainly because the gateProtect firewall is so easy to operate, but also because SonicWALL were unable to offer German-speaking support.” The intuitive and process-oriented front-end to the gateProtect administration client, the ergonomic Graphic User Interface (eGUI®), is the reason why it is so easy to operate.
The project has grown steadily over the last five years. Two gateProtect GPA 400 solutions have been implemented at Ameropa headquarters and guarantee high availability and failure safety. The foreign branches have acquired four GPA 250 and four GPO 125 solutions, which can be maintained remotely; however, the administrator can also make changes to the configuration locally, as required.
As operation has been trouble-free, the gateProtect implementation is being steadily extended. For example, there are plans to deploy more gateProtect solutions at the locations in the UK, Brazil and the Czech Republic. The existing Cisco VPN solution is also set to be replaced by the equivalent gateProtect product.
gateProtect provides central security in the virtual network of the North Rhine-Westphalia association
The Johanniter-Unfall-Hilfe e.V. is part of the Protestant Order of St. John. It is involved in various social and charitable activities ranging from outpatient care for the elderly to working with children and young people to aid projects on an international scale. In Germany alone, the Johanniter-Unfall-Hilfe e.V. has around 8,500 permanent employees, more than twice as many volunteers and over a million members providing financial support.
The North Rhine-Westphalia regional association based in Cologne is one of the largest in the national Johanniter association. The organisation manages 15 of the total of 60 retirement homes throughout Germany and four of the fifteen Johanniter hospitals. There are also dozens of day nurseries for children, emergency services and domestic services such as Meals on Wheels.
Decentralising the use of central IT resources helps to cut costs and improve productivity. This applies particularly to sectors such as social services, which are growing quickly, but must withstand the huge pressure of rising costs. The North Rhine-Westphalia regional Johanniter association decided therefore to allow as many users from the branch offices as possible to access data and applications at headquarters in Cologne. As this is sensitive personal data, data protection was given the highest priority when the retirement homes and seven other sites were linked in via VPN. And, as the users also need Internet and e-mail communication, the firewall had to offer more functionality such as virus protection, spam protection and content/web filtering like a UTM solution.
The GPX 800 solution from gateProtect has been in operation successfully since 2003. Since then, the retirement homes and other sites have been connected by VPN to the central network and employees can use data and applications from headquarters. When senior regional association managers are on the road, they can also access the IT resources in Cologne, which is where most of the IT infrastructure is located. Approximately 50 users have access to core applications such as management software for outpatient care and homes, bookkeeping software, programmes for planning menus and excursions etc. The hardware – servers, desktop PCs, Notebooks etc. – is all supplied by Hewlett Packard. Only the head office has its own IT department; the other sites are supported by external IT administrators as required.
When Bank Rhode Island was looking for an email encryption service for communicating with customers and business partners, it turned to Zix Corporation (ZixCorp) for the answer.
“I wanted an encryption solution targeted to the financial services market that needed very little investment in human capital and resources to set it up and minimal maintenance after that. Ease of use and ease of installation were key,” said Don Morash, Vice President and Information Security Officer for Bank Rhode Island. “That’s what ZixCorp delivered.” The fact that the Federal Financial Institutions Examination Council (FFIEC) agencies rely on ZixCorp for their email encryption was icing on the cake.
“What sold me was that ZixCorp has the federal regulators as customers,” said Morash. “If they’ve chosen ZixCorp, then obviously their email encryption service really works.”
Bank Rhode Island, founded in 1996, is a full-service financial institution with 16 branches across the state. With $1.5 billion in assets and 270 employees, it’s a mid-sized bank with a business focus priding itself on meticulous customer service. “We’re a community bank that really understands our clientele,” said Morash. “And in terms of protecting their information, we err on the side of caution.”
ZixCorp® Email Encryption Services allow the bank to leverage the efficiency of email communication while ensuring the appropriate controls to protect sensitive information as it’s in transit. “With this solution, we can permit electronic exchange of data, because we know it’s secure,” said Morash.
“If everybody were using the ZixCorp solution – if it became the world standard for email encryption – that would be great,” said Morash. “Then nobody would have to worry about whether their email is secure.”