data security

What You Need to Know About PCI DSS 3.0 – Closed to Risk, Open to Business

We’ve been closely following all the revelations about the recent massive credit card breach at Target stores in the U.S., which was soon followed by news of credit card theft from Neiman Marcus and Michael’s stores. Corey Nachreiner has done a great job of summarizing the chain of events in a recent blog post.

It is likely that all the retailers involved, Target, Michael’s, and Neiman Marcus, had passed their PCI compliance audits. But malware was used to scrape credit card data from the RAM of Point of Sale (POS) systems, and it looks like the hackers broke into Target’s IT infrastructure using stolen third-party vendor credentials. The net result is that consumer confidence in the safety of credit card data is probably even lower today than it was back in 2004, when the PCI standard was first introduced. In the wake of these breaches, many people, including Gartner analysts, have been asking whether the PCI standard is worthwhile.

PCI is not a panacea for all credit card loss. It is a basic set of security controls that codifies common-sense security practices. Compliance is not security: passing an annual PCI audit does not guarantee the safety of your customers’ data, much like getting a driver’s license does not mean you will never crash a car. You need to remain vigilant at all times.

It is debatable if the standard is adapting fast enough, but it is still important for affected security pros to stay current with latest updates. To help you, WatchGuard has just finished a new webinar on credit card security and the updates to PCI DSS 3.0 titled, “Closed to Risk, Open for Business.”

PCI DSS is a fairly mature standard now. Most of the changes in PCI DSS version 3.0, which was published in November 2013 and took effect in January, are in place to clear up any points of confusion between QSAs and the companies that they audit.


In fact, 62 of the listed changes are Clarifications, another 5 are Additional Guidance, and there are 19 more significant updates that fall in the category of Evolving Requirements. The Evolving Requirements are probably the most significant, and some of the key new areas of emphasis include:

  • Combined password strength requirements.
  • Relationship and responsibilities of third party vendors and cloud providers.
  • Better documentation of the scope – network diagrams should now include cardholder data flows; maintain an inventory of systems in scope and an inventory of wireless access points.

To find out more details about PCI DSS and what’s new in version 3.0, you can watch the full WatchGuard webinar here.


Visibility is necessary to determine which information to secure

You can’t protect what you don’t know needs to be protected.

This may sound painfully obvious, but recent research shows that information security professionals don’t have nearly enough visibility into the information they are tasked with securing. We know this because we worked directly with Frost & Sullivan researchers to measure the level of insight security professionals have into their data systems.

We presented the results in a webinar with Frost & Sullivan Principal Consultant Jarad Carleton. You can view the full webinar now to get the details on just how important visibility is to defending your data.

Finding the cuts in the locked gates

Defense in depth is important, but multiple systems with multiple dashboards increase the burden on overtaxed InfoSec professionals. When information is spread across systems and servers that house a business’s lifeline, and there is no way to connect them, the risk of a hack or of exposure through a vulnerability can go unmitigated. Frost & Sullivan’s research shows that only 15 percent of IT spend is funneled toward detecting an intrusion or compromise.

Businesses assume that by erecting a fence around their data, they are protected. But consider the fence around your data to be like the fence around 100,000 acres of rangeland. If cows start to disappear, finding the hole they’re escaping from can be a monumental task unless you have systems in place to detect those weak points. It’s no different in information security. If a leak happens with your data, you will only find out when it’s too late and your intellectual property or customer data has been exposed.

The webinar is an important lesson in how products like WatchGuard Dimension can offer visibility into incoming threats, attack vectors and vulnerabilities, as well as how to protect your business from dangerous viruses like CryptoLocker.

Analyze all the data

WatchGuard Dimension is capable of analyzing your network’s inbound and outbound traffic in real time. It offers visibility into bandwidth usage, application control and other vital information, not only for protecting your data but also for detecting potential data exposure.

The webinar recording features a live demonstration of how WatchGuard Dimension can actively identify the signatures of CryptoLocker. CryptoLocker is a form of ransomware that is quickly spreading across the Internet through phishing and social engineering attacks. It encrypts the data on a computer’s hard drive and only offers the decryption key if the owner pays a significant fee.

Thanks to WatchGuard’s best-of-breed approach, our collaboration with key antivirus providers not only enables our customers to prevent the virus from taking root on a computer, but also gives administrators the ability to identify at-risk users and targets before they fall victim to an attack.

We invite you to watch the recorded webinar now and learn how greater network visibility will enable you to protect your users and your data better. And, if you’re ready to try out WatchGuard Dimension, let us know now.

ACS Aviation uses WatchGuard to make its global connections

As the global economy continues to unify, global demand for flights rose 7.5 percent in August compared to last year. As more travelers take to the air, the need for airlines to be aligned on compliance issues and international standards continues to grow.

This is why ACS Aviation Solutions has experienced tremendous growth. Along with that growth has come tremendous demand on its network that supports a global, remote staff of 70 field workers, analysts and consultants. ACS runs an enterprise-grade IT infrastructure and needed bulletproof security, powerful centralized management, and fail-over capability for always-on high performance.

It found that solution with WatchGuard’s XTM unified threat management (UTM) platform. ACS deployed XTM appliances across its global offices to support its staff. ACS needed a solution that was secure for employees, but also provided access to its customers to highly sensitive documents and reports. Given the nature of ACS’ work, all data is highly confidential and security is paramount as it routinely communicates with global regulatory bodies. Additionally, it needed to have the failover that large enterprises expect from a unified threat management system.

In fact, the WatchGuard system was quickly put to the test after being implemented. The domain controller in ACS’ Dublin office went down due to a hardware failure. Because the server was not available, Dublin traffic was rerouted through Melbourne, enabling all staff to log on and operate as normal with no downtime.

ACS plans to begin using WatchGuard’s UTM platform to manage VPN connections for remote users, ensuring validation of connections occurs at the firewall, rather than in the server. This is like a doorman who asks visitors to wait outside while he checks their credentials, rather than first inviting the stranger in. The upshot is that traffic is validated between the firewall and the server, rather than between the server and the user. It’s an important distinction as it provides yet another layer of protection for the network.

Since implementing WatchGuard’s UTM platform, ACS has been able to experience the benefit of a secure network that hosts the company intranet, supports collaboration due to ease of document sharing, and provides reliable, robust disaster recovery capability.

WatchGuard XTM is a great fit for any business and our extensive lineup of appliances means that there is one that fits your needs. If you’re ready to learn how WatchGuard can fit into your business, learn more about WatchGuard now. You can also read the full details of the case study here.

8 Messaging Attributes to Trigger Email Encryption

Email encryption policies can be extremely granular and, once defined, applied automatically at the gateway. This ensures email encryption and email privacy is handled consistently, and eliminates the risk of user error by removing the need for senders to make decisions as to whether or not to secure an email and its content.

When encryption is enabled, you can use policy and content filtering features in your email security solution (in our case the XCS family of email security appliances) to scan for specific patterns in email messages that indicate the message must be encrypted, including:

  • Pattern Filters
  • Objectionable Content Filters
  • Content Scanning
  • Content Rules
  • Document Fingerprinting

For example, you can create a Pattern Filter to search for the word “[Encrypt]” in the subject field of a message. An end user can add this phrase to their message subject header to indicate the message must be encrypted before it is delivered.

Policies can be set to encrypt messages based on header, subject line, sender, recipient, content, attachments, and many other attributes of an email message, including:

  1. Header or Subject Line: Emails can be set to be encrypted based on keywords within the header or subject line.
  2. Sender or Recipient: Email encryption based on destination (e.g. auditors, Board of Directors, a specific business partner or supplier) or sender. For example, a policy can be set that defines that any emails from John Smith, the CFO of an organization, to the company’s auditor, Jane Doe at auditfirm.com are sent encrypted.
  3. User, Group, or Domain: Email encryption based on user, group, or domain, providing secure, enhanced flexibility of data-in-motion privacy without hindering the flow of data. For example, all emails sent out of the organization by the HR department can be set to be encrypted.
  4. Email Body: Searches for text in an outgoing message that identifies it as a message to be encrypted.
  5. Private Data and Objectionable Content: A pre-defined dictionary of words is checked against each message to determine whether it should be encrypted. For example, you may require that any outgoing message containing certain confidential information, such as credit card details or medical records, be encrypted.
  6. Keywords and Regular Expressions: Keywords and regular expressions found in the subject line or content of messages as defined within the appliance content control policies.
  7. Attachment Type: Email encryption based on other message attributes such as attachment type. For example, you can set encryption to be triggered on all .xls or .csv documents.
  8. Attachment Content: Our XCS email security appliance can scan the content of over 150 file types for keywords, phrases, or patterns; when policy-defined content is detected, the email is encrypted without user intervention.
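The following is an added illustration of the eight trigger classes above as a single gateway-side policy check. It is not WatchGuard XCS code and does not reproduce the appliance’s policy language; every policy value (the sender/recipient pair, the HR group, the audit-firm domain, the keyword list, the file extensions) is constructed for the example, as are the sample messages. Credit card detection pairs a digit-run regex with a Luhn check to cut false positives, which is the usual approach for a "private data" dictionary entry; attachment scanning assumes text-based attachments only.

```python
"""Gateway policy check: decide whether an outbound message must be encrypted.
Added example, not WatchGuard XCS code. All policy values (addresses, domains,
keywords, file types) and sample messages are constructed for illustration."""
import os
import re
from email import message_from_string
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# Constructed policy, one entry per trigger class in the list above.
SUBJECT_TAG = "[encrypt]"                                                       # 1
SENDER_RECIPIENT_PAIRS = {("john.smith@example.com", "jane.doe@auditfirm.com")}  # 2
ENCRYPT_FROM_USERS = {"hr@example.com", "payroll@example.com"}                  # 3 (group)
ENCRYPT_TO_DOMAINS = {"auditfirm.com"}                                          # 3 (domain)
BODY_KEYWORDS = ("confidential", "privileged")                                  # 4
POLICY_REGEX = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")                             # 6 (SSN-like)
ATTACHMENT_EXTENSIONS = {".xls", ".xlsx", ".csv"}                               # 7
# 13-16 digits, optional single space/dash separators, always ends on a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")                               # 5 / 8


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects most random digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def contains_card_number(text: str) -> bool:
    return any(luhn_ok(re.sub(r"[ -]", "", m.group())) for m in CARD_RE.finditer(text))


def _body_and_attachments(msg):
    """Collect decoded text bodies and (filename, raw bytes) attachments."""
    body, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_filename():
            attachments.append((part.get_filename(), payload))
        elif part.get_content_maintype() == "text":
            body.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(body), attachments


def encryption_reasons(raw: str) -> list:
    """Return the names of every policy trigger that fires for one raw message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    rcpts = [a.lower() for _, a in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
    subject = msg.get("Subject", "")
    body, attachments = _body_and_attachments(msg)
    reasons = []
    if SUBJECT_TAG in subject.lower():
        reasons.append("subject tag")
    if any((sender, r) in SENDER_RECIPIENT_PAIRS for r in rcpts):
        reasons.append("sender/recipient pair")
    if sender in ENCRYPT_FROM_USERS or any(r.rpartition("@")[2] in ENCRYPT_TO_DOMAINS for r in rcpts):
        reasons.append("user, group or domain")
    if any(k in body.lower() for k in BODY_KEYWORDS):
        reasons.append("body keyword")
    if contains_card_number(body):
        reasons.append("private data (card number)")
    if POLICY_REGEX.search(subject) or POLICY_REGEX.search(body):
        reasons.append("regular expression")
    for name, data in attachments:
        if os.path.splitext(name)[1].lower() in ATTACHMENT_EXTENSIONS:
            reasons.append(f"attachment type ({name})")
        text = data.decode("utf-8", "replace")  # assumption: text-based attachments only
        if contains_card_number(text) or any(k in text.lower() for k in BODY_KEYWORDS):
            reasons.append(f"attachment content ({name})")
    return reasons


def must_encrypt(raw: str) -> bool:
    return bool(encryption_reasons(raw))


# Constructed sample messages.
TAGGED = "From: alice@example.com\nTo: bob@partner.example\nSubject: [Encrypt] Q3 numbers\n\nSee attached.\n"
PLAIN = "From: alice@example.com\nTo: bob@partner.example\nSubject: Lunch?\n\nNoon works for me.\n"


def sample_with_csv() -> str:
    """Untagged mail whose CSV attachment carries a Luhn-valid test card number."""
    m = EmailMessage()
    m["From"] = "john.smith@example.com"
    m["To"] = "someone@other.example"
    m["Subject"] = "Customer export"
    m.set_content("Here is the export you asked for.")
    m.add_attachment("name,card\nA. Customer,4111 1111 1111 1111\n", subtype="csv", filename="export.csv")
    return m.as_string()


if __name__ == "__main__":
    for raw in (TAGGED, PLAIN, sample_with_csv()):
        print(must_encrypt(raw), encryption_reasons(raw))
```

Run as a script it prints the decision and the triggers for each sample: the tagged message fires on the subject tag, the lunch invitation fires on nothing, and the untagged customer export fires twice on its CSV attachment (type and content), which is the case the list is making: the sender never had to decide anything.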

Based on the growing volumes of confidential and sensitive information traversing networks on a daily basis, regulatory bodies and business executives have turned their concerns to ensuring messaging is protected from unauthorized viewing. Regulations such as Sarbanes-Oxley (SOX), PCI, HIPAA, GLBA and others have been introduced to mandate that email messages containing sensitive or confidential data are handled securely.

Email encryption has emerged as a vital aspect of an overall email security solution to secure confidential data and yet continue to allow the free flow of communications between colleagues, customers, and partners.

7 Ways Smart Phones are as Smart as the User

Whether based on Symbian, Palm, or Windows CE, smartphones are ripe for compromise and data security issues. Yes, these operating systems incorporate some built-in security measures, and third-party products can fill many of the gaps. But our biggest smartphone security challenges are perception and user behavior. Simply put, most of us fail to treat smartphones as computing assets that require business-grade data security measures.

  1. Lost Smartphones. According to a poll by FusionOne (now Synchronoss), 43 percent of mobile subscribers experience phone damage, loss, or theft. At LAX airport alone, 400 lost phones are found each month. Most businesses routinely back up servers and desktops, but few treat data stored on smartphones with similar care. A whopping 87 percent of those who lost phones had to manually re-enter their data, and 31 percent lost data stored nowhere else.
  2. Theft of Service. Stolen cellphones have long been used to place unauthorized calls, creating a huge black market. According to the Australian Mobile Telecommunication Association, GSM carriers in that country have spent over $7M on technology to block calls placed using stolen International Mobile Equipment Identity (IMEI) numbers. But countermeasures like this depend on users to notice and report loss quickly.
  3. Theft of Proprietary Data. Gartner estimates that each unrecovered PDA or phone used for business costs the employer $2,500. This shocking number represents the value of compromised proprietary data. Here again, users who wouldn’t think of carrying an unlocked laptop routinely carry unlocked smartphones. Why? PIN-locking an oft-used phone is a hassle, and even well-intentioned users can forget to lock their phone. Smartphones raise the stakes because they house more sensitive business data, including e-mail, corporate logins/passwords, meeting notes, sales orders, and customer contacts.
  4. Smartphone Compromise. Smartphones have long been a backdoor for desktop infection, propagating Win32 viruses through synchronization and e-mail. But few attacks had been written specifically for smartphones — until now. WinCE Brador-A and Symbian Mosquitos trojans released a while back show how carelessness breeds insecurity. Mosquitos, a hacked version of a legitimate game, racks up charges by silently sending text messages to a premium rate number. Many smartphone users download games, skins, ringtones, music, images, and video clips with little regard as to file source or authenticity. Executing downloaded files on phones that almost always lack on-board virus protection compounds risk.
  5. Bluetooth Exploits. Many smartphones — especially those running Symbian — sport built-in Bluetooth. Bluetooth can be used productively to connect wireless headsets, share content with peers, and synchronize with desktops. But it can also be used by attacks, like the Cabir proof-of-concept worm released not long ago. Worse, the WIDCOMM Bluetooth SDK used by many smartphones has an unpatched buffer overflow vulnerability that permits running arbitrary code on any nearby Bluetooth-capable device. Add these recent developments to previously-documented attacks like Bluejacking and Bluesnarfing, and you have ample motivation to disable Bluetooth on your smartphone.
  6. Mobile Messaging Attacks. Smartphones support popular mobile messaging services like SMS (text) and MMS (multimedia). These services can be associated with fees per message sent/received or when messages exceed a prepaid limit. Attacking a smartphone by flooding it with unsolicited messages is an obvious attack. On a smartphone with short messaging or Internet data, overage charges can accumulate quickly. More subtle attacks include sniffing unencrypted SMS, using MMS to deliver malware executables, and using SMS trigger messages to DOS-attack, unlock, or wipe infected smartphones.
  7. Unprotected E-mail. According to InfoWorld, e-mail is by far the most popular mobile business application, used twice as often as the second place app, Sales Force Automation (SFA). Smartphones are typically supplied with cleartext POP mail accounts and familiar e-mail clients like Pocket Outlook. Naive road warriors who lack IT support for smartphones often forward urgent business mail over POP, risking exposure in transit — you can see this happen at just about any Wi-Fi hotspot. Enterprises are more likely to safeguard mobile e-mail using RIM on Blackberry phones or GoodLink on Palm and WinCE phones. But risks still persist, as shown not long ago when a former Morgan Stanley VP sold his Blackberry on eBay without first shredding stored corporate e-mail.

Smart phones, if you want to call them that, are here to stay, but let’s all be smart about data security and protection as we handle corporate information and data. There’s a lot at stake!

The Data Security Threat to Every Organization

Any time data is set into motion – accessed in an unconventional way, forwarded to a co‐worker, sent to a printer, etc. – data security is put at risk. Managing (and controlling) data‐in‐motion is a requirement for businesses to function effectively and efficiently. At the same time, it is also a growing data security threat that requires proactive data loss prevention solutions.

Data loss (or leakage) occurs in every organization either unintentionally or maliciously. In fact, according to the Ponemon Institute, 3 out of 5 organizations have experienced a data loss or theft event, and approximately 9 out of 10 data loss or theft events go unreported.

In addition, all types of data are vulnerable. Why? More and more employees rely on email for business communications and they use email as a central filing system where they store the bulk of their critical business information. This dramatically increases the probability of leaking sensitive or confidential data. All it takes is for a recipient’s email address to be misspelled or an incorrect key to be pressed by an employee and a message containing confidential information ends up in the wrong hands. All of us can relate.

At some point or another, we have all pressed the send button a little too hastily and realized, after the fact, that our email ended up in an unintended recipient’s inbox. Advances in technology make this kind of inadvertent data loss even easier. For example, Microsoft Outlook’s autocomplete feature for email addresses adds great convenience to our email experience, but if you start typing “susan@bigtaxfirm.com” and the system picks up the first “susan” as “susan@analystfirm.com” without you noticing, data can end up in the wrong hands and could have a detrimental effect on your business.
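The autocomplete failure mode just described can be caught at the gateway before the message leaves. Below is an added example, not WatchGuard code, of a recipient-sanity check that an outbound DLP policy might run: it flags a recipient whose mailbox name matches a known contact at a different domain (the two "susan" addresses), a recipient the organization has never mailed, and a lone recipient whose domain differs from every other external recipient on the message. The contact list, internal domain and To: header are constructed for the example.

```python
"""Outbound recipient-sanity check for the misdirected-mail failure mode.
Added example, not WatchGuard code. Contacts, domains and headers are constructed."""
from collections import Counter
from email.utils import getaddresses

# Constructed address book: external contacts this organization has mailed before.
KNOWN_CONTACTS = {"susan@bigtaxfirm.com", "susan@analystfirm.com", "pat@bigtaxfirm.com"}
# Constructed set of the organization's own domains; internal recipients are not checked.
INTERNAL_DOMAINS = {"example.com"}


def split_address(addr: str):
    """'Susan@BigTaxFirm.com' -> ('susan', 'bigtaxfirm.com')."""
    local, _, domain = addr.lower().rpartition("@")
    return local, domain


def misdirection_warnings(to_header: str) -> list:
    """Return human-readable warnings for a raw To: header value, one per suspect recipient."""
    recipients = [a.lower() for _, a in getaddresses([to_header]) if a]
    external = [a for a in recipients if split_address(a)[1] not in INTERNAL_DOMAINS]
    warnings = []

    for addr in external:
        local, domain = split_address(addr)
        # Same mailbox name as a known contact, but a different domain: the classic
        # autocomplete mix-up ("susan@" resolved to the wrong organisation).
        twins = sorted(c for c in KNOWN_CONTACTS
                       if split_address(c) != (local, domain) and split_address(c)[0] == local)
        if twins:
            warnings.append(f"{addr}: same mailbox name as known contact(s) {twins}")
        if addr not in KNOWN_CONTACTS:
            warnings.append(f"{addr}: never mailed before")

    # Odd one out: several recipients share an external domain, one does not.
    domain_counts = Counter(split_address(a)[1] for a in external)
    majority = sorted(d for d, n in domain_counts.items() if n >= 2)
    if majority:
        for addr in external:
            if domain_counts[split_address(addr)[1]] == 1:
                warnings.append(f"{addr}: only recipient outside {majority}")
    return warnings


def should_hold_for_review(to_header: str) -> bool:
    """Policy decision: hold the message in the outbound queue if anything looks wrong."""
    return bool(misdirection_warnings(to_header))


if __name__ == "__main__":
    # Constructed header: the sender meant susan@bigtaxfirm.com, autocomplete picked the other Susan.
    for w in misdirection_warnings("susan@analystfirm.com, pat@bigtaxfirm.com, Ann <ann@bigtaxfirm.com>"):
        print(w)
```

A header that only contains known contacts at one external domain produces no warnings, so the check is quiet in the normal case; in the sample, the mis-addressed Susan is flagged twice (name collision and odd domain out) and the new address once, which is enough signal for a gateway to hold the message or prompt the sender.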

Data loss can be attributed to many factors, such as computer loss or theft, hacking, malware, and network exposure, and many of these causes can be avoided. To prevent data loss, an organization needs a comprehensive data loss prevention solution that not only protects its networks from inbound threats to data, but also applies outbound measures to prevent confidential consumer, personal, and sensitive corporate information from leaving the organization.

So what’s the Cost of a Data Breach?

Data loss becomes a significant problem and risk as organizations are trying to meet and manage regulatory and internal compliance and control requirements, including:

  • Government & Industry Compliance Regulations: e.g. HIPAA, PCI, GLBA, SOX, etc.
  • Internal Policies: C‐level rules, sensitive and confidential information
  • Acceptable Use: HR policies, sexual harassment and legal violations that can occur in messaging
  • Intellectual Property: Trade secrets, sales reports, financial statements, sales or business plans, etc.

Getting caught losing sensitive data is expensive, disruptive, and damaging to carefully nurtured corporate images. There are significant hard costs to non‐compliance in mitigation and remediation for affected individuals, auditors and board members, not to mention regulatory fines and fees to support increased audits. Often unappreciated, however, are the soft costs to brand equity and competitive advantage, which result in lost customers. Enterprises are penalized in both the court of law and the court of public opinion.

If sensitive information is exposed, it’s not only the millions of dollars to fix that breach that costs the company, it can wreak havoc on the company in other ways, such as:

  • Negative PR
  • Brand erosion
  • Loss of consumer confidence
  • Loss of business partner confidence
  • Regulatory fines
  • Stock market loss
  • Legal fees
  • Implementation of internal processes

Whether your data loss is accidental or malicious, you need to gain insight into the magnitude of your data loss problem, identify security gaps, and develop a proactive approach to prevent data loss before it happens. The vast amount of potential avenues along with the wide array of privacy and security requirements has escalated data loss prevention to become a critical issue that can only be addressed by comprehensive data loss prevention tools that are used to accelerate business, protect your organization, and ensure privacy. Organizations can no longer afford to ignore data security. The day when the fall‐out from one data loss incident is sufficient to bankrupt a business may not be far away. Don’t let it be yours!