We’ve been closely following all the revelations about the recent massive credit card breach at Target stores in the U.S., which was soon followed by news of credit card theft from Neiman Marcus and Michael’s stores. Corey Nachreiner has done a great job of summarizing the chain of events in a recent blog post.
It is likely that all of the affected retailers (Target, Michael’s, and Neiman Marcus) had passed their PCI compliance audits. But malware was used to scrape credit card data from the RAM of the Point of Sale (POS) systems, and it looks like the attackers broke into Target’s IT infrastructure using stolen third-party vendor credentials. The net result is that consumer confidence in the safety of credit card data is probably even lower today than it was back in 2004, when the PCI standard was first introduced. In the wake of these breaches, many people, including Gartner analysts, have been asking whether the PCI standard is worthwhile.
PCI is not a panacea for all credit card loss. It is a basic set of security controls that codifies common-sense security practices. Compliance is not security. Passing an annual audit for the PCI standard does not guarantee the safety of your customers’ data, much like getting a driver’s license does not mean that you will never crash a car. You need to remain vigilant at all times.
It is debatable whether the standard is adapting fast enough, but it is still important for affected security pros to stay current with the latest updates. To help you, WatchGuard has just finished a new webinar on credit card security and the updates to PCI DSS 3.0 titled, “Closed to Risk, Open for Business.”
PCI DSS is a fairly mature standard now. Most of the changes in PCI DSS version 3.0, which was published in November 2013 and took effect in January, are in place to clear up any points of confusion between QSAs and the companies that they audit.
In fact, 62 of the listed changes are Clarifications, another 5 are Additional Guidance, and 19 are more significant updates that fall into the category of Evolving Requirements. The Evolving Requirements are probably the most significant, and some of the key new areas of emphasis include:
To find out more details about PCI DSS and what’s new in version 3.0, you can watch the full WatchGuard webinar here.
You can’t protect what you don’t know needs to be protected.
This may sound painfully obvious, but recent research shows that information security professionals do not have nearly enough visibility into the information they are tasked with securing. We know this because we worked directly with Frost & Sullivan researchers to determine the level of insight security professionals have into their data systems.
We presented the results in a webinar with Frost & Sullivan Principal Consultant Jarad Carleton. You can view the full webinar now to get the details on just how important visibility is to defending your data.
Defense in depth is important, but multiple systems with multiple dashboards increase the burden on overtaxed InfoSec professionals. When information is distributed across systems and servers that house a business’s lifeline, with no way to connect them, the risk of a hack or exposure through a vulnerability can go unmitigated. Frost & Sullivan’s research shows that only 15 percent of IT spend is funneled toward detecting an intrusion or compromise.
Businesses assume that by erecting a fence around their data, they are protected. But consider the fence around your data to be like the fence around 100,000 acres of rangeland. If cows start to disappear, finding the hole they’re escaping from can be a monumental task unless you have systems in place to detect those weak points. It’s no different in information security. If a leak happens with your data, you will only find out when it’s too late and your intellectual property or customer data has been exposed.
The webinar is an important lesson in how products like WatchGuard Dimension can offer visibility into incoming threats, attack vectors and vulnerabilities to exposure, as well as how to protect your business from dangerous viruses like CryptoLocker.
WatchGuard Dimension is capable of analyzing your network’s inbound and outbound traffic in real time. It offers visibility into bandwidth usage, application control and other vital information, not only for protecting your data but also for detecting potential data exposure.
The webinar recording features a live demonstration of how WatchGuard Dimension can actively identify the signatures of CryptoLocker. CryptoLocker is a form of ransomware that is quickly spreading across the Internet through phishing and social engineering attacks. It encrypts the data on a computer’s hard drive and only offers the decryption key if the computer owner pays a significant fee.
Because of WatchGuard’s best-of-breed approach, our collaboration with key antivirus providers not only enables our customers to prevent the virus from taking root on a computer, but also gives administrators the ability to identify at-risk users and targets so they can prevent them from falling victim to an attack.
We invite you to watch the recorded webinar now and learn how greater network visibility will enable you to protect your users and your data better. And, if you’re ready to try out WatchGuard Dimension, let us know now.
As the global economy continues to unify, global demand for flights rose 7.5 percent in August compared to last year. As more travelers take to the air, the need for airlines to be aligned on compliance issues and international standards continues to grow.
This is why ACS Aviation Solutions has experienced tremendous growth. Along with that growth has come tremendous demand on its network that supports a global, remote staff of 70 field workers, analysts and consultants. ACS runs an enterprise-grade IT infrastructure and needed bulletproof security, powerful centralized management, and fail-over capability for always-on high performance.
It found that solution in WatchGuard’s XTM unified threat management (UTM) platform. ACS deployed XTM appliances across its global offices to support its staff. ACS needed a solution that was secure for employees, but that also gave its customers access to highly sensitive documents and reports. Given the nature of ACS’ work, all data is highly confidential and security is paramount, as it routinely communicates with global regulatory bodies. Additionally, it needed the failover that large enterprises expect from a unified threat management system.
In fact, the WatchGuard system was quickly put to the test after being implemented. The domain controller in ACS’ Dublin office went down due to a hardware interruption. Because the server was not available, Dublin traffic was rerouted through Melbourne, enabling all staff to log on and operate as normal with no downtime.
ACS plans to begin using WatchGuard’s UTM platform to manage VPN connections for remote users, ensuring validation of connections occurs at the firewall, rather than in the server. This is like a doorman who asks visitors to wait outside while he checks their credentials, rather than first inviting the stranger in. The upshot is that traffic is validated between the firewall and the server, rather than between the server and the user. It’s an important distinction as it provides yet another layer of protection for the network.
Since implementing WatchGuard’s UTM platform, ACS has enjoyed the benefits of a secure network that hosts the company intranet, supports collaboration through easy document sharing, and provides reliable, robust disaster recovery capability.
WatchGuard XTM is a great fit for any business and our extensive lineup of appliances means that there is one that fits your needs. If you’re ready to learn how WatchGuard can fit into your business, learn more about WatchGuard now. You can also read the full details of the case study here.
Email encryption policies can be extremely granular and, once defined, applied automatically at the gateway. This ensures email encryption and email privacy is handled consistently, and eliminates the risk of user error by removing the need for senders to make decisions as to whether or not to secure an email and its content.
When encryption is enabled, you can use policy and content filtering features in your email security solution (in our case the XCS family of email security appliances) to scan for specific patterns in email messages that indicate the message must be encrypted, including:
For example, you can create a Pattern Filter to search for the word “[Encrypt]” in the subject field of a message. An end user can add this phrase to their message subject header to indicate the message must be encrypted before it is delivered.
Policies can be set to encrypt messages based on header, subject line, sender, recipient, content, attachments, and many other attributes of an email message, including:
Based on the growing volumes of confidential and sensitive information traversing networks on a daily basis, regulatory bodies and business executives have turned their concerns to ensuring messaging is protected from unauthorized viewing. Regulations such as Sarbanes-Oxley (SOX), PCI, HIPAA, GLBA and others have been introduced to mandate that email messages containing sensitive or confidential data are handled securely.
Email encryption has emerged as a vital aspect of an overall email security solution to secure confidential data and yet continue to allow the free flow of communications between colleagues, customers, and partners.
Whether based on Symbian, Palm, or Windows CE, smartphones are ripe for compromise and data security issues. Yes, these operating systems incorporate some built-in security measures, and third-party products can fill many of the gaps. But our biggest smartphone security challenges are perception and user behavior. Simply put, most of us fail to treat smartphones as computing assets that require business-grade data security measures.
Smartphones, if you want to call them that, are here to stay, but let’s all be smart about data security and protection as we handle corporate information and data. There’s a lot at stake!
Any time data is set into motion – accessed in an unconventional way, forwarded to a co-worker, sent to a printer, etc. – data security is put at risk. Managing (and controlling) data-in-motion is a requirement for businesses to function effectively and efficiently. At the same time, it is also a growing data security threat that requires proactive data loss prevention solutions.
Data loss (or leakage) occurs in every organization either unintentionally or maliciously. In fact, according to the Ponemon Institute, 3 out of 5 organizations have experienced a data loss or theft event, and approximately 9 out of 10 data loss or theft events go unreported.
In addition, all types of data are vulnerable. Why? More and more employees rely on email for business communications and they use email as a central filing system where they store the bulk of their critical business information. This dramatically increases the probability of leaking sensitive or confidential data. All it takes is for a recipient’s email address to be misspelled or an incorrect key to be pressed by an employee and a message containing confidential information ends up in the wrong hands. All of us can relate.
At some point or another, we have all pressed the send button a little too hastily and realized, after the fact, that our email ended up in an unintended recipient’s inbox. In addition, advances in technology make it even easier for this inadvertent data loss to occur. For example, Microsoft Outlook’s Autocomplete Email Address feature adds great convenience to our email experience, but if you start typing “firstname.lastname@example.org” and the system automatically picks the first “susan” as “email@example.com” without you noticing, that data can end up in the wrong hands and could have a detrimental effect on your business.
Data loss can be attributed to many factors, such as computer loss or theft, hacking, malware, network exposure, and more, and many of these causes of data loss can be avoided. To prevent data loss, an organization needs a comprehensive data loss prevention solution in place that not only protects networks from inbound threats to data, but also addresses outbound data loss prevention, so that confidential consumer, personal, and sensitive corporate information cannot leave the organization.
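The gateway-side policy described in the email encryption section above (a Pattern Filter on an “[Encrypt]” subject tag, plus rules on headers, sender, recipient, content and attachments) and the outbound data loss prevention just discussed come down to the same mechanism: the gateway inspects every outgoing message against a set of rules and decides what to do with it before it leaves. The following Python sketch is an added example, not WatchGuard code or XCS policy syntax. It parses a message with the standard library, applies a constructed policy, and returns one of three actions: deliver, encrypt, or quarantine for review when card numbers are headed to a domain that is not an approved partner (the Outlook autocomplete scenario above). The domain names, the `X-Classification` header, the attachment name patterns and the sample messages are all assumptions.

```python
import re
from email.message import EmailMessage

# Constructed policy values (hypothetical; not a real XCS configuration).
INTERNAL_DOMAIN = "example.com"
PARTNER_DOMAINS = {"partner.example.net"}   # external domains approved to receive encrypted PAN data
SUBJECT_TAG = "[Encrypt]"                    # the user-added tag from the Pattern Filter example
CLASSIFICATION_HEADER = "X-Classification"   # assumed header a mail client or plugin might set
SENSITIVE_ATTACHMENT_RE = re.compile(r"(?i)(payroll|contract|ssn).*\.(xlsx?|pdf|csv)$")
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out most random digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid 13-19 digit sequences found in the text (spaces/dashes tolerated)."""
    found = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def evaluate_outbound(msg: EmailMessage) -> dict:
    """Apply the constructed gateway policy to one outbound message."""
    reasons = []
    recipients = [a.strip().lower() for h in ("To", "Cc", "Bcc")
                  for a in (msg.get(h) or "").split(",") if a.strip()]
    external = [r for r in recipients if not r.endswith("@" + INTERNAL_DOMAIN)]

    # Rule 1: explicit user request via the subject tag.
    if SUBJECT_TAG.lower() in (msg.get("Subject") or "").lower():
        reasons.append("subject-tag")
    # Rule 2: classification header set by the sending system.
    if (msg.get(CLASSIFICATION_HEADER) or "").lower() == "confidential":
        reasons.append("classification-header")
    # Rule 3 and 4: content scan of text parts and attachment names.
    body_text, attachments = "", []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename() or "")
        elif part.get_content_type() == "text/plain":
            body_text += part.get_content()
    cards = find_card_numbers(body_text)
    if cards:
        reasons.append("card-number:%d" % len(cards))
    if any(SENSITIVE_ATTACHMENT_RE.search(a) for a in attachments):
        reasons.append("sensitive-attachment")

    if not reasons:
        return {"action": "deliver", "reasons": [], "external": external}
    # Card data to an external domain that is not an approved partner is held for
    # human review rather than silently encrypted and delivered (misdirection case).
    unapproved = [r for r in external if r.split("@", 1)[1] not in PARTNER_DOMAINS]
    action = "quarantine" if cards and unapproved else "encrypt"
    return {"action": action, "reasons": reasons, "external": external}


def build_message(subject, to, body, attachment_name=None, classification=None):
    """Construct a sample outbound message (test data only)."""
    msg = EmailMessage()
    msg["From"] = "alice@" + INTERNAL_DOMAIN
    msg["To"] = to
    msg["Subject"] = subject
    if classification:
        msg[CLASSIFICATION_HEADER] = classification
    msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                           subtype="pdf", filename=attachment_name)
    return msg


if __name__ == "__main__":
    samples = [
        build_message("[Encrypt] Q1 numbers", "bob@example.com", "See attached."),
        build_message("Lunch?", "carol@example.com", "Tuesday works for me."),
        build_message("Card on file", "sue@partner.example.net", "Card: 4111 1111 1111 1111"),
        build_message("Card on file", "susan@gmail.example", "Card: 4111 1111 1111 1111"),
        build_message("Report", "sue@partner.example.net", "FYI", attachment_name="payroll_q1.pdf"),
    ]
    for m in samples:
        print(m["Subject"], "->", m["To"], evaluate_outbound(m))
```

The decision table is deliberately small; a real gateway would add sender-based rules, regular expressions for other identifiers, and rate limits on how many card numbers one message may carry. The important design point is the one the text makes: the sender never has to decide, the same rule fires for every message, and the misdirected-recipient case is caught before delivery rather than discovered afterwards.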
So what’s the Cost of a Data Breach?
Data loss becomes a significant problem and risk as organizations are trying to meet and manage regulatory and internal compliance and control requirements, including:
Getting caught losing sensitive data is expensive, disruptive, and damaging to carefully nurtured corporate images. There are significant hard costs to non-compliance: mitigation, remediation for affected individuals, the demands of auditors and board members, regulatory fines, and fees to support increased audits. Often unappreciated, however, are the soft costs to brand equity and competitive advantage, which result in lost customers. Enterprises are penalized in both the court of law and the court of public opinion.
If sensitive information is exposed, it’s not only the millions of dollars to fix that breach that costs the company, it can wreak havoc on the company in other ways, such as:
Whether your data loss is accidental or malicious, you need to gain insight into the magnitude of your data loss problem, identify security gaps, and develop a proactive approach to prevent data loss before it happens. The vast number of potential avenues, along with the wide array of privacy and security requirements, has escalated data loss prevention into a critical issue that can only be addressed by comprehensive data loss prevention tools that accelerate business, protect your organization, and ensure privacy. Organizations can no longer afford to ignore data security. The day when the fall-out from one data loss incident is sufficient to bankrupt a business may not be far away. Don’t let it be yours!