Friday, 29 July 2011

What’s next? Constant Reinvention.

What’s next? I was inspired to consider this question today after reading John D. Halamka’s blog entry on Life as a Healthcare CIO.
If you’re not familiar with his work, John Halamka, MD, MS, is Chief Information Officer of Beth Israel Deaconess Medical Center, Chief Information Officer at Harvard Medical School, Chairman of the New England Healthcare Exchange Network (NEHEN), Co-Chair of the HIT Standards Committee, a full Professor at Harvard Medical School, and a practicing Emergency Physician. He is also a long-time Accellion customer and has implemented Accellion’s secure file sharing at both BIDMC and Harvard Medical School. You can read more about his implementation of Accellion in this eWeek article.
Given the scope of his career, it seems like he must ask himself the “What’s Next?” question a lot. On his blog he answers it. What’s next? Constant Reinvention. He recently announced he is going to step down as CIO of Harvard Medical School, help them find a full-time replacement for the role and embrace the next reinvention of his career. About the next phase of his career he states:
It’s July of 2011… and I feel powerful forces are aligning to create a quantum leap forward in electronic health records and health information exchange technology.
We think he’s right. Healthcare organizations are struggling with the growing use of mobile devices and unmanaged Dropbox-type solutions in their enterprise and need to secure, manage and audit the mobile sharing of electronic health records, research and other Protected Health Information (PHI). They know this problem puts the organization at risk for non-compliance with HIPAA and HITECH. The organization could also run the risk of a serious data breach, making news headlines, and incurring hefty regulatory fines.
Accellion’s healthcare customers tend to be more savvy than most and care about offering their staff easy to use file sharing and collaboration applications while still securing and managing sensitive patient and research data.
Accellion is constantly introducing new products and features, and the market continues to have new problems to solve – unmanaged Dropbox-type of solutions in the enterprise, proliferation of new mobile devices. Asking “What’s Next?” helps us all to thrive and innovate.
So, thanks John for providing today’s inspiration and we wish you luck for your next reinvention.

by Janine Kromhout

Top Endpoint Security Stories for July 2011: New cybersecurity plans, breaches, platforms and arrests…

In response to increasing cyber threats targeting the U.S. government, defense contractors and the nation’s critical infrastructure, the Department of Defense released its new strategy for protecting our nation’s systems and networks from cyber attacks. While it’s a nice first step, many critics are wondering if the government can actually pull it off. In the same vein, the shift to virtualization has many businesses re-thinking their existing security approaches. Will virtualization mark the end of traditional host-based antivirus solutions as we know them? Here are some of the top endpoint security stories for July 2011.

DoD’s cybersecurity plan creates more questions than answers

In July, the Department of Defense released its new strategy for operating in cyberspace, and how it plans to protect our nation’s computer systems and networks from cyber attacks. The plan includes a number of initiatives such as treating cyberspace as a domain it defends (with land, air, sea and space), introducing new network defenses to detect and stop malicious code, coordinating with the private sector, and working with other countries. However, according to the article “Critics: U.S. cyber security plan has holes, few new items,” the document has many analysts, like Rich Mogull of Securosis, wondering if the DoD can pull it off.
“Some of these things have been written about for years. The real challenge is, are they going to actually execute this?”
While Mogull is glad to see the government is finally getting serious about improving cyber defenses, he doesn’t see anything in the new plan that the DoD isn’t already working on. For example, the government has been talking about establishing partnerships with the private industry and international community for years now. Why hasn’t this already been done? But while critics may agree developing a strategy is a good first step, achieving the initiatives is paramount to securing our nation and critical infrastructure from more dangerous, harmful cyber attacks.

Shift to virtualized environments shaking up security practices

As more and more businesses move to virtualized computing environments, they’re quickly learning that the shift to server virtualization is creating a number of new security challenges. For companies that are beyond the halfway mark of operating a 100% virtualized environment, some of the top security concerns include access control, data encryption, monitoring virtual network traffic, and improving threat detection and rogue-device identification.
Along with a heightened security awareness, many organizations agree they need to re-evaluate their existing strategies and look at new security approaches that will adequately protect their virtualized environments without impacting the availability and performance of their systems. Either way you look at it, today’s infrastructures are changing fast. Organizations moving to virtualized environments need to adapt their security programs and policies to accommodate virtualization.

Will virtualization mark the end of host-based antivirus software?

In a related story, organizations are finding that traditional host-based anti-malware is not as effective as it was in the pre-virtualized era because the main problems they face are coming from Web-based malware. According to the article, “Is hosted-based antivirus software losing luster?” companies are choosing not to run antivirus software in their virtualized environments because it’s no longer useful in detecting malware and can disrupt application performance, said Johnny Hernandez, VP of information security at PrimeLending.
“Today, we don’t run A/V in the current virtualization environment because it does have an impact on the back-end and system utilization.”
More telling is the fact that IT folks like Albert Gore, director of information technology operations at the John F. Kennedy Center for the Performing Arts in Washington, D.C., doubt that most desktop antivirus software can even stop malicious code that is being unintentionally passed from employees to contractors to partners and others over the Web.

Hackers target intelligence contractors

The recent cyber attacks against Lockheed Martin and Booz Allen have shown that hackers are actively trying to steal classified government data by way of the computer networks of U.S. defense contractors.
According to the article “Hackers target intelligence agency contractors,” cyber criminals sent emails with malicious software to employees of contractors that work for U.S. government agencies. The spear phishing attacks contained personal information designed to deceive the highly targeted victims into clicking on infected links within the corrupt email. Once the software was installed on a computer, it downloaded payloads that enabled criminals to control a victim’s computer, access sensitive data and communicate with hackers.
Because the attacks target specific government contractors, experts say they are likely distributed and carried out by foreign actors, who persistently target multiple individuals to penetrate the network. To counter such attacks, government agencies and contractors need to push security standards across all endpoints within their networks and beyond the walls of their own defenses. Otherwise, their sensitive and proprietary information is only as safe as their partners’ vulnerabilities.

FBI arrests 14 alleged Anonymous members

As part of an international effort to crack down on cybercrime, the FBI conducted more than a dozen raids across the U.S. in July that resulted in the arrests of 14 members of the notorious hacker group, Anonymous, which has claimed responsibility for multiple high-profile online attacks including the Internal Affairs and PayPal websites.
This is the latest in a number of international arrests that have shaken up the cybercrime underworld. A handful of others have been arrested in the UK and the Netherlands for alleged related cyber attacks, including an individual connected to attacks carried out by the theoretically disbanded hacktivist organization, LulzSec.
The ongoing cybercrime investigations are part of a concerted effort by multiple international, federal and domestic law enforcement agencies who are working together to stop coordinated cyber attacks targeting major companies and organizations.
I appreciate your interest in reading our blog and encourage you to provide comments and your unique perspective on the biggest stories in the security industry.

by JT Keating

Tuesday, 26 July 2011

Employee Spotlight — Sooying talks about Product Development and life in Singapore

In the second installment of our employee spotlight, we chat with Sooying, our software architect based out of our Singapore office. Sooying is not only an experienced engineer who has helped create award-winning Accellion products for the past eleven years, but also a devoted mother and an avid baker. Sooying has one of the longest tenures at Accellion!

1. What do you do at Accellion?
I am a software architect at Accellion. I am currently involved in the Accellion Secure Collaboration project where I am part of a team that designs and architects the product, UI, and database. I research and decide the tools and libraries to use. Part of my responsibility is also ensuring that the front end and back end systems work together. I work on the logic behind the work-flow in the secure collaboration process.
In addition to building the product, I also manage a team of highly skilled engineers to get the design implemented.
I have been involved in the design and implementation of the product since its inception. Furthermore, I am responsible for ensuring the version compatibility and evolution of the application features for our 1,200 enterprise customers, some of which have been Accellion customers for as long as 8 years.

2. How long have you been here?
I have been at Accellion for 11 years, since May 2000.

3. What led you to work at Accellion?
This was my first job out of college. I joined the company because it seemed like it would be an interesting challenge. I wanted a role where I could learn things and have a chance to expand my responsibilities over time. Smaller companies give new graduates a chance to work on many projects and broaden their skill-set quickly.
Other companies that I applied to were larger and the scope of my job would have been quite narrow.

4. What’s your favorite part of working here?
A couple of things make working at Accellion great.
There is a strong degree of trust. We have a very good manager who gives us sufficient freedom to use our expertise to build the product.
I have two kids and there is great work/life balance at Accellion. Like other working mothers, I am always juggling between being a good engineer and a good mother.
Also, a few of my colleagues have been here for a long time, too. We get along very well and complement each other. That is so important for us.

5. How did you get into engineering? Is this something you always wanted to do? Was there someone in particular that influenced your choice of career?

I come from a very big family – one of eight kids from Selangor, Malaysia. None of my family had an interest in IT. However, I have always been very logical and methodological. I like to deal with facts. I chose the science path when I was in high school. In Malaysia that usually means a career in engineering or the medical fields.
I went on to study multi-media and programming at Technology University Malaysia. I enjoy doing programming as computers always follow a set of pre-defined instructions. Whenever there’s a bug, thinking logically, I’m able to narrow down the piece of code in question and solve the problem.

6. What brought you to Singapore?
When I graduated from college, the region was going through the dot com boom. I looked for a job in Singapore since my husband had already started working in Singapore a year before I graduated. I met my husband at university.

7. What’s life like in Singapore?
I like Singapore. Singapore is governed very efficiently which makes sure everything works like a clock. Everything works as it should and the crime rate is very low. You actually feel quite safe walking alone at 3AM in the morning.
The education system here is quite good.
Singapore is an island full of foreign talents. It’s very diverse.

8. What do you do when you’re not building products?
I spend my time outside of work with my family. I love baking with my daughter who is four and a half years old. We like to make butter cookies. I have a five-and-a-half-year-old son as well. Most of my free time is focused on my kids and making sure they are raised well.
Thanks Sooying for sharing your background with us. There is a lot of thought that goes into all of Accellion’s products.

by Nina Seth

10 Things You Don’t Know about Virtualization Security…

When it comes to virtualization security, there are many things that people don’t even know are problems, or don’t even know they need to address. In our recent webinar, “10 Things You Don’t Know about Virtualization Security”, IANS faculty member and Voodoo Security founder, Dave Shackleford, and CoreTrace’s CTO and founder, Dan Teal, provided their unique perspectives on things that often get left out of the picture when securing a virtual environment, and examples of how the scale of virtualization can blindside an organization before they even know what hit them.
Some of the issues they explored include:
    1. You have more virtual systems than you know: Virtual sprawl is the ability to rapidly provision systems. However, it can also increase vulnerabilities such as unknown systems that aren’t properly patched or kept up with from a configuration or security standpoint. Understanding everything in your environment is a major problem in the virtual world. It’s really all about inventory, and keeping up with systems and making sure you’ve got change management in place.

    2. You aren’t leveraging virtualization for security: Virtualization is like a double-edged sword from a security and operational efficiency perspective. On one side, virtualization gives an organization the ability to tighten and standardize everything in an environment, making sure it is all being kept up to date. On the flip side, if the foundations aren’t in place from the start things like change management can go completely off track.
    3. You need more visibility: In the virtual world, you have to keep tabs on everything in your physical and virtual environments. Monitoring virtual network traffic, particularly between VMs, can be difficult. In order to understand everything that’s running in a virtualized environment, organizations need to take a step back and look at what their entire security looks like. Visibility is critical to making sure you know the condition of all your systems and servers, and that they are being fully utilized.
    4. All eggs are in one basket: Dumping the responsibility of running and maintaining virtualized platforms onto one group is a frightening picture, not to mention a step backwards in the concept of separation of duties. While nobody wants one group to have this type of control over their infrastructure, that’s exactly what’s happening with most of these virtualized platforms. What you want is very specific rules within an organization so each group can maintain their own areas.
    5. You’re back to 1997 for network security: The reality of virtual environments is you don’t get in-depth security capabilities out-of-the-box with any virtual solution. Often times, you find yourself relying on VLANs for security because that’s all you’ve got. As far as security is concerned, that’s like stepping back into 1997 for network security, and that’s no place you want to be. To meet your security and policy requirements, you need to think about your existing physical infrastructure and try to match that inside your virtual environment.
    6. Your existing security programs are probably not adapted for virtualization: Most security programs need to adapt a bit to accommodate virtualization. Evaluating where virtualization affects security operations and creating policies that address virtual systems or include virtualization in existing policies is a good place to start. While things are going to vary from organization to organization, the fact is infrastructures are changing, which makes it worthwhile to move ahead and adapt like everyone else.
    7. Your auditors probably don’t know what’s going on: Most auditors are not comfortable with virtualization technology. They generally don’t understand the fundamental concepts of virtualization and how everything impacts different data classification levels and compliance data versus non-compliance data. Part of the education process includes making sure all internal audit teams understand all of the controls that are inherently available within the platforms and tools that are already in place.
    8. Storage is a huge security hole: Storage is fundamental to virtualization deployment. Unfortunately, security and storage don’t often mingle in the same circles. Because there are typically no strong access control mechanisms in place with most storage deployments, which can create flaws in the virtualization platform, it’s now critical that organizations implement a defense-in-depth strategy in the storage infrastructure for protecting their virtual environments.
    9. Virtualization software DOES have vulnerabilities: No system is perfect. Even for virtualization software, exploit POC code and malware attack toolkits are available for hackers to penetrate a virtual environment. The key is to keep up with what’s going on in the realm of virtualization and vulnerabilities, which are constantly evolving and becoming more sophisticated every day.
    10. Availability is the new No. 1: While most security folks focus on confidentiality and integrity, virtualization architectures require availability to be a top priority for your business and operational teams. With a shared pool of resources relying on the availability of multiple systems, a different approach is needed. Organizations need to change the way they use traditional antivirus and anti-malware agents that are increasingly ineffective and consuming too many resources that impact day-to-day operations.
In order to succeed in the virtual world, there are lots of things to think about when it comes to security. The first step is to re-evaluate what you are doing today and figure out how your existing security processes can be re-worked to accommodate virtualization. This requires working with the virtualization and other IT teams to make sure you’ve carefully delineated the roles to better match what you’ve had in place to begin with. Also, making sure the storage infrastructure is secure should not get left out.
All in all, putting in place new tools that are a little more “virtualization conscious”, and that keep resource consumption top of mind, is critical to moving away from security tools that eat up resources. This is part of the reason why people are turning to application whitelisting and application control for virtual environments. With solutions like CoreTrace’s Bouncer application whitelisting, you’re not running virus scans that consume valuable resources on every virtual machine and result in poor performance and denial of service incidents. You have a sure list of what’s allowed to run and what’s not allowed to run.
While blacklisting is still useful for identifying known malware already on your endpoints, the fact is organizations are getting hit more than ever despite running the latest security sweeps from all the major vendors. Blacklisting simply cannot keep up anymore. Having total control of what is running on your box prevents the malware from executing. As your infrastructure changes with virtualization, you have to adapt for the long haul. This is why we believe application whitelisting and application control is the approach that’s needed to protect today’s rapidly changing virtual environments.

by JT Keating
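The difference between the two models discussed in the post above comes down to what happens to a file that is on neither list. The following is an added example, not code from the original post or from CoreTrace; the file names, the hash-based policy and all sample contents are constructed assumptions used only to show the default-allow versus default-deny behaviour.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(golden_dir):
    """Approve exactly the files present in a trusted 'golden image' directory."""
    return {sha256_file(p) for p in sorted(Path(golden_dir).iterdir()) if p.is_file()}


def blocklist_decision(digest, blocklist):
    """Default allow: only hashes already known to be bad are stopped."""
    return "deny" if digest in blocklist else "allow"


def allowlist_decision(digest, allowlist):
    """Default deny: only hashes that were explicitly approved may run."""
    return "allow" if digest in allowlist else "deny"


def evaluate(paths, allowlist, blocklist):
    """Return {file name: (blocklist verdict, allowlist verdict)}."""
    results = {}
    for path in paths:
        digest = sha256_file(path)
        results[path.name] = (
            blocklist_decision(digest, blocklist),
            allowlist_decision(digest, allowlist),
        )
    return results


def demo():
    """Build a constructed golden image and a constructed VM, then compare verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        golden = Path(tmp) / "golden"
        golden.mkdir()
        approved = b"constructed: approved binary v1"
        (golden / "backup_agent").write_bytes(approved)
        allowlist = build_allowlist(golden)

        # Constructed stand-in for a sample the blocklist vendor has already seen.
        known_bad = b"constructed: sample already known to the vendor"
        blocklist = {hashlib.sha256(known_bad).hexdigest()}

        vm = Path(tmp) / "vm"
        vm.mkdir()
        (vm / "backup_agent").write_bytes(approved)
        (vm / "known_bad").write_bytes(known_bad)
        # On neither list: the case the post says blacklisting cannot keep up with.
        (vm / "never_seen").write_bytes(b"constructed: new, unlisted binary")
        # An approved file that changed: denied until change management re-approves it.
        (vm / "backup_agent_patched").write_bytes(approved + b" + 1 byte")

        return evaluate(sorted(vm.iterdir()), allowlist, blocklist)


if __name__ == "__main__":
    for name, (by_blocklist, by_allowlist) in demo().items():
        print(f"{name:22} blocklist={by_blocklist:5} allowlist={by_allowlist}")
```

The last case is the operational cost of the model: every legitimate patch changes the hash, so the allowlist has to be updated as part of change management.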

Thursday, 21 July 2011

DoD Cyberspace Strategy: Is the DoD really ready to embrace new technologies & companies???

As a former Air Force information warfare officer, and a member of the military’s red and blue teams for many years, I believe the Department of Defense’s new “Strategy for Operating in Cyber-Space” is a small step towards developing a security plan for protecting our nation from cyber attacks. What leaves me a little perplexed, however, are the realities the DoD is up against in achieving the five strategic initiatives that have been outlined in the document.
As I was going through the plan, what struck me first was the fact that the U.S. has publicly called out to the world that cyberspace will be added as one of the operational domains, retaliating to any attacks against it in the same way it would to attacks by land, sea, air and space. Saying that it plans to aggressively train, organize, collaborate, and strengthen relationships with global partners sends a strong message to the international community about its intentions to take full advantage of cyberspace’s potential, as well as how the government plans to deal with and respond to threats against this domain. While the plan still leaves many questions around attribution and countermeasures against any such attack, I think the clear and unambiguous addition of the domain is an important step to deter cyber attacks targeting the U.S. government and our nation’s critical assets and infrastructure.
Unfortunately, a significant portion of the document is simply reiterating the government’s “business as usual” tactics. I’ve got to believe that for the five strategic initiatives, the DoD already has active programs in place. Therefore, the first question that comes to mind is how effective are these defenses? I suspect that the fundamental problem with the existing defenses is that the government is using traditional security solutions that don’t measure up against evolving cyber attacks. The root of this problem stems from the fact that the government continues to favor status-quo, “no one ever got fired for buying from” large companies and contractors. DoD and other agencies turn to these organizations to build offensive and defensive technologies without paying much attention to smaller, more innovative companies that, in my opinion, develop far better, more effective technology. From my experience, this has historically been the case with the military (just ask the innovative arms manufacturers that couldn’t get the military to adopt new weapons in the Civil War).
I did, however, find a glimmer of hope in the plan’s Strategic Initiative No. 5: “DoD will leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation.” While I’m pleased to hear the government would like to work with small, nimble companies that I believe provide the rapid technological innovation that the document calls for, the reality is what I just outlined: the DoD tradition and evaluation/purchasing structures favor large companies and contractors.
The problem with the claim is the government sets an extremely high bar that almost guarantees they can’t do business with smaller companies. Take, for example, the cost of trying to meet common criteria and update certifications. The average vendor does not have the resources to put their products through all of the regulatory requirements needed for most defense-related implementations. Small businesses generally cannot afford the quarter of a million dollar certification programs that large companies can. As a result, historical precedent has shown that the DoD primarily goes with incumbents.
I commend the government for recognizing the need to innovate technology very rapidly to keep up with evolving cyber threats. Smaller, innovative companies can play a critical role for defending our nation’s networks and systems from more sophisticated attacks. However, I cannot fully believe the DoD is serious about this claim until there is action behind it. It’s a great vision, but there still exist structural impediments that don’t allow smaller companies under normal operating procedures to fulfill that promise.
As a smaller company that provides highly innovative and effective application whitelisting-based endpoint protection solutions, CoreTrace stands ready to help the DoD and other agencies deliver on the cybersecurity vision. My challenge to the DoD is this: If you say working with innovative companies is part of the national cyberwarfare strategy, prove it by bringing companies like CoreTrace in and streamlining the evaluation/procurement bureaucracy. Let us all help make your strategy a reality.

by Toney Jennings

Wednesday, 20 July 2011

Accellion in Action: Seattle Children’s Hospital

A recent issue of Research Practitioner Magazine includes the article, “Collaboration Moves Research, Clinical Knowledge” and talks about the importance of medical researchers reaching out to potential collaborators, nearby and globally, as they work on ground-breaking medical research.
For more than 100 years, one such facility, Seattle Children’s Hospital, has provided inpatient, outpatient, diagnostic, surgical, rehabilitative, behavioral, emergency and outreach services to children from infancy through young adulthood. Part of Seattle Children’s Hospital, Seattle Children’s Research Institute, has nine major centers, and is internationally recognized for its work in cancer, genetics, immunology, pathology, infectious disease, injury prevention and bioethics.
Accellion customer Wes Wright, Chief Technology Officer at Seattle Children’s, weighed in on how Seattle Children’s uses file transfer and collaboration technology from Accellion to facilitate their research.
Seattle Children’s Hospital in Washington struggled sending secure files through a difficult-to-use secure file transfer protocol server and using email encryption. Less than a year ago, however, the hospital and foundation switched to a Web-based program, one that offers encryption, user tracking, and transfer of large data files. The program is offered by Accellion, headquartered in Palo Alto, Calif.
The switch to the new file transfer system was spurred primarily by research needs, says Wes Wright, vice president and chief technology officer at Seattle Children’s. “We put the solution in to help us transfer data files for research, but it has since spread out among the whole organization.” After the purchase, the system took only about three weeks to implement.
About 4,800 employees use the system now… the reason is the simplicity of the plug-in, Wright says. If a user wants to transfer a file, he opens Microsoft Outlook and chooses new mail. In the right-hand corner of the new mail is a plug-in that says “Accellion.” “You hit that button and it opens a file browse window. You browse to the file you want and attach it.”
…The system also tracks who has downloaded and looked at each file. “Whenever anyone accesses a particular file, we keep a log of it,” he says. Sometimes researchers send the file to themselves and download it on their home systems so they can work at home. “We know that user X sent it to himself and then downloaded it when he got home. We can keep track of that file and where it went.”
Such technology is “the wave of the future with HIPAA and high-tech regulations and rules,” Wright says. “The easier we can make it to securely share and collaborate among researchers, it’s going to be a research differentiator.”
We’re so proud Seattle Children’s Hospital staff and research team use Accellion to help move such important work forward.

by Accellion

Monday, 18 July 2011

Skyjacking attack – then Cisco, now Aruba?

Recall the “Skyjacking” vulnerability discovered in Cisco LAPs a couple of years ago? It allowed a hacker to transfer control of enterprise Cisco LAPs from the enterprise WLC to a hacker-controlled WLC on the Internet with an over-the-air attack. Once control is transferred, the hacker could change the configuration on those LAPs in any way by adding, deleting and modifying SSIDs. The hacker could also tamper with Cisco monitor mode APs and take away the security layer. Cisco Skyjacking exploited a vulnerability in Cisco’s over-the-air controller discovery protocol. Read more about it here.
Now a similar vulnerability seems to have been discovered in ArubaOS and the AirWave console. The advisory states: “[a]n attacker could plant an AP with maliciously crafted SSID in the general vicinity of the wireless LAN and might trigger a XSS vulnerability in reporting section of the ArubaOS and AirWave WebUIs. This vulnerability could potentially be used to execute commands on the controller with admin credentials.” Though the modus operandi is different from Cisco’s, the end result is similar – transferring control of the Wi-Fi controller to the hacker by launching an over-the-air attack.
No system is free from vulnerabilities and such things will continue to be discovered. But you don’t have to give away “hack one, get one free”. You don’t have to give hackers control of Wi-Fi coverage and Wi-Fi security in a single shot. This can be achieved by ensuring that the Wi-Fi security layer operates independently of the Wi-Fi infrastructure. This makes a strong case for using separate and specialized security monitoring (WIPS) for Wi-Fi. With a separate WIPS, even if you lose your Wi-Fi coverage to a Skyjacking attacker, the WIPS will prevent any security damage over the compromised controller. It will also alert you when Skyjacking happens, so that immediate remediation can be done.
Not only is such a diversified approach safer, it is also cost effective! This is because the specialized WIPS can help you get rid of hardware components such as controllers and will reduce your CapEx. It will also reduce your OpEx with a sleek monitoring workflow compared to WIPS bundled along with Wi-Fi infrastructure.

by Hermant Chaskar
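The advisory quoted in the post above turns on one fact: an SSID is up to 32 bytes chosen by whoever operates the AP, so a reporting page must treat it as untrusted input. The following is an added example, not code from the original post or from any vendor's WebUI; the function names and scan data are constructed, and it shows a report row built without output encoding next to a hardened version.

```python
import html

MAX_SSID_LEN = 32           # the 802.11 SSID element carries at most 32 octets
MARKUP_CHARS = "<>\"'&`"    # characters with no business in a displayed network name

# Constructed scan results: (BSSID, raw SSID bytes as seen over the air).
SAMPLE_SCAN = [
    ("00:11:22:33:44:55", b"CorpWiFi"),
    ("66:77:88:99:aa:bb", b"<script>alert(1)</script>"),
    ("cc:dd:ee:ff:00:11", b"Guest\x00\xffNet"),
]


def ssid_to_text(raw):
    """Turn SSID bytes into display text without assuming they are valid text."""
    text = raw[:MAX_SSID_LEN].decode("utf-8", errors="replace")
    # Control characters (NUL, newlines, ...) are shown as U+FFFD, not passed through.
    return "".join(ch if ch.isprintable() else "\ufffd" for ch in text)


def looks_like_markup(ssid):
    """Cheap detection signal: an SSID carrying HTML metacharacters is worth an alert."""
    return any(ch in ssid for ch in MARKUP_CHARS)


def render_row_unsafe(bssid, raw_ssid):
    """The flawed pattern: attacker-chosen bytes are pasted straight into HTML."""
    ssid = raw_ssid.decode("utf-8", errors="replace")
    return f"<tr><td>{bssid}</td><td>{ssid}</td></tr>"


def render_row_safe(bssid, raw_ssid):
    """Hardened pattern: normalise first, then HTML-encode every dynamic value."""
    ssid = html.escape(ssid_to_text(raw_ssid), quote=True)
    return f"<tr><td>{html.escape(bssid, quote=True)}</td><td>{ssid}</td></tr>"


def render_report(scan):
    """Return (HTML table, list of BSSIDs whose SSID looked like markup)."""
    rows, alerts = [], []
    for bssid, raw_ssid in scan:
        rows.append(render_row_safe(bssid, raw_ssid))
        if looks_like_markup(ssid_to_text(raw_ssid)):
            alerts.append(bssid)
    return "<table>\n" + "\n".join(rows) + "\n</table>", alerts


if __name__ == "__main__":
    report, alerts = render_report(SAMPLE_SCAN)
    print(report)
    print("SSIDs containing markup characters seen from:", alerts)
```

Encoding at the point of output is the fix; the markup check is only a monitoring aid and should not be relied on as a filter.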

Friday, 15 July 2011

AirTight Rated “Strong Positive” by Leading Analyst Firm

We are really excited here at AirTight. AirTight achieved a rating of “Strong Positive” in Gartner’s 2011 Marketscope Report for Wireless LAN Intrusion Prevention Systems, published this week. “Strong Positive” is the highest possible rating in a Gartner Marketscope. The July 2011 report was authored by John Girard, VP, Distinguished Analyst, John Pescatore, VP, Distinguished Analyst and Tim Zimmerman, Research Director at Gartner.
2011 Gartner Marketscope On Wireless LAN IPS matrix
If you are concerned about wireless threats to your enterprise, including unapproved personal smart devices, this report outlines the key highlights and limitations of each solution as well as feedback from real customers of each vendor.
The 2011 MarketScope report evaluated vendors on five criteria – customer experience, offering (product) strategy, overall viability (business unit, financial strategy, organization), marketing execution, and product/service.
The report notes in part, “Wi-Fi support is a standard extension of corporate networks, and enterprises must ensure the vulnerability management and intrusion prevention processes be extended to cover wireless and wired networks. WLAN security monitoring in the form of wireless intrusion prevention systems (WIPS) is required to ensure that supported WLAN performance is not impeded by interference or denial-of-service attacks, WLAN traffic is kept private and secure, users are prevented from installing unauthorized WLANs, and unsupported/unauthorized WLAN technologies are barred from operation.”***
***MarketScope Disclaimer
The MarketScope is copyrighted 2011 by Gartner, Inc. and is reused with permission. The MarketScope is an evaluation of a marketplace at and for a specific time period. It depicts Gartner’s analysis of how certain vendors measure against criteria for that marketplace, as defined by Gartner. Gartner does not endorse any vendor, product or service depicted in the MarketScope, and does not advise technology users to select only those vendors with the highest rating. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

by Della Lowe

Lessons from Booz, RSA, Epsilon, etcetera: Partners may be your weakest security link…

Computer hackers by and large focus on the weakest link of an organization’s security system. Whether it’s an unprotected server, a newly discovered system vulnerability, or an unsuspecting employee’s computer that is connected to the corporate network, cyber criminals are experts at sniffing out the weakest link.
On the surface, this week’s breach of 90,000 military e-mails and password hashes may look the same. After all, the hackers claiming responsibility for the break-in did so through an unsecured server in a network that basically had no security measures in place. What’s different about this attack, however, is the exploited server was not the military’s. The server belonged to government contractor, Booz Allen Hamilton. In other words, this criminal strategy went beyond the walls of an organization’s own network defenses.
In the case of the Epsilon security breach, where millions of customer email addresses were compromised, hackers targeted a single entity to steal private data on many of the marketing giant’s big-name customers like Chase, Citi and Target. The Booz Allen hack reverses that scenario. Instead of going after one to get to many, cyber criminals targeted multiple entities to get to one.
Much like the supply chains of the 1990s that tied systems together, today’s business enterprises are built on the same idea. Unfortunately, with a number of different partners connecting in real-time to a central network, an organization’s security is only as good as its partners’ security practices. If even a single partner does not adhere to today’s best practice security standards, that partner becomes the weakest link in the chain. Cyber criminals know this, and this week’s military breach is a prime example of what happens when hackers exploit a business partner to get to another business.
In today’s world, the epicenter of a cyber attack isn’t necessarily at the core of your network anymore. With so many endpoints connecting to your enterprise, how can you protect yourself when you can’t control the assets people use to get to your network? The fact is, organizations and people are getting hit in and between companies. The fight against cyber crime is becoming more about the weakest link in the entire value chain, not the organization itself.
Insisting on best practice security standards from all of your partners can be a first step to protecting your endpoints from attacks that start outside of your network. However, relying on your partners to maintain updates to ensure your corporate policies are enforced can potentially leave your network vulnerable to outside attacks. That’s why when pushing security standards, we recommend mandating a proactive security posture for your own endpoints and those of all of your partners. Naturally, we feel strongly that deploying an application whitelisting solution like CoreTrace Bouncer is a key component of that proactive strategy.

by JT Keating

Gartner Wireless IPS Marketscope rates AirTight “Strong Positive”!

The latest Gartner research on wireless IPS has just been published and AirTight has received the highest rating of “Strong Positive”.

by Mike Baglietto 

Learning from Morgan Stanley’s Data Breach

“Morgan Stanley Admits to Loss of Unencrypted CDs” reads the latest data breach headline in SC Magazine. I can’t help but shake my head as this could have been easily avoided. The lost information contained 34,000 client account and social security numbers, among other confidential data. The CDs were delivered intact to the New York State department of taxation and finance’s mail room and disappeared somewhere between there and the intended recipient’s hands.
IT departments worry about data security and do their best to put systems in place to prevent this kind of data breach. So how does it happen? Some of the biggest risks come from employees who work around an IT mandated solution. In this case, it looks like there was a file too large for either Morgan Stanley’s, the recipient’s, or both systems’ email restrictions. For the employee who opted to mail the unencrypted CD, the magnitude of the potential loss and risk involved may have never crossed their mind or may have taken a backseat to Getting the Job Done.
You, as an IT professional, can easily save the day and provide a way for your users to share information and collaborate securely.
In addition to banning CDs, thumb drives, free Dropbox-type applications, FTP or USB sticks, implementing secure file sharing technology such as Accellion’s helps enterprises securely share files in a way that can be seamless to employees and their intended recipients. With Accellion, you can track and manage who has sent and downloaded what file, where, and via what device.
Since Accellion supports any file format and size, I suspect Morgan Stanley’s CDs were used to transfer files an Accellion user would’ve been able to send easily. With Accellion, shared files are stored securely on a server, so issues with the recipients’ email storage limits are also bypassed. And the file is encrypted in transit and at rest.
Some of the world’s leading financial services organizations use Accellion to protect their sensitive data including: AEW Capital Management, American Capital, Australian Unity, Bank of Scotland, Bank of Spain-Miami (Banco Santander), Cigna WorldWide Insurance Company, Covenant Bank, Deloitte & Touche CA, Georgia Bank and Trust, Farmers Insurance Group, Federal Credit Union, HealthMarkets, IMA Financial Group, Inc., KPMG, MIB Solutions, PFS Global Ltd., Princeton Financial Systems, United Community Bank, ViewPoint Bank and Xpress Holding to name a few.
Financial services firms need to protect their sensitive data in a way that’s easy-to-use for employees and easy-to-manage for IT staff. Accellion solutions can help.

by Accellion

Beyond the Glitz and Glamour: Mobile Collaboration

Nothing is more interesting to me than watching people interact with their mobile devices, whether that’s an iPhone or iPad, Android, BlackBerry or even those rare Windows phones. People swoosh their fingers across the screen to access page after page of content…whether it’s the New York Times, Washington Post, Facebook, Twitter, and even business content. I know it’s hard to believe, but watching this behavior is actually quite fascinating. People interact with their mobile devices when they’re alone, out with friends or even on a date. Yes…I have seen it happen and probably am guilty of it too.
Clearly, mobile devices have become extensions of their owners and close attachments have been formed. Flashy people bejewel their mobile device cases with faux rhinestones. Many women change mobile device cases depending on what they’re wearing…just as they would change purses. And, of course, people who don’t care either way, or prefer a traditional looking phone, tend to have sturdy cases in “wonderful” black, grey and white hues.
But beyond the glitz and glamour involved with the look and feel of mobile devices, the material that people access is most important. No one would be obsessed with their mobile device if content was useless or boring.
Today, people want information on the go. In particular, busy professionals want full access to work files whether they’re at a coffee shop, security line at the airport, or on the road. With this in mind, Accellion delivers mobile apps for the iPhone/iPad, Android and BlackBerry mobile devices. Accellion Secure Collaboration customers can securely view their workspace files, make comments on files, and get notified when collaborators have made comments or added files to a workspace. Accellion Mobile Apps ensure that business can be conducted securely on the go. Whether you use a leopard print cover is up to you.

by Nina Seth 

Friday, 8 July 2011

EOL for Space Shuttle – 30 Year Product Life Better Than Most Cars?


Atlantis on October 3, 1985 Photo Credit: NASA/KSC
This week, after 30 years of service, the Atlantis Space Shuttle is scheduled to make its final flight before retirement. 30 years ago we had no iPad or iPhone, we didn’t even have the Internet. MS-DOS was just released by Microsoft, the hottest computer was the Sinclair ZX80 retailing at $199.95 and the “Best Selling Car in America” was the Ford Escort. With this technological perspective the Space Shuttle design is a mind blowing achievement.
It’s become easy over the years to take for granted the almost routine take off and landings of the Space Shuttle. Yet a 30 year product lifetime, for any product, is impressive. Compare the Space Shuttle’s 30 years of service to the ten-year expected lifetime of a car and three years for a mobile phone. Admittedly, the Space Shuttle didn’t get daily use, but still most technologies don’t have a 30 year product life. Most people would consider themselves lucky to get two years of service out of a laptop.
At Accellion, we’re proud that our file sharing solution has been in service for more than five years at customers such as P&G, Ogilvy & Mather, St. Jude’s Children’s Hospital, L’Oreal, and Hilton Hotels to name just a few. Along the way we have enhanced Accellion file sharing, to support new technologies such as virtualization, cloud, and mobile apps. And, yes, our customer base has grown significantly over the years, including the addition of NASA several years ago. While product life is definitely influenced by technological advancement, customer satisfaction is perhaps the bigger contributing factor. At Accellion, our extremely high customer renewal rate (>98%) represents not only a long product life but, more importantly, that our customers are our old friends.
Congratulations and best wishes to NASA for the final Space Shuttle launch.

by Paula Skokowski

Wednesday, 6 July 2011

Top Endpoint Security Stories for June 2011: Malware developers show just how efficient they’ve become

We’ve always known how tenacious hackers are, working around the clock to infiltrate corporate networks. In June, we found out just how efficient they are. Mutating malware that bypasses security updates within hours and unconventional cyber attacks on seemingly secure networks have prompted the need for stronger endpoint defenses. For many, whitelisting is the answer. Here are some of the top endpoint security stories for June 2011.

Hackers move quickly to evade the latest security updates

In June, we saw two examples of how quickly cyber criminals can adapt to change. Security updates to both Macs and Windows held hackers back only long enough for them to create new variants that allowed them to resume active attacks on the same fixed vulnerabilities a few hours later.
According to the article, “Apple’s malware detection update circumvented in 8 hours,” malware developers were able to rewrite code overnight to evade the latest Mac updates. In another incident, “Hackers move fast to exploit just-patched IE bug,” just three days after Microsoft patched 11 bugs in Internet Explorer, cyber criminals were exploiting one of the patched vulnerabilities.
With hackers working non-stop to develop new malware and malware variants that can bypass even the most recent updates and signatures, organizations need a solution that doesn’t place a band-aid on known vulnerabilities that criminals can peel off hours later. Security tools like application whitelisting do this by simply preventing the execution of all unauthorized applications.

Poor user updating practices creating unclosed security holes

While security patches have their own challenges keeping cyber criminals from returning to exploit known vulnerabilities (see above), a recent study by G Data SecurityLabs found that users certainly aren’t helping (which is not a surprise to any InfoSec pro).
According to the article, “Malware Authors Relying on Poor User Updating Practices,” cyber criminals are taking advantage of users’ negligence around installing the latest security updates. As a result, hackers are targeting both current and older unclosed security holes, said Ralf Benzmüller, head of G Data SecurityLabs.
“Even though an enormous number of program updates are being provided, users should not be fooled into deactivating automatic update functions. Not only does this apply to Java, but it should also apply in general to all browser plug-ins used and all applications installed on the PC.”

Whitelisting a top strategy for combating modern malware attacks

As cyber criminals exploit any vulnerability they can to infect corporate networks, implementing security strategies that stop targeted attacks that quietly steal sensitive data is critical for combating modern day cyber threats.
The article, “Top five strategies for combating modern computer security threats,” outlines some techniques for preventing unauthorized and malicious software from exploiting a user’s laptop or computer. One of the recommended solutions is application whitelisting.
While there are valid concerns around preventing attacks like memory exploits and handling dynamic environments without impacting user and IT productivity, advancements in leading whitelisting solutions have resolved these issues to provide Total Application Control (TAC) that allows organizations to proactively defend their network endpoints from modern malware attacks.

A key goal of today’s cyber attacks: Establishing a “persistent point of presence”

Today’s cyber criminal is not your stereotypical crook who breaks in, steals the loot, and gets out as fast as he can. According to Gartner analyst John Pescatore, the goal behind many of today’s attacks is to surreptitiously establish a persistent point of presence inside a network and use that to snoop on and steal information.
“A common thread through many damaging incidents is targeted executables getting installed on critical servers or high value employee PCs.”
According to the article, “Attacks on IMF, Lockheed and others highlight need for defenses against targeted attacks,” a recent rash of successful cyber attacks against supposedly secure organizations has prompted the need for enterprises to deploy stronger defenses to protect their networks against highly targeted and persistent threats. Using whitelisting products alongside other AV tools to automatically block any unapproved applications from running on a system is one way to defend endpoints against custom Trojans that have been seen in many recent attacks.
Thanks for reading this month’s recap on some of the security industry’s biggest stories. I encourage you to regularly stop by to read our blog. Your thoughts on these important stories are always welcome.

by JT Keating

Monday, 4 July 2011

In the Cloud, Outside the Cloud…Securing Your Information

In the technology world, we’ve had a few action packed weeks. First, Box announced their integration with Google Docs. Then, Microsoft made their highly anticipated announcement of Microsoft 365, their cloud solution of productivity apps that includes Microsoft Office, Microsoft SharePoint Online, Microsoft Exchange Online and Microsoft Lync. Next, Google rebutted the announcement in their enterprise blog entitled “365 reasons to consider Google Apps”. And lastly, Box jumped into the fray with a ding at Microsoft for being late to the cloud game and why Box’s open platform is better for consumers.
You might be wondering if there is any valuable information in all this noise. Well, despite the proliferation of cloud computing, Microsoft Office is still the de facto application for business – with 31 million copies of Office 2010 sold. And it’s likely that those organizations will continue to use Microsoft products. But many small to medium businesses (SMBs) and newer companies have embraced the cloud wholeheartedly. They often use more consumer-oriented solutions such as Google and Box due to lower costs, flexibility, and perceived ease of use. They are often looking for more platform-agnostic solutions and not necessarily for enterprise-class solutions, which offer the security that every business requires today.
At Accellion, we spend a lot of time thinking about how employees at large and small companies securely share and send files. In fact, we’ve built our entire business around the premise that information can be shared securely. We offer our solutions through a web interface, native mobile apps, and plug-ins for Microsoft Outlook, OCS and SharePoint, as well as other business applications such as iManage so that users can securely share files through the business applications they already use.
For those of our customers who migrate to Microsoft 365 or are new to Microsoft 365, Accellion offers an Outlook plug-in that enables your users to securely send files to recipients.
Remember that no matter whether your organization uses a desktop or cloud solution, it should allow you to securely send information. To learn more, download our whitepaper, “Secure File Transfer and Collaboration in the Cloud: Maximizing the Benefits While Minimizing the Risks.”

by Nina Seth