Wednesday, 22 February 2012

Accellion, BoxTone, in a “Healthy” Partnership


Until recently, the thought of doctors using a mobile device to remotely monitor the health of a patient sounded like science fiction. In fact, the potential benefits that mobile devices could bring to the healthcare community have been discussed since the late 90s. With the recent arrival of powerful, easy-to-use mobile devices and innovative apps, it was only a matter of time until the medical community joined the mobile revolution.
The uses of mobile technology in the healthcare sector seem limitless. Apps that provide up-to-date information about medical news, tools, procedures, and trends across multiple specialties keep medical professionals well informed. The ability for a doctor to send a patient's x-rays to a specialist for diagnosis from a mobile device, or to write a prescription and send it straight to the patient's pharmacist, is remarkable.
Currently, there are 17,000 healthcare applications available in the major app stores. Unfortunately, as more and more traditional healthcare providers join the mobile revolution they are using unmanaged, untracked, free file storage and file sharing apps, in direct violation of federal mandates such as HIPAA. The increased use of mobile devices, file sharing, and collaboration across multiple devices, tablets, and applications has healthcare IT professionals searching for secure solutions.
The idea of securing patient data anywhere, anytime is one of the reasons why Accellion announced a partnership with BoxTone today. Linking the BoxTone EMM solution with Accellion's secure file sharing solution lets healthcare IT instantly secure, manage and support thousands of mobile employee devices and apps, while retaining complete control over access to, and the security of, confidential document- and file-based patient information.
Healthcare professionals can learn more about the secure mobility solution offered by BoxTone and Accellion in Las Vegas at HIMSS 2012 Booth 12928 Kiosk #13 on February 20-22 in the Mobile Health Knowledge Center.
by Ryan Swindall

Tuesday, 21 February 2012

BYOD and WPA2 – not made for each other


As the BYOD (Bring Your Own Device) tide rises, network and security admins wonder whether their existing Wi-Fi infrastructure security will hold up. In particular, will WPA2 with PEAP, which is pretty much the norm for Wi-Fi infrastructure security in enterprise networks today, continue to be adequate? WPA2 with PEAP is simple enough, still strong enough, and has served enterprise Wi-Fi security needs very well over the past several years. The forthcoming BYOD revolution, however, poses a new challenge for WPA2 and will require additional thinking on the part of network and security admins about how to complement PEAP to address some of the BYOD security issues. This new challenge comes from the ease with which people can bring personal mobile devices onto the enterprise premises and connect them to the WPA2 enterprise Wi-Fi network without administrator knowledge or help.
Quick rundown on how WPA2 with PEAP works
In WPA2 with PEAP, the security handshake starts with the authentication server sending its server certificate to the client. The client is “supposed” to check the validity of the certificate to ensure that it is connecting to the legitimate network. If you look at your Windows laptop's PEAP configuration, this check is enabled by selecting the “validate server certificate” checkbox. After the server certificate check passes, the client and the server establish an encrypted TLS tunnel between them. Once the encrypted tunnel is up, the client sends its username and password through it to the server to gain entry to the network.

PEAP certificate check is not required on personal mobile devices

With respect to the description above, if you do not check the “validate server certificate” option in the Windows PEAP configuration, the server certificate check is skipped. The server's CA certificate then does not even need to be installed on the client. On smart mobile devices, too, the certificate check is off by default. In Android, the default value for the certificate is “unspecified” (and the device does not even throw a warning about it), and in iOS you simply have to accept a warning indicating that the certificate has not been verified (who looks at warnings anyway, particularly ones they don't understand). The result? Users can simply enter their WPA2 usernames and passwords (which they know from their laptops) on any personal Android, iPhone, or other device, and connect that device to the enterprise Wi-Fi. No need to call the help desk! There can't be much disagreement that allowing indiscriminate connections of personal mobile devices to corporate network assets is not a good idea.
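To see which client profiles actually perform the server certificate check described above, here is an added example (not from the original post or from AirTight) that audits wpa_supplicant network blocks, the Linux counterpart of the Windows “validate server certificate” checkbox. The keys ca_cert, domain_suffix_match and domain_match are real wpa_supplicant options; the sample profiles, SSIDs and paths are constructed.

```python
# Audit wpa_supplicant network blocks for PEAP profiles that skip the server
# certificate check (the Linux analogue of the Windows "validate server
# certificate" checkbox). The config below is a constructed sample.
import re

SAMPLE_CONF = """
network={
    ssid="Corp-NoValidation"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice"
    password="hunter2"
}
network={
    ssid="Corp-CAOnly"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    identity="alice"
    password="hunter2"
}
network={
    ssid="Corp-Hardened"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
    identity="alice"
    password="hunter2"
}
network={
    ssid="HomeWiFi"
    key_mgmt=WPA-PSK
    psk="not-a-real-passphrase"
}
"""

def parse_network_blocks(text):
    """One dict per network={...} block, with surrounding quotes stripped."""
    blocks = []
    for body in re.findall(r"network=\{(.*?)\}", text, re.S):
        entry = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments
            if "=" in line:
                key, value = line.split("=", 1)
                entry[key.strip()] = value.strip().strip('"')
        blocks.append(entry)
    return blocks

def peap_findings(block):
    """Weaknesses of one PEAP block, or None if the block is not PEAP."""
    if ("WPA-EAP" not in block.get("key_mgmt", "").split()
            or "PEAP" not in block.get("eap", "").split()):
        return None
    findings = []
    if not block.get("ca_cert"):
        # No trusted CA: the supplicant accepts any server certificate, so the
        # TLS tunnel carrying the password may end at an unknown server.
        findings.append("no ca_cert: server certificate is not validated")
    if not (block.get("domain_suffix_match") or block.get("domain_match")):
        # A CA alone is not enough: any certificate that CA issued is accepted.
        findings.append("no domain_suffix_match: server name is not checked")
    return findings

def audit(text):
    """Map SSID -> findings for every PEAP network; an empty list means OK."""
    results = {}
    for block in parse_network_blocks(text):
        findings = peap_findings(block)
        if findings is not None:
            results[block.get("ssid", "<no ssid>")] = findings
    return results

if __name__ == "__main__":
    for ssid, findings in audit(SAMPLE_CONF).items():
        print(ssid, "OK" if not findings else "; ".join(findings))
```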
WPA2 can be complemented with “device identification” to solve the above problem
WPA2 provides good user authentication but does not provide device identification. Hence, when users log in with their credentials on different devices (including personal mobile devices), WPA2 can't stop them from connecting. Device identification is needed in addition to user authentication to solve this problem. With device identification in place, administrators can set up policies on which devices users may connect from, and block personal mobile devices from connecting to the WPA2 network even if users copy credentials from IT-assigned authorized devices to personal devices.
Device identification in AirTight WIPS and AirTight Wi-Fi access points
AirTight Networks WIPS and Wi-Fi access points both provide this “device identification” capability. They fingerprint the behavior of a device attempting to connect to the enterprise Wi-Fi and identify the type of device. Administrators can then set up policy rules on which devices to allow and which to block. On any blocked device, administrators can drill down, including location tracking, and then decide to leave it blocked or put it on the allow list. This facilitates monitoring and controlling personal mobile devices attempting to connect to the enterprise Wi-Fi network and nicely complements WPA2.

by Hemant Chaskar



Monday, 20 February 2012

The information management payoff


If Metcalfe’s Law shows that the value of any communications network increases in direct proportion to the number of connected users, Murphy’s Law suggests it’s only a matter of time before one of those connected users does something to compromise the integrity of the information being exchanged.
One significant lesson to be learned from any data breach incident is the high cost of human error. In too many cases, failure to comply with information privacy legislation or the leaking of sensitive data boils down to any organisation’s capacity to get a firm grip on exactly who is handling their data – and why.
Incredible as it may seem, many organisations seem to have tighter control over the processes for re-stocking their global stationery cupboards than they do for how, when, why and by whom sensitive information should be used and shared. Small wonder, then, that CompTIA’s IT Security in the Workforce study found that one in five organisations say they ‘definitely’ experienced sensitive data loss in 2011, with 32 per cent saying it was ‘likely’ that they had done so.
Nailing down all your company's information seems like an onerous task. But there are simple steps any organisation can take to reduce the risk of human error without shutting down communications. In the case of misdirected email – a leading cause of data leakage – organisations can use deep content inspection and true file type analysis to establish the sensitivity or integrity of any information before allowing it to be exchanged. Based on company-defined policies and settings, certain types of information can be encrypted automatically, without requiring any intervention by the user.
Organisations can take the extreme approach of configuring email gateways to quarantine all outbound email, forcing users to think twice before and after they’ve hit the send button. Or they can inject flexible controls into the equation and only quarantine mails that match specific criteria, such as those with attachments, messages containing credit card numbers or going to certain addresses. By diverting potentially sensitive content to a personal message manager portal, senders can review messages, releasing them only when they’re absolutely certain it’s appropriate.
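As an added illustration (not from the original post or any vendor product), the following policy check quarantines a constructed outbound message when it matches the criteria just listed (an attachment, a credit card number in the body, or an external recipient) and uses leading bytes rather than the file extension to establish an attachment's true type. The domain example.com, the sample messages and the attachment contents are assumptions.

```python
# Outbound e-mail policy check, an added example: quarantine a message that
# matches the post's criteria (attachment present, credit card number in the
# body, or an external recipient), using leading bytes rather than the file
# extension to establish an attachment's true type. All sample data is constructed.
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"  # assumption: the organisation's own mail domain
MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip", b"\x89PNG\r\n\x1a\n": "png"}
ZIP_BASED = ("zip", "docx", "xlsx", "pptx")  # Office files are zip containers

@dataclass
class Attachment:
    filename: str
    data: bytes

@dataclass
class Message:
    sender: str
    recipients: list
    body: str
    attachments: list = field(default_factory=list)

def luhn_ok(digits):
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                    # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_card_numbers(text):
    """Runs of 13-19 digits (spaces/dashes allowed) that pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found

def true_file_type(data):
    """Identify a file by its leading bytes, ignoring whatever it is named."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def attachment_finding(att):
    """Describe an attachment; call out a name whose extension hides the content."""
    ext = att.filename.rsplit(".", 1)[-1].lower() if "." in att.filename else ""
    kind = true_file_type(att.data)
    hidden = kind != "unknown" and ext != kind and not (kind == "zip" and ext in ZIP_BASED)
    if hidden:
        return f"attachment {att.filename!r} is named .{ext} but its content is {kind}"
    return f"attachment {att.filename!r} ({kind})"

def evaluate(msg):
    """Return ('quarantine', reasons) when any criterion matches, else ('release', [])."""
    reasons = []
    external = [r for r in msg.recipients if not r.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external:
        reasons.append("external recipient(s): " + ", ".join(external))
    cards = find_card_numbers(msg.body)
    if cards:
        reasons.append(f"{len(cards)} credit card number(s) in body")
    reasons.extend(attachment_finding(a) for a in msg.attachments)
    return ("quarantine" if reasons else "release", reasons)

# Constructed sample messages: one harmless, one hitting all three criteria.
SAFE = Message("bob@example.com", ["alice@example.com"],
               "Lunch at 12:30? Order ref 2024-0001.")
RISKY = Message("bob@example.com", ["alice@example.com", "partner@other.test"],
                "Card on file: 4111 1111 1111 1111 (ref 1234 5678 9012 3456).",
                [Attachment("notes.txt", b"%PDF-1.4 constructed sample")])
```

The second digit run in the RISKY body fails the Luhn check and is not counted, which is what keeps order or reference numbers from tripping the rule.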
These approaches do add an extra step to the email sending process, but it's a short one and the payoffs in terms of data protection are significant. As the head of enforcement at the UK's Information Commissioner's Office (ICO), Stephen Eckersley, has said, “One of the most basic rules when disclosing highly sensitive information is to check and then double check that it is going to the right recipient.”
Just this week, it was revealed that the ICO has issued over £1m in fines for data breaches since April 2010. New EU directives on data privacy will see penalties of up to 2 per cent of global annual turnover for organisations that breach data regulations. Globally, some of the world’s most respected brands have found themselves in the spotlight for all the wrong reasons; financial penalties aside, the reputational damage that follows in the wake of a data breach can linger long after any fine has been paid.
That’s a heavy price to pay for an errant click of the ‘attach file’ or ‘send’ button.
by Nick Peart


Friday, 17 February 2012

Customer Spotlight: Pepperdine University Gives Accellion Top Marks

Accellion In Action: Pepperdine Secures Copier Files
When Pepperdine decided to implement a university-wide copier replacement program, the mission was to make staff and students’ lives easier. With 90 copiers across four campuses, individuals could scan documents as needed, convert files to PDFs, and send them to an email account. Sounds great, right? But, the big question facing IT was – just how secure is the process?
For Pepperdine, all documents needed to be properly encrypted, keeping financial and other personal information out of the wrong hands and enabling the university’s clinics and counseling centers to comply with HIPAA regulations. But, the encryption needed to happen behind the scenes, as the university recognized that if the new copiers weren’t easy to use, they simply wouldn’t be used by students.
With Pepperdine already using Accellion Secure File Transfer to send and receive large documents – powering much of the university’s communications – the university decided to also use Accellion to support its copier rollout. How? Users simply scan desired documents, the Accellion SMTP Satellite forwards the file attachments to the Accellion appliance, and once users return to their PCs, they’ll have a secure link waiting with the scanned items. Users don’t have to do anything new – a huge perk. Plus, with all documents sent through the appliance, the built-in security aligns with the university’s HIPAA compliance practices.
“When you have an IT solution in place that can be used to support and secure other key business operations, it’s a huge win,” said Michael Lucas, CTO with Pepperdine University. “Our users know – and like – Accellion Secure File Transfer, so extending the product to our new copiers was a no brainer.”
by Ryan Swindall


Thursday, 16 February 2012

Video: Stopping Reflective Memory Injection


Today’s cyber attackers have added a new weapon into their arsenal: a sophisticated memory attack known as “Reflective Memory Injection”. Reflective Memory Injection goes beyond traditional memory exploits like skape/jt to easily compromise and own a victim computer.
Most security professionals today know that CoreTrace Bouncer provides advanced threat protection based on its adaptive application whitelisting technology. But Bouncer goes well beyond simple whitelisting – including extensive memory protection capabilities.
At CoreTrace, we believe actions are always better than words. So I recorded a video that shows how an attacker would use Reflective Memory Injection to compromise a victim computer, then demonstrates how Bouncer automatically prevents the attack.

Take a look and feel free to let me know if you have any questions.
by Greg Valentine

Wednesday, 15 February 2012

What I Don’t Love About SharePoint

A recent article in Fierce Content Management entitled “Survey finds many users blow by SharePoint security” reveals how cavalier some Microsoft SharePoint users are about maintaining security within the widely used enterprise collaboration and content management solution. According to the SharePoint security survey conducted by Cryptzone, an IT threat mitigation company, 92% of respondents said they knew that taking content out of SharePoint created a security risk; still, 30% were willing to take that risk for the sake of convenience. Even more eye-opening was that 43% took sensitive content out of SharePoint to work at home, and 55% said they did so to give material to someone without access to SharePoint.
There’s a clear need to be able to share files externally from SharePoint that is not currently being addressed in many organizations.
To collaborate effectively today, users need to easily and securely share content within their organization and with external partners across the firewall. But in order to securely share data with outside parties, organizations need to create a secure file sharing system within their SharePoint environment. Unfortunately, it is neither easy nor inexpensive to build an external-facing SharePoint server farm.
In order to open up content in SharePoint to external users, IT needs to provision a license and also set up external-facing SharePoint servers in the DMZ. This is an expensive proposition, so organizations usually bypass setting up external SharePoint servers. This often leads employees to create work-arounds rather than taking the time to put in IT requests. However, this is a data breach waiting to happen. Once a document leaves SharePoint “illegally”, the ability to track and manage the file is lost. This is particularly important in industries subject to HIPAA and other regulatory compliance.
There is a solution to this problem for organizations that want to make the most of their SharePoint investment. Accellion offers a plug-in for SharePoint that enables users to quickly, easily, and securely share a file of any size from within the SharePoint Document Library with both internal and external recipients. The plug-in not only makes it easy to share files across the corporate firewall but also provides the easy-to-use file tracking and reporting required to meet industry and government regulations such as HIPAA, SOX and GLBA.
So if your organization has made an investment in SharePoint but you haven't yet implemented external sharing of SharePoint documents for your users, please give us a call. As the Cryptzone survey illustrates, if a solution for external file sharing from SharePoint isn't provided, users will come up with their own, and security isn't typically at the top of their list of requirements.
by Nina Seth


Tuesday, 7 February 2012

The human factor

News of a data breach at the UK’s Scotland Yard has pushed the issue of data management and control back into the public eye. The Yard admitted accidentally sharing the personal email addresses of more than a thousand crime victims with other victims on its database. It was an easy mistake to make: In the course of sending a survey to 1,136 people, email addresses were entered in the wrong box, making them visible to all recipients.
In a worst case scenario, the maximum penalty for a data breach in the UK is £500,000.
No one sets out to lose data, but a glance at some of the most recent incidents reveals a common thread: human error. At a time when organisations across sectors are under increasing pressure to adhere to the often competing demands of transparency, cost-effectiveness, privacy and collaboration, data leak incidents are in danger of undermining reputations, brands, revenues and effective business strategies. It's a high price to pay for an accident, and if government privacy agencies are increasingly less forgiving of mistakes, customers – both existing and potential – are even less tolerant. According to research undertaken by the Ponemon Institute in October 2011, data leaks caused a minimum loss of 12 per cent in terms of brand damage; in some instances, this rose to an almost 25 per cent loss of brand value as a direct result of a data leak incident. As I've said, it's a high price to pay for an accident that could easily have been prevented.
Data leak prevention, Web and Email Gateways and strong, flexible policy-based encryption work in tandem with effective education and management policies to reduce the potential for costly human error. Encryption and decryption, for example, can be performed automatically and centrally within flexible policy parameters and without the need for user interaction.
This doesn't mean limiting end users' ability to share and communicate – recognising the content is important, but so too is the ability to apply context to the data before deciding to encrypt, whether or not the end user selects that option.
It’s all about striking a balance between risk and real-world working requirements – and making sure that human error doesn’t get in the way.
by Alyn Hockey


Even at Shmoocon, Security Can’t Be Taken for Granted


Shmoocon Labs is a group of vendors and attendees who get together before Shmoocon begins for a learning experience. The task – build a stable and SECURE network infrastructure to meet the needs of the convention. The idea is to teach people how to use hardware from various vendors and make it all work together as a network that remains secure, stable and functional throughout the conference, no matter what.
This year, AirTight’s® SpectraGuard® wireless intrusion prevention system (WIPS) was handed the responsibility to protect this network from wireless threats. As soon as I deployed the AirTight wireless Sensors in the convention center and fired up the SpectraGuard management console to give a demo at the AirTight booth, I noticed an unusual number of Rogue APs had popped up. More concerning was one Rogue AP that was unencrypted and on the main management network of the conference. Although AirTight’s WIPS had automatically detected and blocked the device immediately, a little detective work was in order. I used SpectraGuard’s location tracking to pinpoint the exact placement of the device.
A quick physical search revealed an Apple AirPlay device plugged into the management network. These devices are small and look just like normal Apple power plugs; however, they can also connect to wired networks, create wireless networks, and stream music! The AP was quickly removed from the management network (and placed on the hacker's playground network). However, the AP had been on the management network for over 5 hours of the convention; who knows what would have happened if SpectraGuard had not been around to take care of business – switches, firewalls, Wi-Fi, almost anything on the network could have been reconfigured.
I guess it can happen to the best of us, but, once again, it makes the case for layered security – having someone watching your back. As a security professional, your job is never done.
by Rick Farina

Thursday, 2 February 2012

There's opportunity in difficulty



Faced with increased penalties and significant reputation damage for serious data or information compliance breaches, it’s hardly surprising to find data protection topping TechTarget's list of enterprise IT priorities in 2012.

Challenging times lie ahead for organisations that don't adapt to the new risks and opportunities that come with new ways of communicating, but organisations that focus only on network security risk taking their eye off the ball. IT consumerisation, smart device proliferation, web-based services and workplace mobility all call for a data-centric approach to information management and protection.
Information is only as good as your ability to use it effectively; organisations looking to achieve high-quality data protection need to know, manage and understand the value of all the data entering and leaving their networks, as well as how it’s being used and by whom. The organisations that meet this challenge will be the ones that are most able to make effective use of their data while mitigating the risks inherent in information exchange.
To this end, more traditional, network-based data protection approaches should be implemented in tandem with contextual information management systems. This allows organisations to simultaneously control and empower their data without impeding its flow. Stopping and blocking might seem like the easiest route to take, but it simply isn’t up to the task and doesn’t reflect the technological realities of the way we do business today – or in the future.
by Alyn Hockey

Wednesday, 1 February 2012

A tale of two WLAN controllers: do we need to be chasing our tails for WLAN security?


Right when Wi-Fi access and security management are moving towards controller-less architectures, another interesting architecture seems to have evolved at the other extreme. This architecture seems to advocate not one, but two WLAN controllers in tandem – and from two different vendors at that. And, some optional (additional?) security management servers on top of the tandem. You think I am kidding? Then check this announcement from Aruba Networks, a leading controller-based WLAN vendor: http://www.arubanetworks.com/solutions/by-application/byod-services-on-your-existing-wi-fi/. The stated business case seems to be to put a band-aid on the insufficient security features of the Cisco WLAN (Cisco being another leading controller-based WLAN vendor).
In this case, the tandem is only for BYOD security, but as a matter of fact many more security gaps will remain to be addressed even after the twin tandem controllers are deployed. Would we need a third WLAN controller in the tandem to fill the remaining security gaps, and who might provide that? Or is it just easier to deploy a controller-less, comprehensive WIPS solution (with an onsite or cloud option, at that) and secure the Cisco WLAN once and for all? Just a practical thought.

Security Earthquake That Nobody Felt: McAfee Endorses Application Whitelisting


Folks in California are so used to earthquakes that sometimes they barely notice when one happens. Folks in the security business are so busy and swamped with the noise of the market that we often miss tectonic shifts in our own world. Let me help you with that last one:
BREAKING NEWS: “Endpoint Security Earthquake Hits: McAfee Actively Endorses Application Whitelisting. Magnitude & Ramifications Are Significant.”
This week, McAfee, one of the two dominant forces in reactive, blacklist-based endpoint security, actively and unequivocally endorsed Application Whitelisting. Ironically, in hard coverage of Symantec's recent problems with pcAnywhere, the industry is actively recommending application whitelisting too.
First, let's cover the major quake: McAfee's active endorsement of application whitelisting—for corporate desktops and laptops. In a series of videos on the popular video sharing site YouTube, McAfee joins CoreTrace in educating the market about the shortcomings of traditional blacklist-based solutions, the advantages of application whitelisting, and McAfee Application Control's purported advantages (most of which are unique compared with other whitelisting solutions, but not compared with CoreTrace, e.g., trusted change and memory protection). You can view the initial video here. While you are at YouTube, make sure to check out CoreTrace's video channel too.
While CoreTrace has successfully competed with our friends from McAfee on application whitelisting projects on fixed-function systems (e.g., critical infrastructure, POS terminals, servers), the antivirus giant has never publicly announced that whitelisting can and should be used on corporate desktops and laptops—until now. In the introductory video, McAfee senior product manager Swaroop Sayeram directly states: “Simplistic whitelisting might fit just fixed function systems… Dynamic whitelisting is a great fit for servers… and it is now a good fit for corporate desktops as well. These days, most of the deals we are seeing are to secure servers and corporate desktops.”
Second, let's cover the story of the related tremors: the industry's recommendations to use application whitelisting to solve problems like those created by the theft of Symantec's pcAnywhere code. While Symantec's own advisory to pcAnywhere users includes only its boilerplate old-school recommendations, experts throughout the industry are recommending whitelisting as one of the main solutions. As an example, as part of his recommendations in a FoxNews.com interview, Anup Ghosh, founder and CEO of Virginian security firm Invincea, told FoxNews.com, “Businesses should deploy application ‘whitelisting.’ This will prevent unauthorized malware from running on computers.”
So, McAfee has dramatically shifted the endpoint anti-malware landscape. Now the question is, with the ground shifting beneath its feet, what will Symantec do? Stay tuned for future coverage of this developing story…
by JT Keating