» 

Blog

Posts Tagged with "DATA SECURITY"

Preview of RSA Conference 2017 #RSAC

RSA conference

 

For those that are new to the annual RSA Conference U.S., this is one of the greatest info security conferences all year. The 2017 conference is said to be better than ever: more space, expanded food options, the new “Reserve a Seat” option and three full days of info security discussion led by global security experts.

Linoma Software will be attending this year’s conference, exhibiting in the North Expo. Our team is looking forward to learning which security topics are most prevalent among peers and engaging in meaningful discussions on today’s challenges and innovation. From an educational standpoint, there are several sessions we are most looking forward to:

 

CSA summit at RSACloud Security Alliance Summit 2017

February 13, 2017 | 9:00 AM - 4:00 PM | Marriott Marquis | Yerba Buena 5

Ah, “the cloud.” Over the past decade, businesses worldwide have been making the transition towards cloud computing and storage, and concern for security within the cloud has never been higher. In this special summit taking place during RSA 2017, world-leading security experts and cloud providers will join to discuss the threat landscape, data security innovations and global governance.

The keynote speakers are General Keith Alexander, CEO and President of IronNet Cybersecurity, and Robert Herjavec, CEO and Founder of Herjavec Group, and frequent investor on Shark Tank. Together with top officials from Symantec, Cryptozone, Duo Security and Oracle, these speakers are sure to bring decades of experience, lively discussion and actionable advice.

 

Peer2Peer at RSAMobile Devices: What Could Go Wrong? Discussion from the Frontlines

February 14, 2017 | 2:30 PM - 3:15 PM | Marriott Marquis | Nob Hill B

How many of your employees use their personal phones to access email, calendars or internal web resources? As of 2016, 77% of U.S. adults owned a smartphone, according to the Pew Research Center. In a world of BYOD (bring your own device), this session offers the opportunity to learn how your peers are dealing with security risks associated with mobile devices, apps and wi-fi networks that employees use.

This discussion will take place as part of the “Peer2Peers” breakout sessions, which is one of our favorite aspects of this conference. Facilitated by David Jevans, VP of Mobile Security at Proofpoint, it’s sure to spur meaningful conversations and peer-to-peer discussion.

 

Secure File Transfer for Enhanced Data Security

February 13-16, 2017 | Linoma Software Booth 4407, North Expo | San Francisco Moscone Center

Bring your most pressing file transfer questions to the North Expo, where secure file transfer experts from Linoma Software will be available to answer questions. This is a great opportunity to learn how a managed file transfer solution like GoAnywhere MFT can help to secure and automate transfers using a centralized approach.

We’re looking forward to connecting with you during the RSA 2017 conference! Be sure to stop by booth 4407 (map below).

RSA expo map to Linoma booth

 

Ready to get into the information security mindset? Watch the RSA 2016 opening theme video below for a glimpse into the discussions sure to occur during the 2017 conference.


3 Data Breaches That May Have Been Avoided through PCI Compliance

data breaches avoided with PCI compliance

 

“Dear Valued Customer,

As you may have heard, on September 8, 2014, we confirmed that our payment data systems have been breached, which could potentially impact customers using payment cards at our U.S. and Canadian stores.”

 

This is an excerpt from an actual email distributed by a large retailer, in the wake of a massive data breach jeopardizing over 50 million credit cards. Since 2004, Payment Card Industry Data Security Standards (PCI DSS) has stood as a core regulation aimed at thwarting breaches like the above, and any organization that accepts, transmits or stores cardholder data must comply.

Now, here’s the shocking truth: In the latest PCI Compliance Report conducted by Verizon, none of the companies it had investigated in ten years had been fully PCI compliant at the time they were breached.

In many cases, companies achieve total PCI compliance once but don’t sustain it. According to the Verizon report, 80 percent of companies fail at interim assessment. Technology moves quickly, and compliance solutions and policies implemented in past years may not be enough to stand up to modern security threats.

Other organizations believe that they don’t have to worry about protecting data. They believe their business is too small to be the target of hackers, or too large and successful to be using outdated, inadequate security practices. Sometimes they believe that data breaches only affect big retailers, not other industries.

But PCI compliance needs to be taken seriously by everyone or the consequences can be devastating. Here are three organizations that experienced the detriment of non-compliance.

hom depot data breach logo#1: Data Breach at Home Depot Compromises 56 Million Credit Cards

In what went down in history as one of the worst retail data breaches of all time, malware infected Home Depot point-of-sale systems and stole millions of customer credit and debit cards. The Home Depot attack seems to be a case of relying on inadequate software solutions and policies for data breach prevention. Employees later said that the company used outdated antivirus software and failed to monitor the network for unusual behavior.

PCI standards require routine vulnerability scans, but according to employees, more than a dozen systems handling customer information were not assessed and were off limits to much of the security staff. In Home Depot’s case, investing in a security software with the ability to audit security infrastructure for PCI compliance, may have been the difference between a $19.5 million data breach settlement, and business as usual.

OPM data breach logo#2: Office of Personnel Management Data Breach Affects Millions

After hackers attacked the Office of Personnel Management (OPM)’s servers and stole the personnel files of 4.2 million former and current government employees, as well as the security clearance background investigation information of millions more, a congressional investigation uncovered the organization’s security shortcomings.

Among many other findings, the report took especial issue with the department’s lack of two-factor authentication for employee access to sensitive data, claiming it was an oversight that could have prevented the security breach. This points to a key problem that PCI compliance is meant to address. It’s not enough to encrypt and protect your files during transfer, you need to monitor internal actors as well. A robust security solution will authenticate users, give them only the access they need, and maintain a detailed log of each user’s actions.

TJX data breach logo#3: Over 45 Million Credit Card Numbers Stolen in TJX Breach

TJX Companies, owner of popular home brands such as TJ Maxx, Marshalls, and HomeGoods, experienced a data breach in which more than 80GB of cardholder data was stolen over a period of 18 months. Before the company was able to detect and halt the breach, 45.6 records had been stolen.

Documents filed in court after the breach claimed that TJX had failed to comply with nine out of the twelve PCI DSS requirements. Factors contributing to the incident included an improperly configured wireless network, a failure to segment networks carrying cardholder data from the rest of TJX's network, and the storage of prohibited data. Two members of the PCI Standards Council later pointed to PCI compliance as the clearest way to protect data against a TJX-style breach.

PCI Compliance Can be Tricky, We Get It.

No company embarks on an initiative to avoid PCI compliance. You are trusted by your customers, partners and vendors to take the proper measures to secure and protect their sensitive payment data. It’s that trust that has kept your company successful for so many years!

We read about data breaches and attacks like these in the news on a regular basis, but we don’t pause often enough to audit our own data security practices. IT infrastructure in today’s enterprises is increasingly complex, especially for large companies with systems spread around the world like Home Depot. Add to that the fact that PCI compliance has multiple, complex requirements, and it can be daunting for IT and security teams to implement a sustainable process that ensures ongoing compliance.

PCI DSS compliance can be greatly simplified by using software solutions with features designed to help you achieve security and compliance. This type of software addresses PCI requirements, provides the information you need to satisfy an audit, and in some cases even helps you assess check whether you are meeting compliance standards.

PCI Compliance with Secure Managed File Transfer

File transfers are an essential point of vulnerability to consider when developing your security strategy. The most common file transfer pitfall is relying on inadequate methods such as poor FTP implementation practices, file sharing apps, and unencrypted email attachments.

A secure managed file transfer (MFT) platform guards your sensitive data against attacks with robust security and encryption methods, all while streamlining the file transfer process and saving your team time and resources that can be used to tackle other potential security issues.  Furthermore, a good MFT solution will have features like detailed audit logging and compliance assessments to eliminate the headache involved with ensuring your file transfers are compliant.

To make protecting data transfers as easy as possible, make sure your managed file transfer platform provides:

  • Secure connections for the transmission of sensitive data
  • Integration with existing critical applications
  • Role-based security and user authentication
  • Strong encryption methods
  • Detailed logs for audit reporting

Securely managing your data transfers is just one aspect of achieving PCI compliance, but it is an essential step toward fully protecting your enterprise against security threats.

Assess the PCI compliance of your file transfers for free when you try GoAnywhere MFT for 30 days. Sign up for a trial here.


Why Bother Upgrading Beyond Standard FTP?

Right out of the box, most operating systems come with a built-in File Transfer Protocol (FTP) tool that makes it possible to transfer large files between people, computers and servers. It accomplishes the key goal, which is to deliver the file from one place to another. However, too many organizations' philosophy has been that as long as the files were getting where they needed to go, standard FTP was good enough. That was especially true when they were transferring files internally.

The truth is that FTP alone has never been good enough, because too much information (file data, user names, passwords, etc.) is vulnerable to hackers and it only takes fairly rudimentary hacking skills to steal it. Now with increased pressure to protect sensitive data coming from regulators and consumers, it's urgent that companies implement a more secure file transfer method.

Take a look at this short video to hear Bob Luebbe, Linoma Software's Chief Architect, talk about the dangers of standard FTP.

 

 

At the end of this video, Bob mentions the value of clustering and load balancing to promote high active-active availability. Since this video was produced, we've also added these features to both GoAnywhere Services and GoAnywhere Director.


Federal Government Prioritizes Data Security

During the last State of the Union address, President Barack Obama included improving data security on his list of national priorities.

President Obama said, "America must also face the rapidly growing threat from cyberattacks½ We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy."

Including data security 0n the President's agenda is significant because it first implies that our government is not yet accomplishing this goal, and second it compels us to put the pieces in place "to protect our national security, our jobs, and our privacy."

Cyberattacks Not Always Sophisticated

Government Data Security Identified as Top PriorityWhile the list of companies who have suffered some form of data breach grows, the sad reality is that many cyberattacks (malicious or otherwise) are not "sophisticated" and could be prevented with off-the-shelf solutions. These first level attacks focus on corporate secrets, personal identity fraud, credit information, and private email.

The second level of attacks are those that attempt to disrupt our national security, financial institutions, and the backbone of our infrastructure. Internet providers, utility and transportation companies use communications to run switching stations, trucks, and trains, all of which would affect our livelihood if disrupted.

The President mentioned signing an Executive Order to work on this initiative (Executive Order 13636--Improving Critical Infrastructure Cybersecurity). The Executive Order calls for standards, processes and procedures to be proposed within 120 days of its signing (February 19, 2013).

Don't Wait to Take Action

When trying to comply with all of the various data security regulations (like  PCI DSS or HIPAA), it is critical to have the right procedures and products in place.

A variety of government agencies have already implemented solutions such as the GoAnywhere managed file transfer solution.  GoAnywhere takes a standards-based approach to data security using proven FIPS 140-2 validated encryption, SSL, TLS and SSH protocols, along with role-based administration and detailed audit trails.  This comprehensive approach allows federal agencies to protect and automate their batch transmissions, perform ad-hoc transfers safely and provide a compliant alternative to email attachments.

Linoma Software will be demonstrating the GoAnywhere solution, which is now listed in the GSA Advantage Directory, at the upcoming FOSE Government Technology and IT Expo held in Washington DC, May 14-16.

In the State of the Union Address, the President encouraged Congress to pass laws to "give our government a greater capacity to secure our networks and deter attacks."

Take a look at GoAnywhere today and learn how you can meet your security requirements and save costs through file transfer automation.  


Healthcare Industry Still Lags in Protecting Data

As healthcare information security requirements and penalties get tougher, a great deal of discussion is focused around how well the healthcare industry is securing patient data.

healthcare data security survey results

The general consensus is that the industry still has a long way to go. One of the industry's publications, Healthcare InfoSecurity, released the results of the Healthcare Information Security Today survey sponsored by RSA which took an in-depth look at security and IT practices of senior executives in the healthcare industry.

<< click on the image to learn more  

 

The survey reviews many information security topics including

  • Impact of a data breach
  • Security threats
  • Compliance and steps to improve security
  • Risk assessment

Some of the responses surprised us on how far healthcare companies need to go for proper HIPAA compliance. Take a look at these statistics:

  • 55% of respondents were not confident in their organization's ability to comply with HIPAA and HITECH Act regulations concerning privacy and security (grading themselves adequate or less).
  • 66% responded that their organization's ability to counter internal information security threats was adequate or less.
  • Only 47% of survey participants utilize encryption for information accessible via a virtual private network or portal.
  • 32% of respondents have not conducted a detailed information technology security risk assessment/analysis within the past year with 47% updating their risk assessment only periodically.

The good news is that the survey shows that healthcare organizations are taking steps in the right direction to improve their security practices.

  • 37% of organizations' budgets for information security are scheduled to increase over the next year.
  • 40% of respondents plan to implement audit tool or a log management solution within the next year.

When asked what their organization's top three information security priorities are for the coming year, the top responses included

  • Improving regulatory compliance efforts
  • Improving security awareness/education
  • Preventing and detecting breaches

Healthcare IT teams will need updated security policies, comprehensive training for employees, and reliable tools and solutions that can deliver functionality, ease of use, audit reporting, and efficient workflows that protect the security of confidential data at rest and in motion.

The pressure is growing, compliance audits are looming, and tackling these issues are just part of the evolution of the healthcare industry.  


Linoma Joins HANDD at InfoSecurity Europe

Following on the heels of the InfoSec Conference in Orlando last week, we've crossed the pond to co-sponsor an exhibition stand with longtime partners HANDD Business Solutions at the InfoSecurity Europe conference in London.  This event brings experts from all areas of cyber, network, cloud and data security together to discuss key issues and educate IT professionals on best practices.

InfoSecurity EuropeNo matter where an organization does business, keeping private data protected, avoiding data breach, and implementing appropriate policies and procedures to meet a variety of compliance guidelines are formidable challenges.

On the top of the minds of IT professionals who stopped by our stand, #C95, was how to find a better file sharing alternative than the free cloud-based services that have become popular with employees, but that are virtually impossible to monitor and track to meet compliance guidelines.


Hold the Phone! Your Cloud-Storage Files May Be Vulnerable

The cloud storage services market has seen tremendous growth in just the last two years. Reports indicate a growth from 300 million cloud storage subscriptions in 2011 to over 500 million in 2012. The popularity and convenience of mobile devices have fueled this growth, with cloud services presenting a way for companies and their employees to share files anytime and from anywhere.

dangers of mobile file transfers in the cloudThe ability to access virtually any type of document from your smartphone has been both a great tool, and a potentially serious risk.   Sharing files in the cloud allows your traveling sales representatives to access their latest sales report from their tablet, and lets the exec review accounting figures from their phones. Once the files are viewed, the users can delete them and assume everything is safe.

While cloud storage services may be convenient, they also present many security vulnerabilities. One of those vulnerabilities is that unauthorized users may be able to gain access to your files stored in the cloud through your mobile phones.

A recent article published in InfoWorld details the findings of a new report that focused on the security risks of using cloud storage services like Dropbox, Box and SugarSync. It described how researchers were able to recover a variety of different files from multiple mobile devices including iPhones and Android devices, even after they had been deleted from the cloud.  In addition, data about the cloud service user was also accessible via the phones.

Given how many mobile devices are lost and stolen every day, if you or your employees use a cloud storage solution to transfer sensitive data, it's possible that someone with the right expertise could access those files using your mobile device.

Two important precautions companies can take to minimize risk are to train employees to follow established security policies, and give them easy access to a secure and convenient way to share and store files.

Secure managed file transfer solutions are an excellent alternative to the cloud storage services, providing the ability to transfer files - both batch and ad-hoc -- without risk of unauthorized access. It puts the control for data security back into the hands of the IT team without compromising the workflow for employees.

Managed file transfer solutions offer many features not typically included in cloud based storage solutions like encrypted file transfer protocols, error reporting, audit trails, and support for SFTP, FTPS, and HTTPS - all important to maintain the utmost level of security.    


Computing Security Magazine Reviews GoAnywhere

As you probably know, GoAnywhere is not the only managed file transfer product on the market.  A handful of vendors offer their versions of a product to help streamline the file transfer process with features that are designed to keep that data secure.

Many of the people we talk to are researching several companies trying to decide which product will best serve their needs, and naturally, all of the vendors believe theirs is the best fit.

We've been developing resources over the last few years to help define what sets GoAnywhere apart, and as a result, we've built a bigger library of case studies, added a growing collection of customer success videos, and continued to marvel at the growing list of comments that our customers make about our products on LinkedIn.

We've also built an MFT Checklist that provides a list of features and considerations organizations should investigate when talking with competing vendors. The latest evidence we have to support the fact that GoAnywhere is a comprehensive, flexible, well-supported and easy-to-implement solution that can help any industry automate, simplify and encrypt their file transfers is a product review in Computing Security Magazine. GoAnywhere Product ReviewHighlights of the review include these:

"There are plenty of MFT (managed file transfer) solutions on the market, and Linoma's GoAnywhere is one of the most versatile and secure we've seen so far."
"The enhanced file transfer interface is very simple to use, and provides drag-and-drop facilities between the client and their assigned directory on the GoAnywhere host."
"We created a project to securely transfer a large folder, using FTPS from our domain controller to the GoAnywhere host system in minutes."

To read the entire review, you can download it here.    


New Protections for Patient Data Increase Pressure For Trading Partners to Get Compliant

Yet another layer of regulation has been added to the Health Insurance Portability and Accountability Act (HIPAA) that offers even greater protection for healthcare patients' privacy, while also defining new rights regarding how they can access their health records.

meet HIPAA compliance regulationsThe biggest change is the expansion of HIPAA compliance requirements to include trading partners and third parties who also handle patient data, such as billing companies, contractors, and more.  The U.S. Department of Health and Human Services (HHS) reports that these third parties have been responsible for several significant data breaches which is one reason the responsibility for compliance has been extended to this group.

Penalties for violating HIPAA compliance rules will be assessed based on the determined level of negligence, and can go as high as $1.5 million per incident.

Other issues addressed with the latest additions to the HIPAA regulations include more clarity in defining which types of breaches need to be reported, as well as how patients will be allowed to access and interact with their health records electronically.

If you're concerned about whether your FTP server meets compliance regulations, join us for a webinar on Thursday, Jan. 31 at Noon Central entitled "Get Your FTP Server in Compliance!"  You can learn more about the agenda for this webinar here.

For more information about the new HIPAA rules, check out the press release from HHS.


Hacking and File Transfers: What You Need to Know

In the battle to secure information, it helps to know a little bit about how it can be compromised. Using FTP is one way to expose critical vulnerabilities that can allow credentials to be hacked.  However, these holes in security can also be easily closed if you know how.

How Hackers Discover Vulnerabilities

Here's how hackers could access sensitive data sent via FTP.  With the use of a "sniffing" tool, an attacker could intercept and log any data traveling across the network. This log can then be analyzed to look at the content that was sent across specific TCP ports like FTP (port 21), as well as the user ID and passwords used to log in to the FTP servers that may have been sent as clear text.

managed file transfer, secure file transferStart with Networks, Routers, and Firewalls

To prevent this kind of hacking, the wired network can be secured by first making sure network ports are not available for public access, and then by separating network segments for sensitive servers and workstations.

However, many companies also have wireless networks where hackers just need reasonable proximity to the Wi-Fi signal, such as in an adjacent office or parking lot. Therefore, it is critical to secure wireless routers with WPA or WPA2 encryption options, rather than WEP encryption, which is no longer considered effective protection against hackers.

Once networks are secured, the next most effective tactic against hackers is to block all FTP traffic at the firewall. Then, for permitted file transfers, allow only secure encryption protocols such as SFTP, FTPS, HTTPS, PGP, or GPG for file exchanges in and out of the network. These security restrictions will deter most hackers.

Security Measures Can Be Challenging

Implementing these security measures is important, but it doesn't come without some challenges.  The IT staff will have to handle more complicated secure file transfer management processes, and users may be inconvenienced as files are transferred to people and organizations that need them.  As a result, users may look for a workaround for sending and receiving files to avoid being slowed down by the IT staff.  Popular alternatives users may try include email attachments or browser-based cloud services such as Dropbox that present a new vector of vulnerability as these options may not meet necessary security standards.

MFT Minimizes Hassle, Solves Security Vulnerabilities

There is a solution, however, that can provide not only the highest security for file transfers, but also create fewer hassles for both the IT department and the general employee.

Managed File Transfer (MFT) solutions increase data file security implementations and simplify the entire file management process by providing the tools for easily creating and managing all of the unique encryption keys for the company's various trading partners.  Access controls can be set up for authorizing each employee's file exchange requirements. MFT also provides a detailed log of all transactions so that any required audits may be easily fulfilled.

Some MFT vendors also provide intuitive and convenient email encryption solutions that can integrate with existing corporate email clients such as Outlook. This reduces the temptation for employees to use workaround tools that may bypass the security restrictions that have been put in place to prevent hacking of sensitive data.

Keeping data secure is an ongoing mandate that will only become more critical as industries move toward paperless environments.  Adopting a managed file transfer solution is one of the best ways to strengthen your file transfer processes and security as the pressure and liability risks continue to grow.

photo credit: kryptyk via photopin cc