Posted by Brian Milas - CTO on Tue, Jun 23, 2009
CSO Magazine's June 2009 article, Undercover: A Case of Help Desk Failure, takes me back to the early days when Courion was working with early adopters of automated password reset solutions.
The article describes how social engineering was used to gain access to another person's password through the helpdesk... highlighting the need for (and difficulty of) challenging helpdesk callers with a set of questions that correctly authenticate the individual yet are easy for the individual to remember.
In the early days of Courion, we heard similar stories about weak authentication processes at the helpdesk. The most memorable was the helpdesk whose reps recognized the voice of the caller... and this was not an isolated case: several companies used this "authentication mechanism".
The article goes on to emphasize the importance of security, compliance, and controls from the perspective of the business rather than just from the IT frame of reference. Security and Compliance should be part of the business, enabling it to move faster... making it easy for a worker to perform their job securely, and difficult to take risky actions.
Posted by Todd Chambers - CMO on Thu, Jun 11, 2009
While reading Matt Flynn's Identity Management blog I was interested to see a post on the requirements that the American Recovery and Reinvestment Act (ARRA) will impose on healthcare organizations, specifically how they are required to prove audit compliance with respect to their use of electronic protected health information. Not only will all organizations be required to have audit controls in place and regularly monitor their audit records, but they'll also need to monitor and review the audit trails in "as close to real time as possible." It will be extremely difficult if not impossible for healthcare organizations to live up to this level of compliance ordinance without the aid of some sort of access assurance solution which includes preventive controls (identity management, access provisioning...) and detective controls (DLP, SIEM...). With the level and volume of access required to Electronic Health Records, having automated tools to aid in the privacy protection and access control process is really the only way organizations will be able to keep up with these increasingly stringent mandates.
We will actually be hosting a webinar on the "Impact of HIPAA on Identity and Access Assurance" next Wednesday on this topic so we hope you will join us or, if you can't make the live event you can visit our Webinar Archive to learn more.
And if you're interested in really digging in, here's the actual ARRA documentation and the HITECH Act begins on page 112.
Are you at all apprehensive about keeping up with the HITECH standards? If so, we want to hear from you. What are the challenges standing in your way?
Posted by Todd Chambers - CMO on Mon, Jun 08, 2009
The revelation that a highly placed State Department official and his wife have been spying for Cuba for almost 30 years should be another reminder that internal 'espionage' is every bit as dangerous as external hacking, and can be even more costly. For much of the past 30 years, technologies didn't exist that would allow IT managers to detect suspicious access patterns. That's not the case anymore.
Today, an advanced Access Assurance strategy with a combination of detective and preventative controls (DLP, SIEM, provisioning...) gives the security team insight not only into who has access to which resources, but what they are doing with that access, and whether that action logically corresponds with the user's job requirements.
As the White House further develops its new cybersecurity plan, it will be important to include guidelines that direct the implementation of a consistent Access Assurance strategy across agencies. While external hacks certainly pose a risk, protecting sensitive data from insider threats should be just as high of a priority.
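The post above (and the earlier HITECH post's call for reviewing audit trails "as close to real time as possible") describes the three questions a detective control must answer: who has access, what they do with it, and whether that fits the job. The following is an added example, not code from the Courion blog or from any Courion product: it reconciles a constructed entitlement extract against a constructed role model to find excess grants, then reviews constructed audit-log lines against both the grants and the roles, with a trailing-window variant that approximates near-real-time review from a scheduled job. The role model, user records, and log format are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed job-role model (assumption): the resource actions each role needs.
ROLE_RESOURCES = {
    "nurse": {"ehr:read"},
    "billing": {"ehr:read", "claims:write"},
    "dba": {"ehr:admin", "db:backup"},
}

# Constructed identity-store extract: each user's role and the entitlements
# actually granted (note bob holds ehr:admin, which billing does not need).
USERS = {
    "alice": {"role": "nurse", "granted": {"ehr:read"}},
    "bob": {"role": "billing", "granted": {"ehr:read", "claims:write", "ehr:admin"}},
    "carol": {"role": "dba", "granted": {"ehr:admin", "db:backup"}},
}

# Constructed audit-trail lines in the form timestamp|user|action|resource.
AUDIT_LOG = """\
2009-06-08T09:01:10|alice|read|ehr
2009-06-08T09:02:44|bob|admin|ehr
2009-06-08T09:05:00|carol|backup|db
2009-06-08T09:06:12|alice|write|claims
2009-06-08T23:30:00|bob|read|ehr
"""


@dataclass(frozen=True)
class Finding:
    user: str
    entitlement: str
    kind: str  # excess_grant | unentitled_use | out_of_role_use


def parse_audit(text):
    """Turn raw audit lines into (timestamp, user, 'resource:action') tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, user, action, resource = line.split("|")
        events.append((datetime.fromisoformat(ts), user, f"{resource}:{action}"))
    return events


def excess_grants(users=USERS, roles=ROLE_RESOURCES):
    """Preventive view: entitlements granted beyond what the user's role requires."""
    findings = []
    for user, rec in users.items():
        for ent in sorted(rec["granted"] - roles[rec["role"]]):
            findings.append(Finding(user, ent, "excess_grant"))
    return findings


def review_events(events, users=USERS, roles=ROLE_RESOURCES):
    """Detective view: each access event is checked against the grant and the role.
    A use with no matching grant means the entitlement record and the real system
    disagree (the most serious case); a granted use outside the job role means an
    excess grant is actually being exercised."""
    findings = []
    for _, user, ent in events:
        rec = users[user]
        if ent not in rec["granted"]:
            findings.append(Finding(user, ent, "unentitled_use"))
        elif ent not in roles[rec["role"]]:
            findings.append(Finding(user, ent, "out_of_role_use"))
    return findings


def review_recent(events, now_iso, window_minutes=15):
    """Near-real-time variant: only events inside the trailing window are reviewed,
    which is how a frequently scheduled job approximates continuous monitoring."""
    now = datetime.fromisoformat(now_iso)
    window = timedelta(minutes=window_minutes)
    recent = [e for e in events if now - window <= e[0] <= now]
    return review_events(recent)


if __name__ == "__main__":
    for finding in excess_grants() + review_events(parse_audit(AUDIT_LOG)):
        print(finding)
```

Running the block prints one excess grant (bob's ehr:admin) and two log findings: bob exercising that out-of-role grant, and alice writing to claims with no grant at all. The second kind is the one to escalate first, because it means the entitlement inventory no longer matches what the system actually allows.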
Posted by Brian Milas - CTO on Wed, Jun 03, 2009
I recently read a report, sponsored by Symantec, on DLP... and part of the executive summary caught my eye,
"If there ever was a problem that could be solved purely by the appropriate deployment of technology, data loss prevention isn't it. People, policies, and products must all work together, or the exodus of information will surely continue."
This is an interesting article that discusses the increased risk of theft/loss of your data, in part, because a market exists for things like stolen credit card data or personal information. Here's a synopsis...
In the past locked down perimeters and datacenters were the norm, but the "line" is blurring... workers are accessing systems from home, from hotels, on the road. Your IT organization may be blurring the line as well, moving applications into the "cloud". The enterprise infrastructure of your business is expanding to include partners and customers. Businesses continue to have a need to balance how they manage security against how they allow the business to run. Today's work environment, more than ever, expects to have data easily available at any time, from anywhere... the security model needs to protect data (no matter where it is) in addition to protecting systems.
The article then goes on to describe how Network Access Control complements DLP: basically, ensuring that any device connected to the network meets the policies of the business (e.g. requiring antivirus, encryption, up-to-date patches, etc.).
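To make the NAC idea concrete, here is an added example that is not from the Symantec report or the Courion blog: a posture check that evaluates a device's self-reported state against the business policy just listed (antivirus, disk encryption, patch currency) and places the device in either the corporate segment or a remediation segment. The policy values, the posture-report field names, and the segment names are assumptions; the reports are constructed. Note the default-deny treatment of missing fields: a device that cannot prove its posture is quarantined rather than trusted.

```python
from datetime import date

# Constructed business policy (assumption): what a device must show before it
# is admitted to the corporate network segment.
POLICY = {
    "require_antivirus": True,
    "require_disk_encryption": True,
    "max_patch_age_days": 30,
}

# Constructed posture reports of the kind a NAC agent or health check might send.
CORP_LAPTOP = {
    "antivirus_running": True,
    "antivirus_signatures_current": True,
    "disk_encrypted": True,
    "last_patch_date": "2009-05-20",
}
HOME_PC = {
    "antivirus_running": True,
    "antivirus_signatures_current": False,
    "disk_encrypted": False,
    "last_patch_date": "2009-04-01",
}
UNKNOWN_DEVICE = {}  # agentless device that reports nothing about itself


def evaluate_posture(report, today_iso="2009-06-03", policy=POLICY):
    """Return (decision, reasons). Every missing field counts as a failure, so an
    empty report is quarantined: the device must prove compliance, not be assumed."""
    today = date.fromisoformat(today_iso)
    reasons = []
    if policy["require_antivirus"] and not (
        report.get("antivirus_running") and report.get("antivirus_signatures_current")
    ):
        reasons.append("antivirus not running or signatures out of date")
    if policy["require_disk_encryption"] and not report.get("disk_encrypted"):
        reasons.append("disk not encrypted")
    last = report.get("last_patch_date")
    if last is None or (today - date.fromisoformat(last)).days > policy["max_patch_age_days"]:
        reasons.append("patch level older than %d days" % policy["max_patch_age_days"])
    return ("allow", []) if not reasons else ("quarantine", reasons)


def assign_segment(report, today_iso="2009-06-03"):
    """Map the decision to a network segment (names are assumptions): compliant
    devices reach the corporate network; everything else lands in a remediation
    segment that should expose only the patch and antivirus update servers."""
    decision, reasons = evaluate_posture(report, today_iso)
    segment = {"allow": "corp-vlan", "quarantine": "remediation-vlan"}[decision]
    return segment, reasons


if __name__ == "__main__":
    for name, report in (("corp laptop", CORP_LAPTOP), ("home pc", HOME_PC), ("unknown", UNKNOWN_DEVICE)):
        print(name, assign_segment(report))
```

The reasons list is what makes the control usable in practice: it is returned to the user (and logged) so that a quarantined device can be brought back into compliance instead of simply being refused.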
Another key component is people and education. Teach them how to make the right business decisions with security in mind, AND, make it "easy" to do the right thing.
Ensure that people have the right access to the right data at the right time. Good people doing unintentional things can introduce as much risk as a malicious hacker. Reduce your exposure by removing access to sensitive data that is not needed by the business.
Posted by Bob Craig - Dir Prod Marketing on Tue, Jun 02, 2009
It is being reported that yet another utility company has been attacked by a disgruntled ex-employee using a zombie account. This time, the victim was Energy Future Holdings, a large privately-held energy company in Texas. After being fired and escorted off the premises, a former employee apparently used his still-active account to gain access to the corporate VPN, where he emailed proprietary data to a personal email account on Yahoo! and modified or deleted various files in the corporate network, which caused an estimated $26K in damages related to lost business.
As we saw last month in the case of the California Water Service Company in San Jose, enterprise networks can be extremely vulnerable to attack by zombie accounts as layoffs - and tempers - mount. Security professionals need to be extremely diligent about the state of their Access Assurance strategies to make sure they are turning off access for former employees immediately upon termination. Leaving even a short time gap between notice of termination and closing accounts creates vulnerabilities. For example, earlier this year the Ponemon Institute reported that 59 percent of terminated employees admitted to stealing confidential company information. Implementing an automatic de-provisioning process is the only way to confidently avoid glaring lapses in security when your company's data stores are vulnerable to attack.
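The automatic de-provisioning process the post calls for comes down to one reconciliation: the HR record of who has left, compared against what is still enabled in the directory and on the VPN. The block below is an added example, not code from the Courion blog or from a Courion product. It reads a constructed HR termination feed and a constructed account-state extract, reports every terminated user whose access is still enabled (a zombie account) together with how many hours the gap has lasted, and turns the findings into disable actions; the feed formats, the one-hour service-level target, and the account names are all assumptions.

```python
from datetime import datetime

# Constructed HR termination feed (assumption): the authoritative record of who
# has left and when.
HR_TERMINATIONS = """\
employee_id,username,terminated_at
1001,jsmith,2009-05-29T16:00:00
1002,mgarcia,2009-06-01T09:30:00
"""

# Constructed extract of account state from the directory and the VPN concentrator.
ACCOUNT_STATE = """\
username,directory_enabled,vpn_enabled
jsmith,true,true
mgarcia,false,false
rlee,true,true
"""

# Constructed service-level target (assumption): how long after termination an
# account may remain enabled before the lapse is reported as a control failure.
MAX_GAP_HOURS = 1.0


def parse_csv(text):
    """Minimal CSV reader for the constructed feeds (no quoting needed here)."""
    lines = text.strip().splitlines()
    headers = lines[0].split(",")
    return [dict(zip(headers, line.split(","))) for line in lines[1:]]


def find_zombies(hr_text, state_text, now_iso):
    """Reconcile the two feeds: any terminated user whose directory or VPN access
    is still enabled is a zombie account. Users absent from the HR feed (rlee)
    are left alone; HR is the source of truth for this check."""
    now = datetime.fromisoformat(now_iso)
    terminated = {
        r["username"]: datetime.fromisoformat(r["terminated_at"]) for r in parse_csv(hr_text)
    }
    zombies = []
    for acct in parse_csv(state_text):
        user = acct["username"]
        if user not in terminated:
            continue
        still_on = [
            name
            for name, key in (("directory", "directory_enabled"), ("vpn", "vpn_enabled"))
            if acct[key] == "true"
        ]
        if still_on:
            gap_hours = (now - terminated[user]).total_seconds() / 3600
            zombies.append(
                {"username": user, "still_enabled": still_on, "gap_hours": round(gap_hours, 1)}
            )
    return zombies


def plan_actions(zombies, max_gap_hours=MAX_GAP_HOURS):
    """Turn findings into disable actions, and flag any gap beyond the target so
    the lapse itself is recorded for audit, not just silently fixed."""
    actions = []
    for z in zombies:
        for system in z["still_enabled"]:
            actions.append((z["username"], f"disable_{system}"))
        if z["gap_hours"] > max_gap_hours:
            actions.append((z["username"], "report_control_failure"))
    return actions


if __name__ == "__main__":
    found = find_zombies(HR_TERMINATIONS, ACCOUNT_STATE, "2009-06-02T08:00:00")
    for action in plan_actions(found):
        print(action)
```

In the constructed data jsmith was terminated on the Friday afternoon and is still enabled everywhere the following Tuesday morning, an 88-hour exposure; mgarcia was correctly disabled and produces nothing. Running the reconciliation on a short schedule, driven by the HR feed rather than by a manual ticket, is what closes the "short time gap" the post warns about.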