ROAM DATA Payment Industry News Focusing on Mobile Payments

Thursday, November 4, 2010

Astaro Boosts Greene County Agency's Security: County Agency Selects Astaro Network Security Over SonicWall

The Greene County Board of Developmental Disabilities, an agency committed to serving individuals with mental and physical disabilities, had a small network with little network protection. The eight users were networked together through a wireless broadband access point with a wireless router as their only form of network protection.

Read this case study to learn how Greene County was able to utilize Astaro Security Gateway software to fully protect its network.


View the original article here


Astaro is a No Brainer for NeuroScience Consultants: Physician Network Saves $100,000 a Year with Astaro Security Gateway

NeuroScience Consultants is a multi-location group of over 30 doctors spread out over 16 locations with a central administrative office to handle the billing needs of the practice. Until recently, each of their locations had its own private network routed over the Internet using Multiprotocol Label Switching (MPLS) with Cisco routers.

With Astaro Security Gateway, NeuroScience Consultants was able to connect all 16 of its locations and protect its 250-300 users from spam, malware and spyware. Check out this case study to learn more.


View the original article here


Tuesday, November 2, 2010

Creating a network endpoint security policy for hostile endpoints


NETWORK SECURITY TACTICS

Andrew Jaquith, Forrester Research
09.13.2010

The enterprise security perimeter is quickly dissolving. Everything from company financials, source code and email to unstructured documents and other forms of data is circulating outside the enterprise firewall on non-IT-controlled devices. Not surprisingly, Cambridge, Mass.-based Forrester Research Inc. has found that nearly half (47%) of North American and European enterprises state that implementing security requirements for third parties is a high or critical priority.

IT security has long operated on a simple principle: Because the firm owns all user endpoint devices that access company information, securing the devices means that data on them is secure. But what if that foundational principle no longer applies? The increasingly insistent and inconvenient spread of sensitive data to non-company-owned devices suggests that it doesn't.

Conversations with enterprises in the manufacturing, media and seasonal services verticals uncovered some unconventional wisdom: Control does not necessarily require ownership. Moreover, successfully controlling the spread of sensitive information on the network requires inverting conventional wisdom entirely by planning as if the enterprise owned no devices at all. Forrester calls this strategy the Zero Trust Model. To put the strategy even more simply: Treat all endpoints as hostile.

In recent research, Forrester identified five data security design patterns for implementing the Zero Trust strategy: thin client, thin device, protected process, protected data, and eye-in-the-sky. None of these patterns assume that the enterprise owns the endpoint devices. By dismissing the age-old conflation of ownership and control, enterprises will be able to design a network endpoint security policy that encompasses all possible ownership scenarios, including "technology populism," offshoring and outsourcing. To that end, look to secure your company's information with the following:

Thin client: Process centrally, present locally
Thin client is the old war horse of the Zero Trust strategy, encompassing a variety of technologies, including OS streaming, hosted desktop virtualization and workplace virtualization. Implemented in a security context, sensitive data stays centralized in hardened bunkers, with remote devices allowed to view it only via thin-client terminal applications. Because network access is required, thin client doesn't support offline use.

The advantage of the thin client is that data never leaves the server: It is only rendered on the endpoint. For additional security, IT can restrict host copy-and-paste operations, limit data transfers and require strong or two-factor authentication using tokens.

Thin device: Replicated data, with device-kill for insurance
The thin device pattern constrains access by limiting the type of device that can be used to access the data. Point-purpose devices like smartphones, for example, can keep only limited amounts of sensitive information on them. The information they keep is replicated, with master copies stored in data centers. Because of their size, storage capacity and comparatively modest processing power, applications are limited to email, light Web surfing and simple Web applications, rather than general data processing. With the thin device pattern, IT security groups can still control the security of devices, even when they don't own them. Using native management tools or third-party mobile device platforms like those made by Sybase Inc., smartphone security policies that can typically be imposed include backup and enforced encryption. For insurance, thin devices can be remotely wiped, making them truly disposable, unlike PCs. However, IT security may find it technically or politically unfeasible to impose IT security policies on non-company-owned devices.

Protected process: Local information processing in a secure "bubble"
Unlike the thin client pattern, which keeps sensitive data off of client devices entirely, the protected process pattern allows data to be processed locally on non-IT-owned machines. Sensitive information sits inside a compartmentalized processing environment, separated from the user's local operating system environment -- essentially a "bubble" -- whose security and backup properties are controlled by IT. The protected process pattern has many advantages: local execution, offline operation, central management and a high degree of granular security control, including remote wipe capabilities. But keep in mind that most operating system and application virtualization products are Intel- or Windows-only.

Protected data: Documents protect themselves regardless of location
Whereas all of the previous patterns seek to control the operating environments that process information, the protected data pattern protects the data itself. Technologies like enterprise rights management (ERM) enshrine access rules into documents directly. These rules, which rely on cryptography for enforcement, apply no matter where the document rests, which is a key advantage. Of all the patterns in the Zero Trust data security strategy, protected data is the most fine-grained and effective because it focuses on the information, not its containers.

One of the disadvantages to this pattern is that ERM requires client-side agents on every participating endpoint. The technology can also be challenging to deploy: Organizations tell Forrester that ERM business unit users sometimes create policies that are too tight, making data difficult to access, and policies don't adapt well to organizational changes.

Eye-in-the-sky: Know when important information leaves
The fifth Zero Trust data security design pattern is a supplementary data control technique for detecting, logging and optionally blocking sensitive data that leaves the physical or logical enterprise perimeter. Data leak prevention (DLP) technology, and, to a lesser extent, security information and event management (SIEM) tools, form the backbone of this pattern.

The primary advantage of the eye-in-the-sky pattern is that it can detect sensitive data as it moves outside the logical security boundaries, making it ideal for understanding the velocity and direction of information flow and for detecting anomalous transmissions. Unfortunately, most enterprises aren't able to require their business partners to install DLP agents on their computers. For this reason, enterprises should regard the eye-in-the-sky pattern as one that supplements other protection capabilities for outside PCs.
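The detect, log and optionally block loop that the eye-in-the-sky pattern describes, as an added Python example (not from the article, and not Forrester's or any DLP vendor's code): a toy monitor reads constructed outbound-transfer records, ignores transfers whose destination is inside the perimeter, flags card numbers that pass a Luhn check and a CONFIDENTIAL marker, writes each finding to the log with the number masked, and returns a block, log or allow verdict per record. The record format, the host names, the internal-domain list and the events themselves are all constructed for this example.

```python
"""Eye-in-the-sky (DLP-style) monitor: detect, log and optionally block
sensitive data leaving the logical perimeter. Standard library only."""
import re
from dataclasses import dataclass

# Hosts treated as inside the perimeter (constructed for this example).
INTERNAL_DOMAINS = ("corp.example",)

# Constructed outbound-transfer records, not real traffic:
#   timestamp | user | destination host | payload summary
SAMPLE_EVENTS = [
    "2010-10-31T09:12:04 | alice | fileshare.corp.example | card 4111 1111 1111 1111 for refund",
    "2010-10-31T09:14:51 | bob | mail.partner.example.net | please bill card 4111 1111 1111 1111 exp 12/12",
    "2010-10-31T09:20:17 | carol | files.partner.example.net | CONFIDENTIAL: Q4 forecast attached",
    "2010-10-31T09:22:43 | dave | cdn.vendor.example.com | order ref 4111 1111 1111 1112",
]

# 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
MARKER = re.compile(r"\bCONFIDENTIAL\b")


@dataclass
class Finding:
    timestamp: str
    user: str
    destination: str
    kind: str      # "pan" or "marker"
    action: str    # "log" or "block"
    detail: str    # never the raw sensitive value


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; weeds out most digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_external(host: str) -> bool:
    return not any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def find_pans(text: str):
    """Yield Luhn-valid card numbers found in text (digits only)."""
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            yield digits


def mask(pan: str) -> str:
    """Keep BIN and last four; the log must not become a second leak."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def inspect(event: str, block_pans: bool = True) -> list:
    ts, user, dest, payload = (p.strip() for p in event.split("|", 3))
    if not is_external(dest):
        return []  # stays inside the perimeter: nothing to report
    findings = []
    for pan in find_pans(payload):
        findings.append(Finding(ts, user, dest, "pan",
                                "block" if block_pans else "log", mask(pan)))
    if MARKER.search(payload):
        findings.append(Finding(ts, user, dest, "marker", "log", "CONFIDENTIAL marker"))
    return findings


def run(events, block_pans: bool = True) -> dict:
    """Return {user: (verdict, findings)}; verdict is block, log or allow."""
    decisions = {}
    for ev in events:
        user = ev.split("|")[1].strip()
        findings = inspect(ev, block_pans)
        if any(f.action == "block" for f in findings):
            verdict = "block"
        elif findings:
            verdict = "log"
        else:
            verdict = "allow"
        for f in findings:
            print(f"{f.timestamp} {f.action.upper():5} {f.user} -> {f.destination}: "
                  f"{f.kind} ({f.detail})")
        decisions[user] = (verdict, findings)
    return decisions


if __name__ == "__main__":
    for user, (verdict, _) in run(SAMPLE_EVENTS).items():
        print(user, verdict)
```

Two points the code makes that the paragraph does not: the Luhn filter is what keeps a monitor like this usable (the fourth record is a 16-digit run that fails the checksum and is allowed), and the log line carries only the masked number, so the monitoring path does not itself copy card data outside the systems that are supposed to hold it. Running with `block_pans=False` turns the same detector into the purely observational mode the article recommends for partner PCs where agents cannot be installed.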

About the author:
Andrew Jaquith is a senior analyst at Forrester Research, where he serves security and risk professionals. He will speak at Forrester's 2010 Security Forum in Boston, Sept. 16 -17. Andrew's colleague, John Kindervag, will speak at the Forum as well on the subject "No More Chewy Centers: The Zero-Trust Model Of Information Security."

View the original article here


Sunday, October 31, 2010

Visa Opens World’s Leading Payments Network to Independent Developers


Visa has announced a number of enhancements to the Authorize.Net Developer Center, a resource that enables "independent developers to create applications supporting electronic payments and related services for major payment networks including VisaNet." The Developer Center builds on Authorize.Net's existing platform, which Visa acquired as part of the purchase of CyberSource earlier this year.

Besides an improved developer program, what's new here is a PCI-friendly card acceptance technique called the Direct Post Method. "Because customer billing data posts directly to Authorize.Net without touching the merchant server, the merchant can retain control over the receipting experience without incurring PCI DSS overhead."
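The property quoted above is easy to state and easy to get wrong: if the browser posts card data straight to the gateway, the merchant server never handles it, but it also no longer controls what the browser sends, so the gateway has to be able to verify that the order parameters came from the merchant. The Python sketch below is an added illustration of that flow and is not Authorize.Net's API or code; the field names, the HMAC-SHA256 fingerprint over the order parameters, the shared secret and the test card number are all assumptions made for the example, and the real protocol's fields and hash differ.

```python
"""Direct-post card acceptance: the browser posts card fields straight to
the gateway; the merchant server only signs the order parameters.
Illustrative only: field names and the HMAC scheme are not a vendor spec."""
import hashlib
import hmac
import secrets
import time

MERCHANT_ID = "merchant-demo"                  # constructed
SHARED_SECRET = b"constructed-shared-secret"   # provisioned out-of-band by the gateway


def fingerprint(merchant_id: str, sequence: str, timestamp: int, amount: str) -> str:
    """HMAC over the order parameters the merchant vouches for."""
    msg = "^".join([merchant_id, sequence, str(timestamp), amount]).encode()
    return hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()


def merchant_build_form(amount: str, now=None) -> dict:
    """Runs on the merchant server. Returns the hidden fields for the checkout
    form. There are deliberately no card fields here: the customer types those
    and the browser posts them directly to the gateway."""
    ts = int(now if now is not None else time.time())
    seq = secrets.token_hex(8)
    return {
        "merchant_id": MERCHANT_ID,
        "sequence": seq,
        "timestamp": str(ts),
        "amount": amount,
        "fingerprint": fingerprint(MERCHANT_ID, seq, ts, amount),
    }


def gateway_process(post: dict, now=None, max_age: int = 900) -> dict:
    """Runs at the gateway. Checks freshness and the merchant fingerprint
    before looking at the card fields, then returns a relay response that
    carries no card data back to the merchant."""
    ts = int(post["timestamp"])
    now = int(now if now is not None else time.time())
    if abs(now - ts) > max_age:
        return {"status": "declined", "reason": "stale request"}
    expected = fingerprint(post["merchant_id"], post["sequence"], ts, post["amount"])
    if not hmac.compare_digest(expected, post["fingerprint"]):
        return {"status": "declined", "reason": "bad fingerprint"}
    pan = post["card_number"].replace(" ", "")
    # A real gateway authorizes the card here; this sketch only shapes the response.
    return {
        "status": "approved",
        "amount": post["amount"],
        "transaction_id": secrets.token_hex(6),
        "card_last4": pan[-4:],   # the merchant only ever sees this much of the PAN
    }


def checkout(amount: str, altered_amount=None) -> dict:
    """End-to-end flow with a fixed clock. If altered_amount is given, the
    hidden amount field is changed in the browser before posting, which is
    exactly the modification the fingerprint check is there to catch."""
    fixed_now = 1288500000
    fields = merchant_build_form(amount, now=fixed_now)
    if altered_amount is not None:
        fields["amount"] = altered_amount
    # The browser adds the card fields (constructed test number) and posts to the gateway.
    post = dict(fields, card_number="4111 1111 1111 1111", card_expiry="12/12")
    return gateway_process(post, now=fixed_now)


if __name__ == "__main__":
    print(checkout("19.95"))
    print(checkout("19.95", altered_amount="0.01"))
```

The relay response is what closes the loop for "retaining control over the receipting experience": the merchant gets back a transaction id, the approved amount and the last four digits, which is enough to render a receipt and reconcile the order, while the full number never enters a system the merchant would otherwise have to bring into PCI DSS scope.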


View the original article here


How Many Aunt Sally Years Does Your Network Have?

If you've been doing PC tech support for your friends or family, you've probably noticed that for some of them, no matter what you do to protect them, they keep getting infected over and over again.

For some people I support, I removed administrative privileges from their account, installed an A/V, an antispyware, made sure Windows Update is active, etc. and still, they keep getting infected.

I'm not talking about people downloading illegal games and cracks, I'm talking about the typical Aunt Sally and Uncle Joe: people who only have a basic understanding of computer security and who know nothing about social engineering, drive-by downloads and the latest Acrobat exploit.

When they see a popup saying their computer is infected, they can't tell the difference between a fake message and a real one, and they click on the "clean up" button. They are normal people and probably behave the same as those working and browsing on your enterprise network.

On average, the people I know will have their computer infected once a year (at least). If we extrapolate to a corporate network of a thousand computers where the machines have an average of three years of age, that makes a whopping 3000 "Aunt Sally/Uncle Joe" years of browsing, receiving emails and using untrusted USB sticks.

Hundreds of bots are available for rent in .mil, .gov and other high value domains. Thousands of strategic systems have been infected with the Stuxnet worm.

Are all of them poorly managed corporate systems? I doubt it. But malware keeps getting past protection mostly because of end user behavior.

Is your network protected any differently, or any better? Probably not.

No matter whether these attacks are targeted Advanced Persistent Threats (APT), linked to a cyberwar, or just simple, generic Zeus/SpyEye infections, the fact is that malware gets installed, is remotely controlled, and the organization is not aware of it.

This is not FUD; it's a fact that our flagship product, ECAT, allows us to verify each time it is used to assess a network.

Governments are starting to be aware of this and are looking for ways to control the situation. The corporate world is further behind and seems to wait for tangible proof before taking action.

For most of them, the only thing they need now to get that proof is to simply take a deep look at their systems' integrity.

Let's hope they won't wait too many more "Aunt Sally" years before they do!

Cross-posted from Silicium Security

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.

View the original article here
