Cohort News

How to stay safe in the ‘Cloud’

December 15, 2011

How to protect your corporate information from hack attacks.

Even the largest corporations have had difficulty defending themselves against targeted data attacks from ‘hacktivist’ groups, highlighting the importance of ensuring sensitive data is kept secure.

With a significant rise in the popularity of cloud-based CRM and other corporate applications, many companies have devolved responsibility for the security of their data to the cloud application’s own user-access controls. This is often insufficient, particularly when a username and password are all that is required to reach critical data.

IT security expert Chris Russell offers some advice on locking down access to cloud applications, so that your business can take advantage of cloud-based services without exposing its data:

1. Ensure users’ credentials are not stored within the application

Storing users’ credentials alongside a cloud-based application is risky: a single successful breach of the provider can expose the digital identities of your entire user base. The way to keep users protected is to retain control of their digital identities within the corporate environment, so that the cloud application defers to the company for authentication rather than holding the credentials itself.

2. Do not rely on usernames and passwords to protect critical data

Many attacks succeed because the attacker only needs to obtain a single username/password combination, whether by guessing it, phishing it or simply stealing it. That puts a company’s data within reach of anyone with little more than basic IT skills.

3. Two-factor authentication should be the minimum standard

Strong authentication adds a further layer of security to a corporate network. Requiring a second factor – something only the authorised user knows, combined with something only they have – means that a stolen password alone is no longer enough, so IT managers can have far greater confidence that anyone accessing the network is the person they claim to be.

4. Authenticating mobile devices is not enough

Increasing numbers of organisations are moving away from legacy hardware-token systems in favour of cheaper and simpler mobile-phone-based options for their two-factor requirements. A number of these solutions send a one-time code to the user’s phone as a text message.

While this is more secure than a username and password alone, the code by itself does not confirm the identity of the user – only that whoever entered it had the phone (or access to its messages) at that moment. For maximum security the user must also supply something only they know, such as a PIN, so that possession of the device is paired with knowledge that someone who merely picked up the phone would not have.
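The following is an added example of the point above, not code from the original article or from Swivel: a server-side check in Go that accepts a login only when a PIN (something the user knows) and a one-time code delivered to their phone (something they have) are both correct. Everything in it is assumed for illustration: the user name and PIN are constructed, SMS delivery is simulated by handing the code back to the caller, and the PIN hashing, the six-digit code format and the five-minute code lifetime are choices made for this example rather than a description of how Swivel’s PINsafe works.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const codeTTL = 5 * time.Minute // assumed lifetime of a delivered one-time code

var errAuthFailed = errors.New("authentication failed") // one error for every failure: never reveal which factor was wrong

// pendingCode is the possession factor: sent out of band, expires, single use.
type pendingCode struct {
	code     string
	issuedAt time.Time
	used     bool
}

// Authenticator keeps the knowledge factor (a keyed hash of each user's PIN,
// held inside the corporate environment) and the code last sent to each phone.
type Authenticator struct {
	serverKey []byte
	pinSalt   map[string][]byte
	pinHash   map[string][]byte
	pending   map[string]*pendingCode
	now       func() time.Time // injectable clock so expiry can be tested
}

func NewAuthenticator(serverKey []byte, now func() time.Time) *Authenticator {
	return &Authenticator{serverKey: serverKey, pinSalt: map[string][]byte{},
		pinHash: map[string][]byte{}, pending: map[string]*pendingCode{}, now: now}
}

// hashPIN is keyed with a server secret: a short PIN has too little entropy
// for a plain salted hash to resist offline guessing if the table leaks.
func hashPIN(serverKey, salt []byte, user, pin string) []byte {
	m := hmac.New(sha256.New, serverKey)
	m.Write(salt)
	m.Write([]byte(user + "\x00" + pin))
	return m.Sum(nil)
}

// Enrol stores only the keyed, salted hash; the PIN itself is discarded.
func (a *Authenticator) Enrol(user, pin string) error {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return err
	}
	a.pinSalt[user] = salt
	a.pinHash[user] = hashPIN(a.serverKey, salt, user, pin)
	return nil
}

// IssueCode draws a random six-digit code and records it as pending. SMS
// delivery is simulated: the code is returned to the caller instead.
func (a *Authenticator) IssueCode(user string) (string, error) {
	var buf [8]byte
	if _, err := rand.Read(buf[:]); err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", binary.BigEndian.Uint64(buf[:])%1000000)
	a.pending[user] = &pendingCode{code: code, issuedAt: a.now()}
	return code, nil
}

// Verify succeeds only when both factors are right: the PIN proves knowledge,
// a fresh unused code proves possession. A correct code with a wrong PIN shows
// only that the phone was present, and is refused.
func (a *Authenticator) Verify(user, pin, code string) error {
	hash, ok := a.pinHash[user]
	if !ok {
		return errAuthFailed
	}
	pinOK := subtle.ConstantTimeCompare(hashPIN(a.serverKey, a.pinSalt[user], user, pin), hash) == 1
	p := a.pending[user]
	codeOK := p != nil && !p.used && a.now().Sub(p.issuedAt) <= codeTTL &&
		subtle.ConstantTimeCompare([]byte(p.code), []byte(code)) == 1
	if p != nil {
		p.used = true // one attempt per delivered code, whatever the outcome
	}
	if !pinOK || !codeOK {
		return errAuthFailed
	}
	return nil
}

func main() {
	a := NewAuthenticator([]byte("constructed-server-key"), time.Now) // real deployments use a random secret
	_ = a.Enrol("alice", "4821")                                      // constructed user and PIN
	code, _ := a.IssueCode("alice")
	fmt.Println("code alone:", a.Verify("alice", "0000", code))
	code, _ = a.IssueCode("alice")
	fmt.Println("PIN and code:", a.Verify("alice", "4821", code))
}
```

Two design choices are worth noting. Every delivered code is burned on the first attempt whether or not the attempt succeeds, so neither factor can be guessed against a live code; and every failure returns the same error, so an attacker who holds the phone cannot tell whether it was the PIN or the code that was rejected. The modulo reduction in IssueCode leaves a bias of roughly one part in ten trillion, which is negligible for a six-digit code.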


LEARN MORE ABOUT SWIVEL SECURE
To learn more about Swivel’s PINsafe two factor authentication platform click here
Alternatively, contact a Swivel sales representative today on 0845 094 8828

Poor Encryption Key Management Leads to Unrecoverable Data, Survey Finds

December 13, 2011

Enterprises are having trouble recovering business information because they are not properly managing their data encryption keys, which effectively locks them out of the critical data they sought to protect, Symantec found in a survey.

Enterprises are using encryption in more places than ever, but they are not properly securing the keys or using consistent products, a recent report found.

Despite using encryption, poor key management and lack of control over the technologies being used can cost the organization an average of $124,965 a year, according to the 2011 Enterprise Encryption Trends Survey report released by Symantec on Nov. 30.

Business groups and employees are often encrypting data on their own without involving the IT department, according to Matthews. While the move to encrypt is a good thing, these unauthorized deployments are a challenge for IT because the data is lost and irretrievable if the employee loses the key, forgets the passphrase or leaves the company without handing over custody of the encryption keys. If IT does not hold the key, it also becomes harder to back up the data properly or to produce the information in response to an e-discovery request, he said.

Rogue projects pose a “recovery issue” for organizations since that’s data the IT department has no control over and if told by the courts to hand over data, the “enterprise can’t really say ‘I can’t,’” Matthews said.


Encryption is the front line of security, but IT employees realise the power of keys

December 12, 2011

IT departments have access to the most sensitive data, even ahead of management and the board.

In a survey of 500 IT security specialists, 65 per cent of respondents acknowledged that IT departments have the easiest access to sensitive data, while data access is restricted for other key staff, including CEOs.

When asked who had the easiest access to their company’s most sensitive data, 30 per cent believed it was the CEO, eight per cent said management, seven per cent the HR department and five per cent the legal team.

Meanwhile, 40 per cent of IT staff admitted that they could ‘hold their employers hostage’, even after leaving for another job, by withholding or hiding encryption keys, making it difficult or impossible for management to access vital data.

However, 24 per cent said that the fear of losing encryption keys was deterring them from investing in encryption technologies. Jeff Hudson, CEO of Venafi, said encryption management has become a big issue for companies worldwide, particularly with encryption being the last line of defence in protecting data against loss or compromise.

“Companies are finding out how important encryption is when they have experienced a huge data breach because they weren’t using encryption, then they find out that when they deploy encryption they have another big problem, and that is managing the encryption keys,” he said.

Read full SC Magazine article here

------------------------------------------------------------
ENTERPRISE KEY AND CERTIFICATE MANAGEMENT [EKCM] SOLUTIONS
------------------------------------------------------------

Designed especially for enterprise environments, Venafi solutions provide automated management for the widest range of digital certificate and encryption key technologies in use today – including digital certificates, SSH keys, and asymmetric and symmetric keys.

Its flagship product, Venafi Encryption Director™, automates the discovery, monitoring, validation, management and security of organisations’ extensive (and expanding) encryption resources – ensuring encryption systems provide the security they are designed to deliver while reducing operational risk and administrative workload.

To find out more about Venafi contact Cohort Technology today on 0845 084 8828 or email venafi@cohorttechnology.com


Why Is Key and Certificate Management Important?

November 21, 2011

The amount of data that enterprises must secure with encryption is growing rapidly, and with it, the number of digital certificates and keys that encrypt the data. This digital-certificate explosion, while necessary, can create management nightmares: Companies must track each and every certificate, and in keeping with best practices, renew each of them as they are set to expire (typically annually). The ability to do this hinges on a critical asset: a comprehensive inventory.

An accurate certificate inventory is also necessary to meet security-compliance requirements: healthcare companies must comply with HIPAA, publicly traded companies with Sarbanes-Oxley, and every company that handles credit cards with the payment card industry’s PCI DSS standard. There are also internal policies and the security regulations of the European Union and other countries, and these are but a few of the regimes with which organizations must comply.

Correctly done, an SSL certificate inventory should include the whereabouts of each certificate, the identity of the certificate authority that signed it, and the identity of the person who is responsible for its care (including this person’s contact information). Such an inventory or certificate population is critical because companies can’t ensure the security of their protected information and system authentication without ensuring the safety and validity of the certificates that secure it, and they can’t ensure the certificates’ safety unless they know where to find them.

While many enterprises contract with external certificate authorities (CAs), often several at once, the inventory task is not as simple as asking each CA for a list of the certificates it manages. A given CA’s list does not include certificates it did not issue, and may not include certificates that administrators bought from that CA individually before the company contracted with it. Nor would such lists cover the self-signed certificates that systems and applications often generate without the IT staff’s knowledge, or important details such as where each certificate is deployed and whether it is active or inactive.

Data centers are typically heterogeneous environments in which several different brands of hardware and software run side-by-side. Likewise, organizations often deploy certificates from heterogeneous sources side by side and may not have a complete list of CAs from which to start the inventory-requesting process. Given all these caveats, it is obvious that companies must supplement the inventories their CAs provide with their own, network-wide certificate-discovery searches.

That said, certificate inventory projects can be daunting. A Fortune 500 technology company that operates in more than 75 countries presented a certificate-inventory case study at the RSA Conference 2011 in San Francisco. Its network consists of 10,000 routers and 20,000 switches, about 10 percent of its workforce telecommutes and, over the course of its history, the company has made more than 100 acquisitions. All of these factors made inventorying certificates a complex process. The company eventually created an internal portal to discover, provision, manage and govern its certificate process.

A network discovery process finds certificates on listening ports, such as 443, the well-known HTTPS port (HTTP carried over SSL/TLS). A secure Web site holds a private key that matches the digital certificate it presents. Discovery involves gathering the network address ranges to sweep and then the list of ports to check on each address. Port 443 is a good place to start, but certificates turn up on many other ports (LDAPS on 636 and application servers on 8443, for example), so a sweep limited to 443 will miss them.

Some X.509 certificates are not discoverable through network ports, including client-side certificates used for mutual authentication on Secure Sockets Layer (SSL)-encrypted connections. Finding these certificates typically requires using a locally installed agent to perform file-system scans on servers and clients.

But technology alone can’t guarantee an accurate inventory. It is important that administrators proactively report all certificates of which they are aware and add these certificates to the inventory. Establishing this human-based process may require education.

Upon completion, companies must analyze their digital certificate populations to determine whether each certificate and associated private key was properly issued, its current status and, most importantly, its expiration date. Companies must initiate the renewal process for any certificate set to expire in less than 30 days. If a certificate is allowed to expire on a production system, clients that validate it will refuse to connect to the site, file share or database it protects, causing downtime, inconvenience to employees, partners and customers, and even costly brand damage. Expiration dates also help identify certificates that have been in service too long: companies should flag and inspect any certificate that has been valid for longer than a year to make sure it deserves to stay active.

Finally, it is important to determine each certificate’s CA, which exposes self-signed certificates and certificates issued by authorities the company has not approved.
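As an added example covering both the discovery sweep described above and the analysis that follows it (expiry within 30 days, validity longer than a year, self-signed certificates), here is a small inventory scanner in Go. It is not Venafi’s code or the case-study company’s portal: the host list, the port list, the thresholds and the constructed self-signed certificate used as sample input are all assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strconv"
	"time"
)

// Thresholds from the article: renew within 30 days of expiry, inspect
// anything that has been valid for more than a year.
const (
	renewWithin = 30 * 24 * time.Hour
	maxValidity = 365 * 24 * time.Hour
)

// CertRecord is one inventory row: where found, who issued it, when it expires.
type CertRecord struct {
	Endpoint, Subject, Issuer string
	NotAfter                  time.Time
	SelfSigned                bool
	Flags                     []string
}

// Inspect builds the inventory record for one certificate as of now.
func Inspect(endpoint string, cert *x509.Certificate, now time.Time) CertRecord {
	rec := CertRecord{Endpoint: endpoint, Subject: cert.Subject.String(),
		Issuer: cert.Issuer.String(), NotAfter: cert.NotAfter}
	// Self-signed: issuer name equals subject AND the signature verifies under
	// the certificate's own key; the name test alone can be forged by an issuer.
	rec.SelfSigned = rec.Subject == rec.Issuer &&
		cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
	if rec.SelfSigned {
		rec.Flags = append(rec.Flags, "SELF_SIGNED")
	}
	switch {
	case now.After(cert.NotAfter):
		rec.Flags = append(rec.Flags, "EXPIRED")
	case cert.NotAfter.Sub(now) < renewWithin:
		rec.Flags = append(rec.Flags, "RENEW_WITHIN_30_DAYS")
	}
	if cert.NotAfter.Sub(cert.NotBefore) > maxValidity {
		rec.Flags = append(rec.Flags, "VALIDITY_OVER_ONE_YEAR")
	}
	return rec
}

// Discover dials each host:port, records the leaf certificate the server
// presents and skips closed or non-TLS ports. Chain verification is off on
// purpose so self-signed and expired certificates are recorded, not refused.
func Discover(hosts []string, ports []int, timeout time.Duration, now time.Time) []CertRecord {
	var found []CertRecord
	dialer := &net.Dialer{Timeout: timeout}
	cfg := &tls.Config{InsecureSkipVerify: true} // inventory only; never reuse for real traffic
	for _, host := range hosts {
		for _, port := range ports {
			endpoint := net.JoinHostPort(host, strconv.Itoa(port))
			conn, err := tls.DialWithDialer(dialer, "tcp", endpoint, cfg)
			if err != nil {
				continue
			}
			certs := conn.ConnectionState().PeerCertificates
			conn.Close()
			if len(certs) > 0 {
				found = append(found, Inspect(endpoint, certs[0], now))
			}
		}
	}
	return found
}

// SelfSignedCert is constructed sample input so the sweep can be exercised
// offline; it stands in for a certificate an application issued itself.
func SelfSignedCert(cn string, notBefore, notAfter time.Time) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore, NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

func main() { // constructed sweep: 443 first, then other ports that commonly carry TLS
	for _, r := range Discover([]string{"127.0.0.1"}, []int{443, 8443, 636}, 2*time.Second, time.Now()) {
		fmt.Printf("%s issuer=%q expires=%s flags=%v\n", r.Endpoint, r.Issuer, r.NotAfter.Format("2006-01-02"), r.Flags)
	}
}
```

Discover deliberately skips chain verification so that expired and self-signed certificates are recorded rather than rejected; the same InsecureSkipVerify setting must never appear in code that carries real traffic. SelfSignedCert exists only to give the sweep something to find offline: serve it from a local tls.Listen and point Discover at that port, and a certificate whose constructed validity window runs from 400 days ago to 10 days ahead comes back flagged SELF_SIGNED, RENEW_WITHIN_30_DAYS and VALIDITY_OVER_ONE_YEAR. The self-signed test checks the signature as well as the names because an issuer can put any string it likes in the issuer field.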

As challenging as the inventory process may be, it’s vital for enterprises to learn as much as possible about the encryption assets running on their networks — to affirm the knowns and discover the unknowns. Without this information, it is impossible to keep valuable and sensitive information secure, meet compliance regulations, and keep networks running efficiently.

To learn more about Venafi, the leader in enterprise key and certificate management, contact Cohort Technology today on 0845 094 8828 or email venafi@cohorttechnology.com

Venafi Appoints Cohort as UK Distributor

September 29, 2011

Venafi, the inventor of and market leader in Enterprise Key and Certificate Management (EKCM) solutions, today announced its strategic partnership with Cohort Technology to distribute EKCM solutions in the United Kingdom.

Together, the companies will extend Venafi’s market leadership to meet the needs of Cohort Technology’s resellers and customers. Designed specifically for enterprise environments, Venafi solutions provide automated management for the widest range of digital–certificate and encryption-key technologies in use today—including digital certificates, Secure Shell (SSH) keys, and asymmetric and symmetric keys.

Cohort managing director Grahame Smee said: “We are delighted to partner with Venafi, the recognised industry leader in the growing EKCM arena. Our customers are heavily dependent on encryption for information security and system authentication. As a result of their growing inventories, these same organisations have certificates and keys strewn throughout their infrastructures, most of which are managed departmentally and in silos.”

Jeff Hudson, chief executive of Venafi, pointed to the frequency of enterprise security breaches “including data breaches, man-in-the-middle attacks and CA compromises”.


Cohort Technology
© 2012 Cohort Technology Ltd  Registered Office: Norton House, Stewart Road, Basingstoke, Hampshire, RG24 8NF  Company Registration Number: 6027516.