Posted by Peter Streips on Sat, Mar 13, 2010 @ 09:08 PM
Today's mobile world has pushed companies to embrace full-system encryption in software. Its value lies in injecting a layer of protection that serves to reduce the risk of data compromise in the event the hardware is lost or stolen. But the secret lies not in how the encryption was implemented but in how the users use the system.
Government regulations including 201 CMR 17 - MA Privacy Act - recognize that encryption is absolutely critical when securing vulnerable data and require you to deploy a certain level of data encryption.
Encryption can be implemented at different levels: at the file, folder, partition or mobile-device level, among others.
Users must enter information to gain access to the encrypted data.
"Full-disk encryption involves encrypting the OS partition on a computer and then booting and running with the system drive at all times."
In the event the computer is lost or stolen, all the data is unreadable without the key, because booting into an encrypted system is possible only by providing a decryption key.
The key comes in different forms. Some keys are:
- Passwords
- USB flash drive with the decryption key
- RSA tokens
- Biometrics
- A combination of the above
If the key itself is lost or stolen, the system administrator can provide some form of key escrow enabling access to the data.
NSG is proud to announce its strategic partnership with Sophos (formerly Utimaco). Sophos provides several options with disk encryption including local and enterprise deployment. NSG will work to determine what type of security coincides with your security policies.
Contact NSG:
Office: 617-337-3007
Phone: 1-866-QUOTE-50
FAX: 1-866-786-8350
Follow us on Twitter at http://twitter.com/NetworkSG
Posted by Peter Streips on Wed, Mar 03, 2010 @ 07:21 PM
There are several definitions for Cloud Computing. Let's take a look at how some of the industry experts define it:
Gartner defines Cloud as "A style of computing where scalable and elastic IT-enabled capabilities are provided as a service to external customers using Internet technologies."
NIST defines it as "A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and service) that can be rapidly provisioned and released with minimal management effort or service provider interaction."
The Cloud today is offered in the following business models:
- Software as a service
- Platform as a service
- Infrastructure as a service
Early adopters recognize that implementing the Cloud is quick and easy, providing businesses the much-needed agility and scalability to grow. In addition, by not incurring significant capital expenditure, companies reap the cost benefits of the Cloud.
But the implementation of the Cloud also raises some questions. Availability of data (on demand and in real time), performance unpredictability and data bottlenecks are but a few of the concerns that face companies.
Here are some best practices to take into account when considering the Cloud:
- Avoid putting sensitive data in the Cloud
- Include your audit and legal teams in the decision
- Demand transparency from your provider
- Apply your initial internal risk assessment and assess all legal/regulatory/audit areas
- Confirm with a certified third party
Posted by Peter Streips on Tue, Feb 23, 2010 @ 06:23 PM
Companies go far and wide to protect all points of access and entry into the network. However, most overlook the fact that some insidious attacks originate from within.
Internal attacks are easy to perpetrate as they override some controls put in place. Login IDs and passwords are provisioned to all internal constituents, enabling employees to penetrate the network infrastructure.
NSG has, in previous blogs, crystallized the importance of network infrastructure protection and articulated the measures that companies should take to protect their network. Today let's look at some of the underlying factors that enable security infractions.
A study by the National Threat Assessment Center of the US Secret Service along with the Software Institute at Carnegie Mellon University highlights the following:
- Most insider events were triggered by a negative event in the workplace
- Most perpetrators had prior disciplinary issues
- Most insider events were planned in advance
- Only 17% of the insider events studied involved individuals with administrator access
- 87% of the attacks used very simple user commands that didn't require any advanced knowledge
- 30% of the incidents took place at the home of the insider using remote access to the organization's network
Network Security Group Inc. along with our Partner Awareness Technologies is proud to present a Webinar on Data Loss Prevention. We will explore the causes that drive intellectual property loss and review the methods that proactively protect your organization.
What: Data Loss Prevention (DLP) - Protecting your Intellectual Property Webinar
When: Thursday, February 25th at 2pm EST
Register Now: https://www1.gotomeeting.com/register/191496129
See you there!
Posted by Peter Streips on Fri, Feb 19, 2010 @ 07:22 PM
Last month NSG posted a blog addressing the issues around storing personal information on the cloud. As a security professional, I noted that Cloud Computing does not come with guarantees, security being the primary concern and one which is currently mandated by State and Federal regulations.
Operation Aurora, the recent highly sophisticated and coordinated hack attack on Google's network, has caused the internet giant to team up with the National Security Agency to investigate the attack in a bid to prevent another assault.
This kind of attack is actually not unheard of. Thousands of companies were attacked over the last few years.
In the Google attack, hackers stole intellectual property, which they presumed to be its source code, and gained access to the Gmail accounts of human rights activists.
Consequently, Google has teamed up with the National Security Agency to investigate the hack attack against it in a bid to prevent another assault.
The agreement between Google and NSA has raised concerns around privacy and even civil rights issues. Even though Google maintains that NSA will not have access to users' searches, e-mails and accounts nor will it (Google) share proprietary data with NSA, concerns still persist.
In response to this agreement, a request seeking NSA communications with Google regarding Google's failure to encrypt Gmail and cloud computing services has been filed.
Avoid a hack attack by connecting with NSG. As a client of NSG, Inc. you will have access to a dedicated support team that will work with your team to ensure comprehensive, tailored solutions for specific business needs that are affordable, effective and reliable from product to service.
Posted by Peter Streips on Mon, Feb 15, 2010 @ 06:15 PM
Network Security Group Inc. along with our Partner Awareness Technologies is pleased to present a Webinar on Data Loss Prevention. We will explore the causes that drive intellectual property loss and review the methods that proactively protect your organization.
What: Data Loss Prevention (DLP) - Protecting your Intellectual Property Webinar
When: February 25th at 2pm EST
Register Now At: https://www1.gotomeeting.com/register/191496129
Data Loss is a term used to refer to any type of data loss, from exposure of sensitive information to information falling into the wrong hands.
Data Loss Prevention is a term that refers to systems that identify, monitor and protect data that is (a) in use, (b) in motion and (c) at rest. The system is designed to detect and prevent unauthorized use and unauthorized transmission of confidential information.
So, how do companies enforce better business practices in the handling of sensitive data?
By taking a holistic approach that ensures robust Installation, Configuration, Performance, Detection, Fingerprinting and Reporting.
Join us as we address the following topics and more:
- Are you confident that your employees are following company policies and procedures?
- How are you ensuring that your corporate assets are being protected against both internal and external threats?
- What would it cost you if an employee lost one laptop?
Learn how by clicking this link to register: https://www1.gotomeeting.com/register/191496129
See you there!
Posted by Peter Streips on Thu, Feb 04, 2010 @ 07:20 PM
Thank you for attending the Commonwealth Privacy Law (201 CMR 17) Webinar hosted by Network Security Group on January 28th at 2pm EST.
The enthusiastic response illustrates the appetite of customers for compliance with the Privacy Law and for establishing a process to ensure a more secure environment.
As a reminder, the key elements of this regulation focus on your duty to:
- Maintain and monitor all records containing Personal Information
- Identify Activities that Constitute Excessive Risk
- Establish a written Information Security Program
As a client of NSG, Inc. you will have access to a dedicated support team that will work with your team to ensure comprehensive, tailored solutions for specific business needs that are affordable, effective and reliable from product to service.
Please contact me for further information or if you have any questions:
Peter Streips
CEO
Network Security Group Inc.
Email: pstreips@nsgroup-inc.com
Posted by Peter Streips on Tue, Jan 26, 2010 @ 07:49 PM
Cloud Computing is increasingly gaining popularity today as companies rush to implement the cloud to expand their technology infrastructure. Gartner defines cloud computing as "a style of computing in which massively scalable IT-related capabilities are provided 'as a service' using Internet technologies to multiple external customers."
Cloud computing typically utilizes significant computing power, a large number of virtual machines distributed throughout the company, large storage farms, and high bandwidth connectivity.
However, as a security professional, I have noted that Cloud Computing does not come with guarantees, security being the primary concern and one which is currently mandated by State and Federal regulations.
So, from a security standpoint, the questions you need to address before storing any personal information on the cloud are as follows:
- What kind of Network and System security standards do we have to meet?
- What are the Personal Information privacy laws? Does our system meet the requirements of the privacy laws defined by many States?
- What are the laws regulating Personal Information if data is sent offshore?
- For Credit Card processing management, do we meet the Credit Card standards (PCI-DSS)?
- How can we guarantee that the data is used only as defined by the law?
- How can we ensure that our virtual machines are kept secure?
- What are our Breach Prevention Management policies?
- What is our backup policy? Are our offsite and offshore protections adequate?
- What are our contractual obligations with regard to offsite and offshore backup?
- What are the data encryption expectations?
Join Network Security Group as we address all the above questions and more at our webinar around the CMR 201 regulation this Thursday, 1/28 at 2pm EST.
Register here: https://www1.gotomeeting.com/register/683177321
Posted by Peter Streips on Wed, Jan 20, 2010 @ 07:25 PM
I am delighted to invite you to the inaugural Network Security Group Inc. Webinar of 2010.
What: Commonwealth Privacy Law (201 CMR 17) Webinar
When: January 28th at 2pm EST
Register Now: https://www1.gotomeeting.com/register/683177321
In today's dynamic marketplace, companies are faced with several types of regulations and have to adhere to different standards of compliance. Mass Gen Law Chapter 93H - Security Breaches is one such regulation, and failure to adhere will only result in fines, fees and penalties.
NSG security engineer, Eric Wickberg, will discuss who is subject to the law, the details of the law, the key components, the requirements and standards for compliance and how NSG can assure your company stays in compliance.
Register now by clicking this link: https://www1.gotomeeting.com/register/683177321
See you there!
Posted by Peter Streips on Thu, Jan 14, 2010 @ 11:06 PM
In my last blog, I looked at the issues that framed 2009. Now, I look forward at the issues that will keep IT/Security Managers awake at night.
All the network security journals, rags and blogs are buzzing about their predictions for top concerns of 2010, from internal threats to conformance of compliance requirements to an effective security strategy, and the list goes on.
Even security gurus are putting their stake in the ground with predictions ranging from identity issues to abandonment of Real ID to self-propagating mobile phone worms and Trojans, and yes, the list goes on.
But I want to hear from you!
What is keeping you up at night? What network threat or security breach are you concerned about?
Also, ask me questions about how to prevent any unforeseeable glitches and breaches.
Posted by Peter Streips on Thu, Jan 07, 2010 @ 07:07 AM
So here we are, at the start of the New Year. But before we move forward, let's look back at the events that framed 2009. It was a year marked by multiple virus, DoS, phishing and password-stealing malware attacks and breaches of security that impacted several companies including Amazon.com, Facebook, Twitter etc.
- Phishing and password-stealing Malware attacks alone affected approximately 31,173 sites
NSG's premier partner ESET introduced NOD32 primarily for such attacks. Customers benefit from its light footprint, fast scanning engine and advanced detection methods that provide effective malware protection without compromising system performance.
To my clients, I stress the importance of sound security practices in addition to an effective malware solution and a secure network infrastructure. Going beyond just infrastructure, it is important to manage behavior that potentially compromises the security of the network. Let me use my favorite analogy to explain this more clearly: "It is like using a mosquito repellent when hiking in the summer; it's a great first line of defense, but you should also wear pants, long sleeves, etc."
I start this blog by inviting you to share your success stories of 2009.
- What challenges did your customers face?
- How did you resolve the situation?
- What is your take on the Phishing and password-stealing Malware attacks?
- All comments, suggestions or questions are encouraged
Let's start this conversation...
Either comment on this blog below or continue the conversation on:
- Follow us on Twitter: http://twitter.com/NetworkSG