Healthcare Industry: In Need of Security Medicine

Published on 10/24/14 01:53PM

Virtualization, Compliance, Vertical Series

As part of an ongoing series, we’re examining the security and compliance needs and challenges in a variety of industries, and the implications for value-added resellers (VARs) and managed services providers (MSPs). In this post, we look at the healthcare sector.

Few industries (financial services being another), have been as scrutinized over data security and privacy issues as healthcare. With the advent of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, hospitals, clinics, private practices, health insurers and others in the industry have had to become super diligent about protecting patient information.

Read More

Financial Services: High-risk security, by the numbers

Published on 10/21/14 02:52PM

Enterprise Security, Compliance, Vertical Series

Our latest addition to the industry-by-industry security analysis series is financial services.

Financial services companies in the U.S. lost an average of $23.6 million from cyber-security breaches in 2013, the highest average loss across 26 industries, according to a report from the Deloitte Center for Financial Services. The study by the consulting firm, entitled "Transforming Cybersecurity: New Approaches for an Evolving Threat Landscape", notes that the growth in cyber-crime has continued, if not accelerated, in the industry.

A huge majority (88%) of the cyber-security attacks against financial services firms are successful in less than one day, the report says. On the other hand, only 21% of the attacks are discovered within a day, and only 40% of the companies involved are able to restore their business within that one-day time frame.

Read More

SSL v3 vulnerability: this POODLE eats secure cookies

Published on 10/15/14 08:11PM

Enterprise Security

What this is:

  • A method to compromise communication encrypted by SSL v3 (meaning: access secure cookies, thereby gaining access to session information)

What this is not:

  • A direct method of compromising endpoints

What is required:

  • A node capable of intercepting traffic between two nodes; a “bump on the wire”

  • The nodes at each end (client and server) are willing to fall-back to SSL v3

Original announcement

Original publication

Read More

SSL v3 Vulnerability - Remedies and What You Can Do

Published on 10/15/14 08:09PM

Enterprise Security

If you are running systems that maintain SSL 3.0 compatibility, you are advised to define a Signaling Cipher Suite Value (SCSV) to prevent unintended protocol downgrades between clients and servers when both parties support a higher version of the protocol.

Disabling fallback to lower protocols is different from operating system to operating system. Here are some guidelines for the most frequently used webservers:

Read More

Shadow IT and Educational Moments

Published on 10/09/14 03:00PM

Cloud Security, DevOps

One of the most serious security challenges for enterprises today is the ease with which users can sidestep IT for the apps and information services they need. The danger is especially high when these employees are also creating and accessing confidential or regulated information. It means this data is sprawling out to apps and clouds that may not have the necessary controls to keep all of this data safe.

What makes this condition worse is that many companies don’t even believe this is going on within their organizations until they are forced to actually see it happening. For instance, just a few weeks ago I was sitting in on a live demo of a network monitoring application at a local company. The CIO there was positive that there was not any “unsanctioned” cloud apps running on their network. I told him I found that hard to believe, but would be impressed if it was so.

Read More

Manufacturing: Big Industry, Big Security Challenges

Published on 10/08/14 03:54PM

Service Provider, Reseller, Compliance, Vertical Series

In this latest installment in our series of profiles on security and compliance issues and challenges in various industries, we take a look at the manufacturing sector.

This industry, particularly if we include consumer goods, presents a broad range of companies. And of course security threats can vary depending on what types of products a company makes.

But in general, companies that make goods and equipment are particularly prone to theft of information about how they produce things, especially for high-priced or high-demand items. Given the growth of business competition worldwide, manufacturers these days should expect to be the target of theft of trade secrets and intellectual property via corporate espionage.

For value-added resellers (VARs) and managed services providers (MSPs), the opportunities to assist clients in this sector are plentiful. For one thing, it’s a huge industry. For another, it has a host of information security concerns.

Read More

Managed Service Providers: drivers for competitive advantages? Part 2

Published on 10/02/14 03:37PM

Service Provider

This is a continuation of my previous blog post which aims to discuss the near future scenario of extreme competition among Managed Services Providers (MSPs).

Differentiation among MSPs will mostly circle around go-to-market areas like marketing, sales and strategic capabilities as technology advantages will not hold for long, given high speed of wide adoption of new technologies.

In Part 1 we covered the Marketing perspective and in this blog post we will cover the Sales perspective and the Strategic perspective.

 From a Sales perspective there is a huge difference between selling boxes and selling services. The second needs a consultative approach for convincing customers to sign a service contract. Consultative selling needs dedicated sales teams for each type of service (e.g. managed and cloud services). Acknowledging the different sales roles (e.g. farmers and hunters) is preferred when dealing with both up-selling and attracting new customers.

Read More

Shellshock is Shocking, According to Shellers

Published on 09/26/14 06:54PM


If you’ve had a few spare moments to peruse the news, and happen to do so with an eye toward IT, you’ll have heard about Shellshock. As with many a vulnerability, there are many questions, and in this post I hope to answer some.

What is the problem?

Bash (Bourne-again Shell) is a command line interpreter packaged with most Unix variants. It’s quite handy for running commands, especially when invoked from scripts. The vulnerability roughly relates to how Bash parses environment variables (used to set the context of commands). The vulnerability allows someone entering environment variables to insert arbitrary code. Instead of just setting the context of execution, Bash executes the injected commands.

Read More

Continuous Security Monitoring in a Continuous World

Published on 09/25/14 04:15PM


In today’s highly virtualized environments, where continuous integration and deployment are the norm - it’s just impossible to manually ensure that both security and regulatory compliance controls are adequate.

With virtualized workloads, apps, and the supporting infrastructure being persistently updated, your enterprise needs automated and constant security checks to be ran in parallel. Gone are the days of running monthly security and regulatory compliance assessments. As continuous integration and deployment pipelines rapidly become the norm, rather than the exception, a fundamental shift in the way enterprises view security is essential.

But where to start the continuous security monitoring? When looking at your environment in its entirety, with an eye toward monitoring everything all of the time, it can appear overwhelming. And the reality is that you can’t start monitoring everything all at once. Choices need to be made about where to start: endpoints, servers, and applications need the most oversight?

Read More

Think like a Dev, act like an Op and harness Security – Part One

Published on 09/24/14 04:54PM

Public Cloud, Cloud Security, DevOps

Creating software is a perpetual journey. Just like relationships, technologies start young and reach maturity over time as they evolve through several phases of completion. Some of them don’t reach adulthood because they’re ahead of their time or simply not practical, while others refuse to go quietly due to their massive popularity in the business world.

Regardless of industry and activity field, truly ground-breaking technologies are designed with a sole intention: to transform the customer experience in ways that no one has done before. With most businesses, however, change doesn’t come naturally, just as habits (good or bad) die-hard in a long-term relationship.

Read More
Evaluating Security Software

Subscribe to our newsletter