Security News

Data Breach Disclosed - 100 Million Credit Cards Compromised - January 20, 2009

Orlando Florida -- A data breach disclosed today by Heartland Payment Systems may well displace TJX Companies' January 2007 breach in the record books as the largest ever involving payment data with potentially over 100 million cards being compromised.

Heartland, a Florida-based provider of credit and debit card processing services, said that unknown intruders had broken into its systems sometime last year and planted malicious software to steal card data carried on the company's networks. The company, which is among the largest payment processors in the country, claimed to have discovered the intrusion only last week, after being alerted by Visa and MasterCard of suspicious activity.

The card companies' alerts triggered a subsequent investigation by "several forensic investigators" during which the intrusion was discovered, Robert Baldwin Jr., Heartland's president and CFO, said in the statement. The company said the intrusion may have been the result of a "widespread global cyberfraud operation".

Heartland claimed that no merchant data, cardholders' Social Security numbers, unencrypted personal identification numbers (PINs), addresses or telephone numbers were compromised.

As with most data breach notifications, Heartland offered no explanations on when it was first informed of the breach by the card companies, when in 2008 the company had been breached, how long the intruders had remained undetected, or how many cards might have been compromised in the intrusion. A company spokeswoman did not immediately respond to requests for comment.

But given that Heartland processes more than 100 million card transactions per month, it is very possible that the number of compromised credit and debit cards is at least that many, if not more, said Avivah Litan, an analyst with Gartner Inc. "It does look like the biggest ever," Litan said. The TJX breach involved the compromise of over 45 million cards.

It also appears that those behind the breach "made off with the gold" by intercepting and stealing the so-called Track 2 data from the magnetic stripe on the back of cards, which is all that's needed to create counterfeit cards, Litan said.

Dan Clements, president of CardCops, an identity protection service of Affinion Group Inc., said that he has noticed activity in underground chat rooms that suggested a major compromise at a processor such as Heartland.

Typically when a card is stolen, crooks first check to see if the cards are still active by using it for some transaction -- often a very small donation to a charitable organization -- to see if it works. This sort of validity check has increased by nearly 20% over the past few months, suggesting a major compromise. But it's not clear yet if it is related to the Heartland breach, Clements said.
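The card-testing pattern Clements describes (many different cards each authorized for a very small amount at one merchant in a short period) is something an issuer or acquirer can look for in its own authorization logs. The following is an added example written for this page, not code from CardCops, Affinion or Sencilo: it reads a constructed sample authorization log and flags any merchant where at least `MIN_DISTINCT_CARDS` distinct cards were each authorized for `SMALL_AMOUNT` or less inside one sliding `WINDOW`. The log format, the $2.00 threshold, the 10-minute window and the 5-card minimum are all assumptions chosen for the example; a real deployment would tune them against its own baseline.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed tuning values for this example (not from the article).
SMALL_AMOUNT = 2.00               # "very small donation" sized authorizations
WINDOW = timedelta(minutes=10)    # sliding window per merchant
MIN_DISTINCT_CARDS = 5            # distinct cards in one window before alerting

# Constructed sample log: ISO timestamp, merchant id, masked card, amount.
# CHARITY-001 sees six different cards each charged about $1 within four
# minutes; SHOP-042 sees ordinary purchase amounts.
SAMPLE_AUTHS = """\
2009-01-15T10:00:05,CHARITY-001,4111******1111,1.00
2009-01-15T10:00:41,CHARITY-001,5500******0004,1.00
2009-01-15T10:01:12,SHOP-042,4111******1111,54.20
2009-01-15T10:01:30,CHARITY-001,3400******0009,1.00
2009-01-15T10:02:02,CHARITY-001,6011******1117,0.50
2009-01-15T10:02:45,CHARITY-001,4111******1112,1.00
2009-01-15T10:03:10,SHOP-042,5500******0005,12.99
2009-01-15T10:03:59,CHARITY-001,3400******0010,1.00
2009-01-15T11:30:00,CHARITY-001,4111******1113,25.00
"""


def parse_auths(text):
    """Parse the CSV-style log into (timestamp, merchant, card, amount) tuples."""
    auths = []
    for line in text.strip().splitlines():
        ts, merchant, card, amount = line.split(",")
        auths.append((datetime.fromisoformat(ts), merchant, card, float(amount)))
    return auths


def detect_card_testing(auths, small_amount=SMALL_AMOUNT, window=WINDOW,
                        min_cards=MIN_DISTINCT_CARDS):
    """Return {merchant: (window_start, distinct_card_count)} for every merchant
    where at least min_cards distinct cards were authorized for small_amount or
    less within one sliding window. The largest window seen per merchant is kept."""
    by_merchant = {}
    for ts, merchant, card, amount in sorted(auths):
        if amount <= small_amount:
            by_merchant.setdefault(merchant, []).append((ts, card))

    flagged = {}
    for merchant, events in by_merchant.items():
        recent = deque()                      # small authorizations inside the window
        for ts, card in events:
            recent.append((ts, card))
            while recent and ts - recent[0][0] > window:
                recent.popleft()              # drop events that fell out of the window
            distinct = {c for _, c in recent}
            if len(distinct) >= min_cards:
                prev = flagged.get(merchant)
                if prev is None or len(distinct) > prev[1]:
                    flagged[merchant] = (recent[0][0], len(distinct))
    return flagged


if __name__ == "__main__":
    for merchant, (start, n) in detect_card_testing(parse_auths(SAMPLE_AUTHS)).items():
        print(f"{merchant}: {n} distinct cards with small authorizations from {start}")
```

Run as-is it reports CHARITY-001 and stays silent on SHOP-042. The per-merchant sliding window is deliberate: a single merchant receiving many small authorizations from many cards is the shape of a validity check, whereas one card making one small donation is normal behavior and should not trip anything.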

The Heartland compromise is the second involving a large payment processor over the past few weeks. On Dec. 23, RBS WorldPay, the payment processing division of The Royal Bank of Scotland Group, announced that its systems had been breached by unknown intruders, resulting in the compromise of personal information belonging to about 1.5 million cardholders. The compromised information included the Social Security numbers of 1.1 million individuals using payroll cards, the company said.

The incidents suggest that cybercrooks are increasingly beginning to target payment processors, Litan said. "Attacking a processor is much more serious than attacking a retailer. A processor sits at the nerve center of the payment process," and processes far more payment card data than any retailer, she said.

"More radical security moves" need to be taken by the payments industry as a whole to address the problem, she added. Such incidents show that the security requirements of the Payment Card Industry Data Security Standard (PCI DSS) being pushed by the major card companies are clearly not enough, Litan added.

For more information please call (407) 265-6293 or visit us at: http://www.sencilo.com/services-penetration.php

About Us

Sencilo Solutions is a Florida-based integrator specializing in Cost Cutting storage, security and managed services solutions. Sencilo delivers a comprehensive portfolio of products from best-of-breed hardware and software from multiple manufacturers including VMware, Data Domain, EMC, Hitachi, Symantec, HDS, IBM, Commvault, Xiotech and HP. Its technical expertise is known throughout the storage and security industry. Clients include leading corporations, major financial institutions, top universities, government facilities, as well as small to medium size businesses. Sencilo's professional services include consulting, integration, project management, storage virtualization installation, maintenance and knowledge transfer.

Sencilo has offices throughout Florida including: Jacksonville, Daytona Beach, Tampa, St. Petersburg, Orlando, Hialeah, St. Augustine, Gainesville, Ocala, Palm Coast, Clearwater, Kissimmee, Lakeland, Maitland and Cape Canaveral.


Penetration Testing and Best Practices - September 16, 2008

Orlando Florida -- Penetration testing is an important means of assessing the strength of an organization’s information security program. A security system may look good from the inside, but a test is an excellent way to determine if it will hold up under pressure. These tests can range from simple port scans to all-out hacking attacks. And since security depends on people, not just on technology, social engineering is another possible tool for use in penetration tests. Deception is a common means of breaching a security system, and a social engineering test can ascertain the strength of policies and how well employees follow those policies.

"However, the use of social engineering in penetration tests raises ethical issues because humans are being used for research purposes," says Brian McCarthy, CEO and well-known security professional at Sencilo Solutions in Lake Mary, Florida. Abuses such as Nazi experiments on prisoners and the Tuskegee Syphilis Study have led to a body of widely accepted guidelines for the ethical use of human subjects in research. I will draw upon human research principles and a few sample cases to identify ethical guidelines for the use of social engineering in penetration testing.

Cases

Piggybacking: A security consultant wearing a suit and tie, and carrying a briefcase, stands at the front entrance to a corporation. He waits for an employee to unlock the door with her ID scan and follows her in.

Shoulder Surfing: A security consultant notices employees standing outside a door smoking on their break. He walks over and mills about looking over his shoulder as employees enter the keypad code to reenter the building. With that information he lets himself in.

Computer Technician: Two security consultants walk into an office wearing “Computer Doctors” jumpsuits. They tell the administrative assistant that they have an order to fix the system. The assistant says, “Mr. Smith did not tell me about this, and he’s on vacation today and can’t be reached.” They reply, “We’re booked for the next two weeks. The system is overheating and could melt down at any moment. If it burns up because we were not allowed to work on it, somebody’s going to get fired. Are you sure you didn’t forget the order?” The assistant nervously lets them in.

Bribery: A security consultant posing as a representative of another company approaches an employee outside of work and offers him $50,000 to get some memos concerning the company’s plans for a new product.

The cases described above have been deliberately ordered from least to most ethically troubling. I would argue that there are morally relevant differences between the shoulder-surfing and piggybacking cases on one hand, and the computer technician and bribery cases on the other. For one, the latter two penetration-testing cases expose the employee being tested to significant psychological stress. The employee in the computer technician example is worried about losing his job, while the one in the bribery example is faced with an offer to do something illegal.

Moreover, the deception in the latter two cases is established by verbal manipulation. Why is this relevant? After all, all cases involve some level of misrepresentation, and we can just as easily misrepresent ourselves with our appearance and actions as we can with our words.

The difference is that when the deception is established verbally, the deceiver is plugging into deep-seated psychological triggers humans use to establish trust with others. Con men are good at playing on these triggers, and while people can be expected to follow procedures, they cannot be expected to resist the kind of psychological manipulation employed by a skilled manipulator. We would say the same thing of an attractive consultant soliciting an executive to see if he would exchange sex for secrets. The enticement is unfair. Moreover, the episode will undermine the employee’s trust in the company.

There is also the question of the professionalism on the part of the consultant when he moves from providing security advice to acting. Once the deceiver starts the charade, he will not know how much acting will be needed to get the employee’s cooperation. At some point the question becomes whether the consultant is measuring the strength of the company’s security policies, or his own acting skills. The consultant has put himself or herself into a compromising situation that could undermine faith in the profession as a whole.

Finally, what is the employer going to do with the employee in the bribery case if he agrees? The employer cannot trust the employee anymore, yet if he fires the employee, he can be accused of entrapment.

The first and most obvious warning is that penetration testing in general is pointless unless the organization has implemented the best available security measures it can manage. Why bother testing security if even a simple vulnerability analysis or common-sense assessment shows gaping holes? A penetration test of obviously flawed security is a waste of time and money.

In a Network World column published in 2000, I pointed out that deception techniques should be used only with a great deal of preparation of the staff. When preparing for a penetration test that involves social engineering, everyone in the organization should be thoroughly trained to understand the techniques of social engineering before beginning the tests.

The key points were as follows (from my article):
* The entire organization can prepare for social engineering simulations as a team; no one is subjected to attempted deception without knowing that the experience is part of a training and awareness exercise.
* Even if someone falls for a trick, the emotional effect is far less than if the same error occurred without preparation.

I think that preparing staff for the onslaught of skilled social engineers has many benefits. We can frame the exercises as a form of game or contest: who will be the best at spotting the confidence tricksters? Who will be quickest to foil their nefarious plans?

Role-playing games are an excellent way of changing beliefs, attitudes and behavior: having staff members take up the roles of social engineer and defender - and then reversing roles - is not only amusing, but it also has a long-term effect on people’s perceptions. It’s much easier to remember a social interaction we’ve experienced personally than to pay attention to abstract words. We can even turn the event into an opportunity for a good deal of fun and laughter, making security and secure behavior a positive experience instead of the usual drudgery.

Moreover, in addition to risk avoidance (reducing the likelihood of hurt feelings, frustration and anger), solid preparation can result in increased vigilance at all times. Once staff members are sensitized to the social engineering tricks they’ve experienced in role-playing games, they are more likely to recognize them in strangers. Having practiced alerting the security team to suspected breaches, they will find it easier to take the initiative later when they spot real breaches.

For more information please call (407) 265-6293 or visit us at: http://www.sencilo.com/services-penetration.php
 


What Cisco isn't telling us about VoIP and data leakage - July 17, 2008

Orlando Florida -- Large software and infrastructure vendors have been pushing companies toward unified communications (UC), but many firms are viewing UC as another avenue for data leakage, according to a recent survey conducted by Black Diamond, Wash.-based Osterman Research Inc.

"Some firms are shopping for data leakage prevention tools as part of their unified communications projects. Many fear that sensitive company data could be difficult to control when email, Voice over Internet Protocol (VoIP) and instant messages meld with collaboration systems, multimedia services and transactional systems," says Brian McCarthy, president and well-known security consultant for Sencilo Solutions, Lake Mary, Florida.

Nearly 50% of respondents are concerned about information leak prevention in their current or planned unified communications implementations, and 23% of those view leak prevention as a top priority, according to an online survey of 109 mid-to-large IT organizations in North America, conducted last month by Osterman Research.

"The major vendors are really pushing that UC message, and I think companies are starting to respond and understand that UC is a good thing, but it creates even more opportunities for data leaks," said Michael Osterman, president and principal analyst at Osterman Research.

The survey was commissioned by Belmont, Calif.-based messaging security vendor FaceTime Communications Inc.

IT pros fear a number of threats posed by melding communications onto one common data network. An attacker can intercept VoIP, instant messaging (IM) and other traffic, or worse, they can conduct a distributed denial-of-service (DDoS) attack by using a VoIP protocol to flood systems with session requests. Others fear an increase in vishing, the VoIP-enabled form of phishing.

But the risk of those forms of attack is minimal, Osterman said. Insider threats from unintentional or accidental leaks pose a greater threat, he said, and the survey suggests that IT organizations are heeding that message. Forty-eight percent of respondents view unintentional or accidental leaks of information by employees as a serious concern, as compared with 31% who named data loss due to malicious software as a serious concern.

Osterman said he's still seeing companies willing to accept the risks involved with UC rather than being proactive by implementing technologies or sound security policies. For example, a consultant couldn't convince a company to implement an email archiving system. The firm decided to pay fines instead.

Companies need to begin with the basics and develop a multi-layer defense strategy, Osterman said. Companies can implement portions of a data leakage prevention system by focusing on the data governing rules outlined by their industry. For example, a merchant can implement a system that monitors all outbound email and IM for 16-digit character strings.
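The merchant control Osterman describes, watching outbound email and IM for 16-digit strings, is easy to sketch but produces noise unless the match is tightened. The example below is added here and is not code from Osterman Research, FaceTime or Sencilo. It finds 16-digit runs (with optional space or dash separators), rejects runs embedded in longer numbers such as order references, keeps only those that pass the Luhn mod-10 check that payment card numbers satisfy, and reports a masked form so the alert itself does not leak the PAN. The message tuples and the scan function are assumptions made for the example; the card numbers in the sample traffic are well-known published test numbers, not real accounts.

```python
import re

# Candidate: 16 digits, optionally separated by single spaces or dashes,
# and not part of a longer digit run (so a 20-digit order number is skipped).
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the 16-digit strings in text that pass Luhn, separators removed."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan):
    """Keep the first 6 and last 4 digits so the alert does not reveal the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_outbound(messages):
    """messages: iterable of (channel, sender, body) tuples (assumed shape).
    Returns one alert per message carrying at least one Luhn-valid card number."""
    alerts = []
    for channel, sender, body in messages:
        pans = find_pans(body)
        if pans:
            alerts.append({"channel": channel, "sender": sender,
                           "pans": [mask_pan(p) for p in pans]})
    return alerts


# Constructed sample traffic. 4111111111111111 and 5555555555554444 are
# published test card numbers; 1234-5678-9012-3456 is 16 digits but fails Luhn.
SAMPLE_MESSAGES = [
    ("email", "alice@example.com",
     "Customer card 4111 1111 1111 1111 for the refund, thanks"),
    ("im", "bob",
     "order ref 20240512000012345678 shipped, tracking to follow"),
    ("im", "carol",
     "random id 1234-5678-9012-3456 is not a card"),
    ("email", "dave@example.com",
     "two cards on file: 5555555555554444 and 4111-1111-1111-1111"),
    ("im", "erin", "call me on 407-265-6293"),
]

if __name__ == "__main__":
    for alert in scan_outbound(SAMPLE_MESSAGES):
        print(alert)
```

On the sample traffic only Alice's and Dave's messages are reported; Bob's 20-digit order reference, Carol's Luhn-invalid string and Erin's phone number pass through. The Luhn filter is what keeps a rule like this usable: a bare "any 16 digits" rule fires on tracking numbers and invoice ids and gets switched off within a week.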

"We're starting to find organizations that are at least thinking about the issues, but there are a lot of companies that don't realize the negative ramifications of what they're doing," he said.

For more information please call (407) 265-6293 or visit us at: http://www.sencilo.com/security-compliance-management.php
 

University of Utah lost 2.2 million Health Care and Social Security Records - June 26, 2008

Courier violated protocol, taking data home instead of directly to off-site storage facility  

Orlando Florida -- University of Utah officials this week acknowledged that a metal box of backup tapes containing billing records of some 2.2 million patients was stolen early this month from the car of a courier who had left the car parked overnight outside his home.

The missing tapes were taken on June 2 from the car of an employee of Perpetual Storage Inc., an independent storage company hired by the university to transport its computer tapes to off-site facilities, said school officials. The tapes contained names, demographic information and Social Security numbers of patients of the University of Utah Hospitals & Clinics.

The health care system has suspended all backup tape deliveries to Perpetual Storage pending a full review of the company's protocols and procedures, said a university spokeswoman.

The spokeswoman confirmed that Perpetual Storage fired the individual involved with the data breach for violating company data security transportation protocols. The driver had been employed by Perpetual Storage for 18 years, she said.

The spokeswoman said the driver informed his employer immediately upon discovering that the tapes were lost. Perpetual Storage informed the University of Utah Hospitals & Clinics officials within 24 hours of the breach, she added.

Perpetual Storage did not immediately return calls by Computerworld seeking comment.

The university spokeswoman declined to say whether any of the missing data storage tapes were encrypted.

Lorris Betz, senior vice president for health sciences and CEO of University of Utah Health & Clinics, said in a posted alert that it's unlikely that any information on the backup tapes will be exposed to thieves. "Although it is unlikely that information on the tapes will be compromised, we are nevertheless taking aggressive steps to protect our patients' confidentiality," Betz said in the post. "Not true," says Brian McCarthy, president of Sencilo Solutions and well-known speaker on backup and security, "if their tapes do not contain encryption, anyone with a tape drive can read the files."

The university plans to mail notification letters to all patients whose data was held on the stolen tapes and offer them free credit-monitoring services. The missing tapes did not hold any credit card information, noted school officials.

The university is offering a reward of $1,000 for the return of the stolen tapes with "no questions asked." The Salt Lake County Sheriff's Department, the FBI and U.S. Postal Service are investigating the theft.

For more information please call (407) 265-6293 or visit us at: http://www.sencilo.com/security-compliance-management.php
 


Where will it end? PCI compliance now extends to POS car washes, quick lubes - June 17, 2008

When Innive Systems, Inc., began integrating credit card clearing into its point-of-sale systems for car washes by connecting to a credit card clearinghouse over the Internet, executives at the company knew they had to do something to protect the machines.


At first, they advised their customers to install antivirus software. But over time, it became clear the customers weren't heeding their advice: Support calls soared as machines became infected with viruses and other malware. The outbreaks would prevent the vendor's POS applications, which are integrated with the car wash tunnel operations, from running and disrupt business. Support technicians spent hours cleaning up customers' systems.


"It really led us to look at the fact that they weren't being proactive in protecting themselves, so we had to look for a solution," said Joe Jennings, network administrator at Daytona Beach, Florida-based Innive Systems.


The company began looking for software that would work with its application and provide affordable protection for its customers. Jennings and his team put seven antivirus products to the test on a POS system. They threw viruses and spyware at each, and looked at how fast they allowed the Innive Systems application to run.


"We went through the entire gamut with each one," Jennings said.


In the POS world, anything that slows down the ability to produce a receipt is unacceptable, he explained. "You don't want customers standing there waiting for anything." In that respect, Barracuda Antivirus stood out from the others. With it, a receipt popped out in less than half a second. CA's antivirus caused the longest lag at 20 seconds, Jennings said.


Jennings and his team also liked Barracuda's proactive capabilities in blocking malware, its integrated anti-spyware protection, Eset's automatic updates, and its low price. The initial plan was to resell the antivirus protection to customers, but with the PCI Data Security Standard becoming a concern, the company's president decided that it needed to be included with every POS system, Jennings said.


By including the antivirus protection with its systems, Innive Systems is helping its customers at nearly 3,000 car wash and quick lube locations comply with the PCI standard, Jennings said. Barracuda, which is installed with the POS server in active scanning mode for real-time protection, prevents viruses, Trojans or other malware from reading or extracting any of the data flowing from the POS device and server to the credit card clearinghouse, he said. No credit card data is stored on the POS device or server, he added.


The need to secure POS systems was highlighted in the recent indictment of three men on charges of hacking into computer systems at 11 Dave & Buster's restaurants and stealing credit and debit card numbers. The trio allegedly gained unauthorized access to the POS servers at each restaurant and installed packet sniffers designed to capture credit card data.


Security expert Brian McCarthy of Sencilo Solutions in Longwood, Florida has said "a common security problem at retail locations is POS systems that are managed by third parties via unsecured remote access systems that often use blank or default passwords."


In addition to providing antivirus protection with its POS solutions, Innive Systems ships to each customer a router that's configured securely, without any standard open ports. And even before PCI compliance became an issue, the company realized it needed to replace its remote support solution for managing client machines with a more secure system, Jennings said. It chose the Bomgar Box, which he described as a secure, encrypted point-to-point system; no standard passwords are used and Jennings requires frequent password changes for employees.


In addition, Innive Systems is working to get its software validated under the new Payment Application Data Security Standard. PA-DSS is based largely on Visa's Payment Application Best Practices (PABP) program.


Since the vendor started shipping every system with Barracuda, calls to its support team about viruses and other problems have dropped tremendously, Jennings said. The company also replaced its Symantec and Webroot Software antivirus products with antivirus on its corporate network.


For more information please call (407) 265-6293 or visit us at: http://www.sencilo.com/security-compliance-management.php



CEO fired after major data loss! - June 7, 2008

The practice of sending across the country unencrypted, CD-based files on millions of child benefit claimants could have continued indefinitely if the discs hadn't gone missing, we have learned.

Orlando Florida -- Seven months before the CDs went missing, HM Revenue and Customs had already established a practice of transferring onto CD, for despatch by post, insecure, though password-protected, files on millions of child benefit claimants.

The lost discs contained details of all child benefit recipients: records for 25 million individuals and more than seven million families.

The records included parental names, addresses, dates of birth, child benefit and national insurance numbers and, where relevant, bank or building society details. Paul Gray, the chairman of HM Revenue and Customs, has resigned because of the incident. It is not uncommon to see CXOs asked to resign because of data lost on their watch; after all, it's the CXO who signs or cuts the IT budget, says Brian McCarthy, president and well-known security consultant for Sencilo Solutions, based in Orlando, Florida.

The practice of transferring all of the child benefit data onto CDs began in March this year after HMRC's auditor, the National Audit Office (NAO), ceased to accept sample records for its audit of the department's accounts.

In the past officials at the Department for Work and Pensions had selected sample child benefit files and passed these to the NAO whose auditors checked for possible fraud and error.

But in March this year, for an audit of HM Revenue and Customs's 2006/7 Resource Accounts, the NAO, to do a more robustly independent check on the child benefit data, requested a full copy of the details of claimants, not merely a part of the data that had been selected by the department.

Though HMRC does have rules on handling sensitive data, it is unclear whether it had specific, established procedures for handling the request of the National Audit Office.

Aware that the files on child benefit claimants were sensitive, the NAO in March 2007 asked that HMRC filter the information before sending it to the audit office. The National Audit Office asked for the child benefit records to be stripped of details of the parents, addresses and bank information, which McCarthy states is a best practice here in the States. 

HM Revenue and Customs replied that it could not do this - its systems were not sufficiently flexible. It explained it could download only the whole of the information. So it sent to the NAO, by courier-post, all of the details of parents and children, including some bank account details. Not true, states McCarthy: there are disk-based encryption appliances on the market today which can protect anything from a USB hard drive to tapes; HM has its head in the sand.

That was when the insecure practice began of HMRC sending unencrypted files to the National Audit Office. No alarm bells were raised over the practice in March 2007.

It appears that it was thought easier to send the claimant files on CD than to send them electronically. This raises questions about whether government departments are routinely sending CDs with sensitive data around the country, thus avoiding the technical challenges and security restrictions of exchanging files electronically. Easier? How is a manual process, plus the cost of mailing a disc, easier?

So in March 2007 HM Revenue and Customs transferred the child benefit data onto CDs and sent them by courier-post from Washington, Tyne and Wear, to the National Audit Office which is near Victoria Station in London. They arrived safely - and the practice became established.

The data was sent to the NAO only partially formatted. It had to be loaded on the National Audit Office's mainframe systems before it could be manipulated.

In October this year, when the NAO wanted to do an audit of HMRC's 2007/08 Resource Accounts, it again asked the department for its child benefit data.

The sequence of events:

2 October 2007: The NAO formally asks HM Revenue and Customs for files on child benefit claimants.

18 October: HMRC tells the NAO that the CDs have been sent

24 October: The NAO informs HMRC that the discs have not arrived. The NAO asks for a second set to be sent - it needs them urgently to ensure an audit of HMRC's accounts is not delayed.

25 October: The NAO confirms receipt of the second set of discs. Its staff point out that the first set has still not arrived.

5 November: HM Revenue and Customs confirms that the first set of CDs is still missing.

8 November: The NAO begins a search for the missing CDs and the loss of the data is raised formally as a security incident. It is only at this point that HMRC's senior management is informed - but not the Chancellor of the Exchequer Alistair Darling who is responsible for HMRC.

10 November: HMRC with the cooperation of the NAO begins a search for the CDs at the offices of the audit office at Victoria. The NAO has no record of having received the first set of CDs. Only now is Alistair Darling, the chancellor, informed.

11 November: HM Revenue and Customs and the police search the NAO's offices. Nothing is found.

20 November: Alistair Darling makes a statement to the House of Commons on the missing discs and Paul Gray, the chairman of HMRC resigns.

21 November: HM Revenue and Customs issues an apology.

For more information please call (407) 265-6293 or visit us at: http://www.sencilo.com/security-compliance-management.php

About Us

Sencilo Solutions is a Florida-based integrator specializing in storage, security and networking solutions. Sencilo delivers a comprehensive portfolio of products from best-of-breed hardware and software from multiple manufacturers including VMware, EMC, NetApp, Juniper Networks, Hitachi, Symantec, Barracuda Networks, and HP.

Its technical expertise is known throughout the storage and security industry. Clients include leading corporations, major financial institutions, top universities, government facilities, as well as small to medium size businesses.

Sencilo's professional services include consulting, integration, project management, installation, maintenance and knowledge transfer.

Sencilo has offices throughout Florida including: Jacksonville, Miami, Tampa, St. Petersburg, Orlando, Hialeah, Fort Lauderdale, Tallahassee, Cape Coral, and Pembroke Pines.

Key words: Barracuda Networks Security RSA Encryption Cisco Decru Neoscale EMC NetApp HP IBM Quantum Compliance VTL Data Domain vs Gartner Magic Quadrant SSL SonicWall Secure Computing Firewall VPN Endpoint DLP Tumbleweed Ironmail Ironport Secure Computing compare data leakage enVision Data Loss Prevention Encryption and Key Management


Stolen data ending up in Google cache, say researchers - May 31, 2008

Orlando Florida -- The Finjan security researchers, who uncovered several unprotected hacker servers containing the sensitive email and Web-based data of thousands of people, demonstrated how easy it is to find the data using Google.

By using a simple string of search terms the researchers were able to find stolen passwords and usernames, Social Security numbers, and even the usernames and passwords of internal databases of companies all stored in Google's public caching server.

Google returns the results based on log files available on the unprotected servers. The servers stored stolen data collected by Trojan horses running on infected end-user PCs, Ayelet Heyman, a researcher at Finjan's Malicious Code Research Center, said on the center's blog. It's not that hard to protect these assets, says Security Consultant Brian McCarthy of Sencilo Solutions. Sencilo can provide both security services that can true up open areas and products to close and protect your company information.

"Google just indexed these log files as they do with any other public file on the Web," Heyman said. "It's not a hoax as some people wrote; it's 100% harsh reality."

It's not the first time the search engine giant was used to uncover sensitive data or common security flaws in websites. Penetration tester Johnny Long was the first to make headlines explaining ways to turn Google into a malicious tool. Long's website has a Google hacking database. Tom Bowers, managing director of Allentown, Pa.-based Security Constructs LLC has also warned that IT professionals must learn how hackers use search engine queries to ensure sensitive data doesn't end up on the public caching servers.

Heyman urged people not to blame Google for caching the stolen information. Google indexed the log files on the server as it does with any other public file its crawlers find on the Web, Heyman said. McCarthy goes on record and says Finjan and Heyman are nuts to cast the blame on Google, or any other search engine company.

In April, Finjan announced that it had discovered an unprotected server and others used as a drop site for the AdPack exploit toolkit. The server wasn't encrypted and no authentication was used to access it.

Yuval Ben-Itzhak, Finjan's chief technology officer, said more and more stolen data is turning up on popular search engine caching servers. The increase in sensitive data on search engine servers is likely due to the easy availability of crimeware toolkits such as NeoSploit, MPack, and AdPack. The toolkits make it easy for a novice to quickly find an unused server and begin stealing data. 

"The whole idea for selling these toolkits is to provide to people who are not security experts and do not have a computer science background," Ben-Itzhak said. The management features enable the criminal to use social engineering tactics and target a country or IP, or even by log types, he said.   http://www.sencilo.com/security-web-application-controllers.php

The researchers discovered sensitive information from Microsoft Outlook accounts including mail and personal folders, calendar, public folders and contacts. A mountain of healthcare information was also discovered, including personal data, health data, treatment, medications, insurance details, Social Security Numbers, and healthcare providers' data, including the physician's name. Banking data, including credit card numbers and account login numbers were also discovered on the server.

Businesses are also not immune. A large chunk of business data was discovered, including network folders and business contacts. Personnel files and business files marked confidential were also stolen using a Trojan. One message revealed details about an upcoming court case, while a few others contained business financial data such as invoice information.

The Finjan researchers said they notified more than 40 major international financial institutions located in the United States, Europe and India whose customers were compromised as well as various law enforcement agencies.



State Street's lack of security policies to blame for the loss of 45,000 Social Security Numbers - May 31, 2008

Jacksonville Florida -- State Street Corp. is the latest firm to acknowledge a data breach, after a contractor hired to conduct data analysis lost a disk drive containing the personal information of 5,500 employees and 40,000 customer accounts.

State Street disclosed the information on its website four months after it learned of the problem. The financial services firm said Thursday that it began notifying employees and customers of the former Investors Bank & Trust Company, which it acquired in 2007. 

"As a precaution, State Street is notifying legacy IBT employees and certain legacy IBT customers that have been identified as having certain personal data on the stolen equipment," the firm said in a statement.

IBT contracted out a legal support service to review its electronic records and compile data for federal regulators as part of the acquisition in 2007. The data was initially encrypted, but State Street said the vendor unencrypted the information when it loaded the data onto computer equipment, which was stolen from its facility.

The information included individuals' names, addresses, dates of birth, and Social Security numbers.

State Street said it notified state and federal law enforcement, which is conducting an investigation. The firm said it took several months to reconstruct and analyze a copy of the data stored on the stolen equipment. So far State Street customers and employees are not affected by the breach. State Street said it would be offering free to the victims that its analysis indicates may be affected.

The loss of disk drives and tapes is prompting more businesses to encrypt data at rest, said Scott Crawford, an analyst with Boulder, Colo.-based Enterprise Management Associates. 

In the State Street breach, the vendor handling the data unencrypted the information to conduct its analysis, but never encrypted it again. It happens often and companies sometimes fall prey to a false sense of security when deploying encryption. Ultimately the data is going to be accessed and sometimes another instance of the data is made that goes unencrypted, experts say. 

"The devil is in the details of implementation with crypto, where a poor implementation of a good algorithm gives a false sense of security and it's potentially worse than not using encryption at all," Crawford said. "Even when experts are involved, the processes can be a killer." 

What technology can do ends at how effective it is in managing or enforcing how people actually work with the data, Crawford said. Banks and financial services firms must comply with Basel II regulations, which address operational risk management.

"Financial services have more motivation to be more thorough in managing operational risk, including risks posed by business partners," Crawford said.

Firms should have a centralized vendor management process in place that takes into account risk factors and be continually assessed to determine if the vendor is meeting the security requirements, said Ramon Krikken, a research analyst at Midvale, Utah-based Burton Group.

"Financial institutions are relatively quickly catching up with whole vendor management issue, but security has been an afterthought with vendor management," Krikken said.

Vendor evaluation should include assigning a risk score based on the sensitivity of the outsourced process. Vendor contracts should cover security issues and safeguards based on the risk factors assigned to the data, he said.

"It all comes down to having solid vendor due diligence, an area getting an increasing amount of attention," Krikken said. 



Dave & Buster's data thieves will be prosecuted by US Department of Justice - May 14, 2008

Orlando Florida - The United States Department of Justice has charged and intends to prosecute individuals responsible for the theft of credit and debit card numbers from 11 Dave & Buster's Inc. locations, including the ones in Miami, Jacksonville and Orlando.

The thefts occurred from May to August of 2007. Although the stolen data was never retained or stored by Dave & Buster's, the data was illegally accessed from the Dave & Buster's computer systems during the card verification and transmission process. No personal information -- such as names, addresses, phone numbers, bank account numbers, PINs, or Social Security numbers -- was stolen.

The other stores involved are in Westminster, Colo.; Islandia and West Nyack, N.Y.; Utica, Mich.; Chicago; Columbus, Ohio; and Frisco, Dallas and Austin, Texas.

Dave & Buster's was alerted to the potential data intrusion in late August 2007. The company worked with both the Secret Service and Department of Justice and assisted them in the investigation. In addition, Dave & Buster's retained outside security experts who identified the source of the data compromise. As a result the company has implemented additional security measures to prevent such incidents from occurring in the future.

"As soon as we became aware of the breach in August 2007, we took steps to secure our systems and remain confident that they are safe today," said CEO Steve King.

Dallas-based Dave & Busters operates 50 restaurant/entertainment complexes in 19 states and in Canada and Mexico.



RSA, the Security Division of EMC, Delivers Standards-Based Approach to Help Simplify Compliance - May 6, 2008

Orlando Florida -- RSA, The Security Division of EMC, today announced the findings of a new research paper that details the benefits organizations may gain -- including reduced costs and improved security -- by implementing a standards-based framework of security controls. The paper also details the ability of comprehensive security frameworks to help companies more easily comply with a variety of security requirements handed down by regulatory bodies, industry groups, partners, customers and internal policies. In addition, RSA announced new reports within the RSA enVision(R) security information and event management solution that are designed to enable organizations to more easily report on key aspects of the ISO 27002 standard -- a global code of practice for information security management which is useful in defining an effective set of best practice security controls as part of a compliance framework.


In March 2008, RSA commissioned Michael Rasmussen, industry analyst and President of Corporate Integrity, to undertake a research paper based on what it means to develop a "sustainable and cost-effective IT compliance program." The key findings of this project are that the typical approach to compliance -- responding on a regulation-by-regulation basis without an integrated IT compliance management program -- escalates costs, reduces visibility of the control environment overall, wastes resources, and leads to unnecessary complexity, inflexibility, vulnerability and exposure.


"A proactive approach to IT compliance allows organizations to look confidently to the future while also mitigating risk in the course of business," said Mr. Rasmussen. "An effective IT compliance program should be centered on a comprehensive framework, based on industry-wide standards -- such as ISO 27002."


Security Frameworks-Based Programs to Simplify IT Compliance


As organizations worldwide struggle both to comply with a plethora of compliance requirements and to improve enterprise-wide security, a framework-based approach founded upon best practices and controls helps customers to build a proactive security program that may effectively break down the walls that often isolate organizational compliance silos. By driving compliance holistically, rather than on a requirement-by-requirement basis, companies may reduce costs by both avoiding redundant technology controls and easing the process of managing compliance. In addition, leveraging international standards such as ISO 27002 as the foundation of an IT security and compliance program helps organizations align efforts to comply with key portions of many global regulations, including: the Payment Card Industry (PCI) Data Security Standard (DSS), HIPAA, Sarbanes-Oxley, the European Union's Data Protection requirements and regional data privacy laws.


"Our forward-thinking customers are using framework-based security and compliance programs to cost-effectively satisfy multiple requirements and manage information risk," said Steven Preston, Senior Director, Solutions Marketing at RSA, The Security Division of EMC. "This goal can be achieved through the application of a consistent, holistic set of repeatable, scalable, enterprise-wide controls, which are centered upon recognized IT security best practices."


RSA Solutions to Establish Security Frameworks for Simplified Compliance


RSA's portfolio of technology solutions offers key security controls that help organizations establish frameworks based upon global best practices and standards. Key controls delivered by RSA's solutions include:


New Reporting Capabilities Within the RSA enVision Platform for ISO 27002-based Security and Compliance Programs


The RSA enVision platform is designed to offer a comprehensive suite of out-of-the box reports, which help enable organizations to effectively monitor their ISO 27002-based security and compliance program. These reports are prepared to align directly with the ISO 27002 standard, and help enable organizations to effectively demonstrate compliance with critical areas of the specification. Reports within RSA enVision platform related to ISO 27002 focus on areas such as computer account logon activity, computer account status, control of collected evidence, control of human resources data, malicious software activity, password changes and expirations and source code access.


Information Security Services to support Framework-based Compliance Initiatives


In addition to delivering a broad range of security controls, various EMC information-centric security consulting services -- leveraging solutions from RSA -- help enable organizations to effectively enact framework-based compliance programs.


For more information please call (407) 265-6293 or visit us at: http://www.sencilo.com/security-web-application-controllers.php

