TECH Rx: Technology and health care

The move to electronic medical records presents challenges, but tech solutions offer help for health care practitioners, reports Greg Masters.

Data breach defense: Response ability

When a breach occurs, customers expect more than an apology, says Bob Maley, Pennsylvania's CISO. Dan Kaplan reports.

HIPAA: Getting in tune

The heat has been turned up for those charged with bringing their institutions into HIPAA compliance, reports Greg Masters.

IT-GRC: Agiliance

And so we reach the end of this year's batch of innovators. But, as we look at this subcategory, we find that it wraps the whole shebang into a neat package, defining what needs to be done to secure the enterprise (and prove it) and why.

Policy management: LanDesk (Avocent)

All of us old-timers remember LanDesk from its days as part of Intel. It always was a solid suite of products. Now that it is part of Avocent, its promise as a hybrid of network and security policy management is being realized. The notion of managing the desktop and evolving that into security policy management makes a lot of sense.

Content management: Finjan

The views of the visionary I spoke with from this veteran anti-malware company took the conversation in directions I had not expected. He started out by asking, "Why, if I have done everything I can to secure my enterprise, is my data still being compromised?"

Data leakage/extrusion prevention: Trend Micro

I don't recall the first time I heard the term "extrusion prevention system." It was, I think, an effort on the part of some marketer to tie the notion of preventing data from unauthorized exit (extrusion) from the enterprise to the notion of unauthorized entry (intrusion). Very clever.

Encryption: PGP

No matter how much things change, they stay the same. As I have pointed out, there have been massive changes in security drivers over the past 12 months. The changes have generated a new set of challenges, but, even though our encryption innovator has done a first-rate job of addressing them over the past year, the new issues are generating a sort of déjà vu picture of the encryption market.

Email security: Tumbleweed Communications (Axway)

The big question I had for Tumbleweed was, "What is email security?" Over the past two years, as we have passed products through SC Labs, I have noticed that the vendor public relations folks who we talk to seem to have a hard time differentiating between the many aspects of threats associated with email.

Wireless Security: AirMagnet

Wireless, is it? Everything is going wireless - well almost everything. That, in itself, poses a challenge for a wireless security company, such as this innovator. It also offers big opportunities and AirMagnet has identified and addressed them.

IPS: Top Layer Security

If you thought the UTM market was crowded, take a look at the intrusion prevention systems (IPS) market. We bluntly asked our innovator in this product space why they thought that they were innovators in such a commoditized market. The answer was immediate and unambiguous: "When a product category becomes mainstream, there are big opportunities, but you must innovate to take advantage of them."

UTM: Global DataGuard

Sometimes a different approach is needed. The notion of the UTM was developed from the need to consolidate point solutions. Point solutions have a lot of problems, of course: they cost more to buy and manage, they use more power, and they need a sophisticated staff to manage them.

Forensic tools: Mandiant

Sometimes you run across a company that just deserves to be selected as an innovator. You look them over and wonder why you didn't pick up on them before. Mandiant is one of those companies. There is a reason, of course. Mandiant started as a services company providing forensics, litigation support and incident response. So if you were in the product purchasing mood, you would not have run across these folks.

SIEM: ArcSight

ArcSight gets a lot of play among security experts in the security event management (SEM)/security information management (SIM) game.

Threat analysis: NitroSecurity

How do you differentiate a product that keeps getting mixed up with a commoditized market, but really doesn't belong there? What differentiators do you look for that can keep you from being included in a herd where you don't belong?

Penetration testing: Core Security

I just love these folks. Take the best open source pen testing tool you can think of, put it on steroids, give it a user interface that makes it simple and fast to pen test in a production environment without losing the granularity of manual testing if you need it, and you have Core Impact. Well, almost. Every year I say that I am going to find a better tool, and I actually do comb the market -- unsuccessfully.

Vulnerability analysis: Mu Dynamics

When your price starts at $50,000 and you are unique in your marketplace, you'd better have a good product. For Mu Dynamics, that is just where the story starts. When I first met the Mu folks, they were Mu Security. A new name later, they still are the innovators they were a couple of years ago. My conversation with a Mu visionary was an eye-opener.

Access management: AppGate Network Security

This Swedish company will, I predict, set the benchmark here in the United States for how access to applications should be controlled. AppGate has helped shape the direction of network infrastructure security in Europe for some years, and now this innovator is bringing its unique thoughts to the States.

Multifactor authentication: TriCipher

What sets these guys apart from the multifactor herd? In a word, vision. From the start, TriCipher has had the vision of evolving into a full identity management provider. That is a pretty heady ambition for a developer of multifactor authentication tools. So how does this innovator plan to make the trip from providing a piece of the puzzle to offering the whole thing, already assembled, framed and hung on the wall?

Identity management: Fischer International

Start with the recognition that identity management is just too hard to do, create a solution for that problem and then morph it into a successful service and you have the recipe for a real innovator.

Credential management: Passlogix

Here is another vendor that we see a lot of in our labs. Passlogix knows who it is and concentrates on doing what it does as well as it can be done. And what they do is credential management.

NAC: Bradford Networks

Bradford Networks is no stranger to these pages. An innovator from last year, Bradford has been reviewed a number of times over the years, always doing well. This year we asked them how well their crystal ball last year worked as 2008 unfolded.

Into the breach

The inaugural SC World Congress takes place December 9-10 in New York City's Javits Convention Center.

Patching a sick health care system

As older generations of non-networked health care machines get replaced with 'smarter' network-integrated versions, the proliferation of embedded operating systems will grow.

Unified GRC: Replacing a piecemeal response to compliance

Though compliance regulations are inherently complex, broad and confusing in scope, addressing them can be simplified by uniting three previously independent corporate silos - governance, risk, and compliance - into one comprehensive automated technical platform known as IT GRC.

Vulnerability management: weathering the storm

John Penrod, CISO of The Weather Channel, discusses how the IT pro can manage business risk.

Survey 2008: Guarding against a data breach

Information security pros are increasingly confronted by cybercriminals trawling their corporate networks for customers' private data. More than 80 percent of the respondents to the SC Magazine/MXI Security survey say guarding against data breaches is the focus of current security initiatives, reports SC Magazine Editor-In-Chief Illena Armstrong.

Product section: Managing access - first line of enterprise defense

Welcome to the first Group Test reviews of 2008. Appropriately, we start this year with two important groups: identity management and multifactor authentication products.

Look ahead: Search for pioneers

On the hunt for more innovative solutions to holistically safeguard organizations' growing networks, Peter Stephenson pinpoints the product categories and solutions you might consider next year.

IT Security Reboot 2007

The end of yet another year sees in this final 2007 edition of SC Magazine our annual roundup of top thinkers, interesting happenings, business developments and criminal acts.

Roundup 2007: The year's top fives

The top cybersecurity events of the year.

Roundup 2007: Gazing into the crystal ball

We handed out crystal balls to several analysts, consultants, professors and CSOs and asked them to answer questions about next year.

Product section: Our 2007 industry innovators

This is a very special issue to me and the team at SC Labs because it is based on a year of seeing the good and the not so good. We actually saw almost no bad products, so it was a pretty good year overall. It is special for you because it helps answer the question, "If we are going to buy security tools in the next 12 to 18 months, what should we be looking at?"

Product section: Meeting the challenge of managing access

Access control is the order of the day for this issue. All of our reviews focus on aspects of access control and management. This, of course, is a key aspect of enforcing the security of the enterprise. We address the topic with two First Looks and two Group Test reviews.

News briefs

Harry hack

A hacker named Gabriel claimed to have breached the networks of the UK's Bloomsbury Publishing, uncovering the ending of Harry Potter and the Deathly Hallows prior to its release. Experts contended that the claim, posted on hacker websites, was likely a sham, saying that if it were accurate, more evidence would have been offered.

Company news

Here is an update from the IT security industry's boardrooms.

Me and my job

Five questions for Prabhakar Chandrasekaran, ISO of Spartanburg Regional Healthcare System.

Law and order: A national computer forensic center takes shape

By blood-and-guts standards, Cary, N.C. is as safe a suburb as there is in the nation. The 121,000-person bedroom community regularly ranks near the statistical bottom of all the major crime categories, including murders, aggravated assaults and robberies.

The SC Magazine Awards - be great in 08

Just a week after taking home the Rookie Security Company of the Year prize at the 2007 SC Magazine Awards Gala, The 41st Parameter landed an unexpected meeting with an industry heavyweight. Ori Eisen, founder and chief innovation officer at the Scottsdale, Ariz.-based anti-fraud firm, says executives from Oracle who attended the annual awards ceremony were impressed with The 41st Parameter and wanted to learn more about the company after seeing it win.

News briefs

Campus exploit

Hackers exploited an unpatched flaw and a disabled firewall to infiltrate a server at the University of Colorado, Boulder, compromising the personal information of nearly 45,000 students. Attackers exploited a flaw in Symantec's Norton AntiVirus to launch a worm into the server of the College of Arts and Sciences Academic Advising Center, making off with student info.

Company news

Here are the latest happenings from the boardrooms of the IT security world.

Educating the masses for IT security

Never mind the Fourth of July, New Year's Eve or even his birthday. The occasion George Dolicker celebrated most merrily last year was International Computer Security Day. After all, the 19-year-old annual event marked the day that Dolicker, chief information security officer of computer maker Lenovo, unveiled the company's first home-grown information security program, complete with a comprehensive user education component.

News briefs

Fed breach law

A federal ID theft task force backed a breach notification law on government use of personal information. The President's Identity Task Force, co-chaired by Federal Trade Commission Chairwoman Deborah Platt Majoras and Attorney General Alberto Gonzales, urged lawmakers to educate customers, as well as back a federal ID-theft law.

Company news

The Internet Security Alliance, a nonprofit forum for information sharing, has appointed Larry Clinton president. Since 2002, Clinton had served as deputy executive director and COO of the alliance. Prior to joining the group, he was vice president at the U.S. Telecom Association.

News briefs

A vulnerability on the website of former New York City Mayor Rudy Giuliani could have allowed SQL injection attacks and exposed confidential information. Meanwhile, the MySpace page of U.S. Sen. John McCain, R-Ariz., was altered by Mike Davidson, who was upset that the campaign had used his design templates and imagery without permission.

News briefs

Here is a roundup of the latest IT security news included in April's SC Magazine:

Money matters: SC Magazine/EC-Council Salary Survey 2007

The heyday of massive salaries, extravagant raises and unrestrained bonuses that this industry experienced at the start of the 21st century has long since passed by the information security professional.

Cooperation among departments key to organizational security

As Oracle's Wynn White strolled the floor during this year's RSA Conference, he noticed something odd: No longer was he only surrounded by techies, researchers, product salespeople and security pros.

Company news

Here are the latest corporate happenings in the IT security industry:

Me and my job

Mark Adams, corporate security officer, BlueCross-BlueShield of Nebraska, answers some quick questions about his job.

Company news

Here are the latest happenings in IT security's boardrooms.

News briefs

Another buy

Symantec announced its intention to acquire enterprise management software provider Altiris in an $830 million deal. The purchase, intended to improve Symantec's standing in the endpoint-management market, came as Symantec representatives said that the endpoint security and management markets were converging.

Got something to say?

Send your comments, praise or criticisms to We reserve the right to edit letters.

What does a new Democratic Congress mean for information security?

The new Speaker of the House Nancy Pelosi represents a district not far from Silicon Valley. Freshly minted Chairman of the House Financial Services Committee Barney Frank says past legislation doesn't go far enough to protect consumer data. And Senate Majority Leader Harry Reid is himself a victim of identity theft.

Special report: IT security and health care

HIPAA was introduced 10 years ago. In this special section, we look at the effects the controversial legislation has had on the IT security industry.

Health care: Where are the penalties for failing to comply with HIPAA?

Ten years after its ratification, there's little doubt that the Health Information Portability and Accountability Act (HIPAA) has provided a strong framework for protecting patients' sensitive medical information against data security threats. What's just as certain, however, is the dramatic way in which HIPAA has changed the lives of the IT professionals in health care organizations charged with implementing the technology supporting the federal legislation.

Health care: Providers fight internal threats with an eye on HIPAA

Each year hundreds of millions of dollars are spent on technology to ward off hackers, viruses, worms, trojan horses and other "barbarians at the gate." Yet as CISO for one of the nation's leading employee benefits organizations, it's not the threat of outside intruders that keeps me awake at night. Today, many of the biggest risks are internal — employees who through mistakes, mischief or malfeasance can cause serious damage to the security of our systems and to sensitive data. This includes well-intentioned employees trying to do their job but who, by not following key policies, invite significant risk.

Health care: Duke University Health System's new identity management solution helps doctors and patients

Picture this: A doctor is in a life-and-death struggle to save a dying patient and quickly must check medical records to determine if the patient is allergic to a certain medication. The doctor attempts to sign on to a hospital application, but cannot. Her password has expired, and she must call the help desk to obtain a new one.

Patching process

There are many different names for the second Tuesday of every month: Patch Tuesday, Super Tuesday, Black Tuesday — and maybe even some other unsavory nicknames not suitable for print. This day, when Microsoft rolls out security updates, is the fulcrum around which most organizations' whole patch management cycles revolve. But just as there are different nicknames for the day, there are also differing opinions about how it should be handled and how quickly organizations should respond with changes.

Encryption a perfect response to the Year of the Breach

2006 will be recorded as the year that security breaches reached the consciousness and awareness of the mainstream consumer. Breaches are certainly not a new phenomenon, especially to security professionals. Although events in 2005, such as the ChoicePoint identification theft that affected 163,000 records, the stolen laptop at the University of California, Berkeley, with more than 98,000 records, and the Boeing stolen laptop with Social Security numbers and bank account information of 161,000 people, all made the headlines, the data breach incidents in 2006 occurred at an astounding, costly rate and gained much more media attention.

IT security reboot 2006: The year's top news

As part of SC Magazine's year-end roundup, the U.S. editorial team compiled lists of the most memorable - and sometimes most outrageous - news to cross your screen this year.

Roundup 2006: A healthy approach

Now that healthcare organizations are several years past the Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance deadlines, information security experts in the sector are taking the experience and the tools gained through compliance efforts to maximize their security programs in 2007.

Protecting customer information

Everyone knows that losing customers impacts the bottom line, whatever the cause may be. However, losing customers to security breaches and mistrust can be devastating. Consider the following research from Ponemon Institute. Nearly 58 percent of respondents to a national survey of more than 1,000 victims of personal data security breaches said a breach had decreased their sense of trust and confidence in the organization reporting the incident. More than 70 percent of respondents said that two data breaches in the same company would be sufficient grounds for them to take their business elsewhere.

Making the right moves for advancement

In one of our features this month, "2006: Year of exposed IDs," we discuss the various breaches that have plagued businesses of all sizes over the last year. As our edition went to press, still other incidents cropped up.

News briefs

A division of J.P. Morgan Chase mistakenly threw out tapes containing the personal information of 2.6 million past and current Circuit City credit card holders. Chase Card Services said it had mistakenly thrown out documentation tape with the personal info of millions of Circuit City customers. The firm said the tapes were compacted and destroyed in a landfill. Chase notified affected customers and offered them free credit monitoring for a year. The company said it had not seen reports of any misuse of the personal information.

Should federal agencies be held to the same standards as the private sector?

Company news

Brian Contos, CSO of ArcSight, has launched his new book, Enemy at the Water Cooler: Real-Life Stories of Insider Threats and Enterprise Security Management Countermeasures. The book details the evolution of security threats from hackers to malicious insiders at some of the world's largest corporations and government agencies and examines ways to combat those risks.

Safe at rest

Walk into one of LifeBridge Health's hospitals or nursing homes, and you would be hard pressed to spot an employee writing something down. "LifeBridge has made an effort to go completely paperless," says Chris Panagiotopoulos, the Baltimore-based healthcare system's director of technology. "We enter everything into computers."

Industry views: Homeland Security directive to drive use of authentication devices

On Aug. 27, 2004, the Bush administration issued Homeland Security Presidential Directive 12, which outlined a series of objectives to ensure a common identification system across all government agencies. The goal of the mandate is to enhance security and increase government efficiency by reducing identity fraud.

News briefs

Feds: Improve security

Federal agencies worked against an August deadline to implement improved security controls designed to better protect the private information of U.S. citizens in the hands of government officials. A memo on the sweeping changes was sent out in late June by the White House's Office of Management and Budget. OMB said it will work with inspectors to ensure agencies are in compliance. "We intend to work with the general community to review these items to ensure we are properly safeguarding the information the American taxpayer has entrusted to us," OMB Deputy Director Clay Johnson III said in a memo.

Company news

Lancope, a network behavior analysis and response solutions provider, has named Adam Powers CTO. Previously director of technology at Lancope, makers of Stealth Watch, Powers will be responsible for leading development of the product, which combines behavior-based anomaly detection with network performance monitoring.
