The move to electronic medical records presents challenges, but tech solutions offer help for health care practitioners, reports Greg Masters.
When a breach occurs, customers expect more than an apology, says Bob Maley, Pennsylvania's CISO. Dan Kaplan reports.
The heat has been turned up for those charged with bringing their institutions into HIPAA compliance, reports Greg Masters.
And so we reach the end of this year's batch of innovators. But, as we look at this subcategory, we find that it wraps the whole shebang into a neat package, defining what needs to be done to secure the enterprise (and prove it) and why.
All of us old-timers remember LanDesk from its days as part of Intel. It always was a solid suite of products. Now that it is part of Avocent, its promise as a hybrid of network and security policy management is being realized. The notion of managing the desktop and evolving that into security policy management makes a lot of sense.
The views of the visionary I spoke with from this veteran anti-malware company took the conversation in directions I had not expected. He started out by asking, "Why, if I have done everything I can to secure my enterprise, is my data still being compromised?"
I don't recall the first time I heard the term "extrusion prevention system." It was, I think, an effort on the part of some marketer to tie the notion of preventing data from unauthorized exit (extrusion) from the enterprise to the notion of unauthorized entry (intrusion). Very clever.
No matter how much things change, they stay the same. As I have pointed out, there have been massive changes in security drivers over the past 12 months. The changes have generated a new set of challenges, but, even though our encryption innovator has done a first-rate job of addressing them over the past year, the new issues are generating a sort of déjà vu picture of the encryption market.
The big question I had for Tumbleweed was, "What is email security?" Over the past two years, as we have passed products through SC Labs, I have noticed that the vendor public relations folks who we talk to seem to have a hard time differentiating between the many aspects of threats associated with email.
Wireless, is it? Everything is going wireless - well almost everything. That, in itself, poses a challenge for a wireless security company, such as this innovator. It also offers big opportunities and AirMagnet has identified and addressed them.
If you thought the UTM market was crowded, take a look at the intrusion prevention systems (IPS) market. We bluntly asked our innovator in this product space why they thought that they were innovators in such a commoditized market. The answer was immediate and unambiguous: "When a product category becomes mainstream, there are big opportunities, but you must innovate to take advantage of them."
Sometimes a different approach is needed. The notion of the UTM was developed from the need to consolidate point solutions. There are a lot of problems, of course. They cost more to buy and manage, they use more power and they need a sophisticated staff to manage them.
Sometimes you run across a company that just deserves to be selected as an innovator. You look them over and wonder why you didn't pick up on them before. Mandiant is one of those companies. There is a reason, of course. Mandiant started as a services company providing forensics, litigation support and incident response. So if you were in the product purchasing mood, you would not have run across these folks.
ArcSight gets a lot of play among security experts in the security event management (SEM)/security information manager (SIM) game.
How do you differentiate a product that keeps getting mixed up with a commoditized market, but really doesn't belong there? What differentiators do you look for that can keep you from being included in a herd where you don't belong?
I just love these folks. Take the best open source pen testing tool you can think of, put it on steroids, give it a user interface that makes it simple and fast to pen test in a production environment without losing the granularity of manual testing if you need it, and you have Core Impact. Well, almost. Every year I say that I am going to find a better tool, and I actually do comb the market -- unsuccessfully.
When your price starts at $50,000 and you are unique in your marketplace, you'd better have a good product. For Mu Dynamics, that is just where the story starts. When I first met the Mu folks, they were Mu Security. A new name later, they still are the innovators they were a couple of years ago. My conversation with a Mu visionary was an eye-opener.
This Swedish company will, I predict, set the benchmark here in the United States for how access to applications should be controlled. AppGate has helped shape the direction of network infrastructure security in Europe for some years, and now this innovator is bringing its unique thoughts to the States.
What sets these guys apart from the multifactor herd? In a word, vision. From the start, TriCipher has had the vision of evolving into a full identity management provider. That is a pretty heady ambition for a developer of multifactor authentication tools. So how does this innovator plan to make the trip from providing a piece of the puzzle to offering the whole thing, already assembled, framed and hung on the wall?
Start with the recognition that identity management is just too hard to do, create a solution for that problem and then morph it into a successful service and you have the recipe for a real innovator.
Here is another vendor that we see a lot of in our labs. Passlogix knows who it is and concentrates on doing what it does as well as it can be done. And what they do is credential management.
Bradford Networks is no stranger to these pages. An innovator from last year, Bradford has been reviewed a number of times over the years, always doing well. This year we asked them how well their crystal ball last year worked as 2008 unfolded.
The inaugural SC World Congress takes place December 9-10 in New York City's Javits Convention Center.
As older generations of non-networked health care machines get replaced with 'smarter' network-integrated versions, the proliferation of embedded operating systems will grow.
Though compliance regulations are inherently complex, broad and confusing in scope, addressing them can be simplified by uniting three previously independent corporate silos - governance, risk, and compliance - into one comprehensive automated technical platform known as IT GRC.
John Penrod, CISO of The Weather Channel, discusses how the IT pro can manage business risk.
Information security pros are increasingly confronted by cybercriminals trawling their corporate networks for customers' private data. More than 80 percent of the respondants to the SC Magazine/MXI Security survey say guarding against data breaches is the focus of current security initiatives, reports SC Magazine Editor-In-Chief Illena Armstrong.
Welcome to the first Group Test reviews of 2008. Appropriately, we start this year with two important groups: identity management and multifactor authentication products
On the hunt for more innovative solutions to holistically safeguard organizations' growing networks, Peter Stephenson pinpoints the product categories and solutions you might consider next year.
The end of yet another year sees in this final 2007 edition of SC Magazine our annual roundup of top thinkers, interesting happenings, business developments and criminal acts.
The top cybersecurity events of the year.
We handed out crystal balls to several analysts, consultants, professors and CSOs and asked them to answer questions about next year.
This is a very special issue to me and the team at SC Labs because it is based on a year of seeing the good and the not so good. We actually saw almost no bad products, so it was a pretty good year overall. It is special for you because it helps answer the question, "If we are going to buy security tools in the next 12 to 18 months, what should we be looking at?"
Access control is the order of the day for this issue. All of our reviews focus on aspects of access control and management. This, of course, is a key aspect of enforcing the security of the enterprise. We address the topic with two First Looks and two Group Test reviews.
Harry hack A hacker named Gabriel claimed to have breached the networks of the UKs Bloomsbury Publishing, uncovering the ending of Harry Potter and the Deathly Hallows prior to its release. Experts contended that the claim, posted on hacker websites, was likely a sham, saying that if accurate more evidence would otherwise have been offered.
Here is an update from the IT security industrys boardrooms.
Five questions for Prabhakar Chandrasekaran, ISO of Spartanburg Regional Healthcare System.
By blood-and-guts standards, Cary, N.C. is as safe a suburb as there is in the nation. The 121,000-person bedroom community regularly ranks near the statistical bottom of all the major crime categories, including murders, aggravated assaults and robberies.
Just a week after taking home the Rookie Security Company of the Year prize at the 2007 SC Magazine Awards Gala, The 41st Parameter landed an unexpected meeting with an industry heavyweight. Ori Eisen, founder and chief innovation officer at the Scottsdale, Ariz.-based anti-fraud firm, says executives from Oracle who attended the annual awards ceremony were impressed with The 41st Parameter and wanted to learn more about the company after seeing it win.
Campus exploit Hackers exploited an unpatched flaw and a disabled firewall to infiltrate a server at the University of Colorado, Boulder, compromising the personal information of nearly 45,000 students. Attackers exploited a flaw in Symantecs Norton AntiVirus to launch a worm into the server of the College of Arts and Sciences Academic Advising Center, making off with student info.
Here are the latest happenings from the boardrooms of the IT security world.
Never mind the Fourth of July, New Year's Eve or even his birthday. The occasion George Dolicker celebrated most merrily last year was International Computer Security Day. After all, the 19-year-old annual event marked the day that Dolicker, chief information security officer of computer maker Lenovo, unveiled the company's first home-grown information security program, complete with a comprehensive user education component.
Fed breach lawA federal ID theft task force backed a breach notification law on government use of personal information. The President's Identity Task Force, co-chaired by Federal Trade Commission Chairwoman Deborah Platt Majoras and Attorney General Alberto Gonzales, urged lawmakers to educate customers, as well as back a federal ID-theft law.
The Internet Security Alliance, a nonprofit forum for information sharing, has appointed Larry Clinton president. Since 2002, Clinton had served as deputy executive director and COO of the alliance. Prior to joining the group, he was vice president at the U.S. Telecom Association.
A vulnerability on the website of former New York City Mayor Rudy Giuliani could have allowed SQL injection attacks and expose confidential information. Meanwhile, the MySpace page of U.S. Sen. John McCain, R-Ariz., was altered by Mike Davidson, who was upset the campaign had used his design templates and imagery without permission.
Here is a roundup of the latest IT security news included in April's SC Magazine:
The heyday of massive salaries, extravagant raises and unrestrained bonuses that this industry experienced at the start of the 21st century has long since passed by the information security professional.
As Oracle's Wynn White strolled the floor during this year's RSA Conference, he noticed something odd: No longer was he only surrounded by techies, researchers, product salespeople and security pros.
Here are the latest corporate happenings in the IT security industry:
Mark Adams, corporate security officer, BlueCross-BlueShield of Nebraska, answers some quick questions about his job.
Here are the latest happenings in IT securitys boardrooms.
Another buySymantec announced its intention to acquire enterprise management software provider Altiris in an $830 million deal. The purchase, intended to better Symantec's standing in the endpoint-management market, came as Symantec representatives said that endpoint security and management markets were converging.
Send your comments, praise or criticisms to scfeedbackUS@haymarketmedia.com. We reserve the right to edit letters.
The new Speaker of the House Nancy Pelosi represents a district not far from Silicon Valley. Freshly minted Chairman of the House Financial Services Committee Barney Frank says past legislation doesn't go far enough to protect consumer data. And Senate Majority Leader Harry Reid is himself a victim of identity theft.
HIPAA was introduced 10 years ago. In this special section, we look at the effects of the controversial legislation has had on the IT security industry.
Ten years after its ratification, there's little doubt that the Health Information Portability and Accountability Act (HIPAA) has provided a strong framework for protecting patients' sensitive medical information against data security threats. What's just as certain, however, is the dramatic way in which HIPAA has changed the lives of the IT professionals in health care organizations charged with implementing the technology supporting the federal legislation.
Each year hundreds of millions of dollars are spent on technology to ward off hackers, viruses, worms, trojan horses and other "barbarians at the gate." Yet as CISO for one of the nation's leading employee benefits organizations, it's not the threat of outside intruders that keeps me awake at night. Today, many of the biggest risks are internal — employees who through mistakes, mischief or malfeasance can cause serious damage to security of our systems and to sensitive data. This includes well-intentioned employees trying to do their job but who, by not following key policies, invite significant risk.
Health care: Duke University Health System's new identity management solution helps doctors and patients
Picture this: A doctor is in a life-and-death struggle to save a dying patient and quickly must check medical records to determine if the patient is allergic to a certain medication. The doctor attempts to sign-on to a hospital application, but cannot. Her password has expired, and she must call the help desk to obtain a new one.
There are many different names for the second Tuesday of every month: Patch Tuesday, Super Tuesday, Black Tuesday — and maybe even some other unsavory nicknames not suitable for print. This day, when Microsoft rolls out security updates, is the fulcrum around which most organizations' whole patch management cycles revolve. But just as there are different nicknames for the day, there are also differing opinions about how it should be handled and how quickly organizations should respond with changes.
2006 will be recorded as the year that security breaches reached the consciousness and awareness of the mainstream consumer. Breaches are certainly not a new phenomena, especially to security professionals. Although events in 2005 all made the headlines, such as the ChoicePoint identification theft that affected 163,000 records, the stolen laptop at the University of California, Berkeley, with more than 98,000 records, and the Boeing stolen laptop with Social Security numbers and bank account information of 161,000 people, the data breach incidents in 2006 occurred at an astounding, costly rate and gained much more media attention.
As part of SC Magazine's year-end roundup, the U.S. editorial team compiled lists of the most memorable - and sometimes most outrageous - news to cross your screen this year.
Now that healthcare organizations are several years past Health Insurance Portability and Accountability Act of 1996 (HIPAA) compliance deadlines, information security experts in the sector are taking the experience and the tools gained through compliance efforts to maximize their security programs in 2007.
Everyone knows that losing customers impacts the bottom line, whatever the cause may be. However, losing customers to security breaches and mistrust can be devastating. Consider the following research from Ponemon Institute. Nearly 58 percent of respondents to a national survey of more than 1,000 victims of personal data security breaches said a breach had decreased their sense of trust and confidence in the organization reporting the incident. More than 70 percent of respondents said that two data breaches in the same company would be sufficient grounds for them to take their business elsewhere.
In one of our features this month, "2006: Year of exposed IDs," we discuss the various breaches that have plagued businesses of all sizes over the last year. As our edition went to press, still other incidents cropped up.
A division of J.P Morgan Chase mistakenly threw out tapes containing the personal information of 2.6 million past and current Circuit City credit card holders. Chase Card Services said it had mistakenly thrown out documentation tape with the personal info of millions of Circuit City customers. The firm said the tapes were compacted and destroyed in a landfill. Chase notified affected customers and offered those customers free credit monitoring for a year. The company said it had not seen reports of any misuse of the personal information.
Should federal agencies be held to the same standards as the private sector?
Brian Contos, CSO of ArcSight, has launched his new book, Enemy at the Water Cooler: Real-Life Stories of Insider Threats and Enterprise Security Management Countermeasures. The book details the evolution of security threats from hackers to malicious insiders at some of the world's largest corporations and government agencies and examines ways to combat those risks.
Send your comments, praise or criticisms to firstname.lastname@example.org. We reserve the right to edit letters.
Walk into one of LifeBridge Health's hospitals or nursing homes, and you would be hard pressed to spot an employee writing something down. "LifeBridge has made an effort to go completely paperless," says Chris Panagiotopoulos, the Baltimore-based healthcare system's director of technology. "We enter everything into computers."
On Aug. 27, 2004 the Bush administration issued the Homeland Security Presidential Directive 12, which outlined a series of objectives to ensure a common identification system across all government agencies. The goal of the mandate is to enhance security and increase government efficiency by reducing identity fraud.
Feds: Improve security Federal agencies worked against an August deadline to implement improved security controls designed to better protect the private information of U.S. citizens in the hands of government officials. A memo on the sweeping changes was sent out in late June by the White House's Office of Management and Budget. OMB said it will work with inspectors to ensure agencies are in compliance. "We intend to work with the general community to review these items to ensure we are properly safeguarding the information the American taxpayer has entrusted to us," OMB Deputy Director Clay Johnson III said in a memo.
Lancope, a network behavior analysis and response solutions provider, has named Adam Powers CTO. Previously director of technology at Lancope, makers of Stealth Watch, Powers will be responsible for leading development of the product, which combines behavior-based anomaly detection with network performance monitoring. www.lancope.com
Sign up to our newsletters
SC Magazine Articles
- Operators disable firewall features to increase network performance, survey finds
- Waste no time patching Windows Schannel, OLE bugs, experts warn
- Study: 68 percent of healthcare breaches caused by loss or theft of devices, files
- Spin.com redirects to Rig Exploit Kit, infects users with malware, Symantec observes
- Upping the ante: PCI Security Standard
- The Internet of Things (IoT) will fail if security has no context
- Citadel variant targets master passwords, authentication solutions
- USPS draws ire of Congress over data breach response
- Buffer overflow vulnerabilities identified in Hikvision DVR devices
- Android malware 'NotCompatible' evolves, spawns resilient botnet