In our second post on a recent Osterman Research survey, we reveal IT’s biggest concerns with other department leaders and their roles in compliance. Of the 153 members of the Osterman Research panel surveyed, the majority of senior IT decision makers lack confidence in their own ability to properly manage and meet compliance obligations. Beyond their own capabilities, IT departments also lack confidence in their coworkers’ abilities to manage compliance. According to the survey:

  • When it comes to ownership and taking responsibility, more than one-third (39 percent) of IT professionals are concerned that their security managers leave compliance management entirely up to IT
  • Additionally, 34 percent of IT professionals fear their security managers don’t take an active enough role in enforcing compliance policies within their organizations and 28 percent are concerned that security managers fail to help define their company’s compliance policies
  • Almost half of IT professionals (47%) believe line of business (LOB) managers really don’t understand compliance well

Ensuring an organization understands and maintains compliance is a big job, and one that can’t be manually achieved by a single department. In fact, 34 percent of IT professionals worry that security managers don’t understand how difficult compliance management really is.

Consider MFT

While IT is charged with keeping business processes smooth and secure, it has little control over all file movements across an organization and little insight into operations. IT professionals can consider an automated managed file transfer (MFT) solution to make file movement transparent and to strengthen related IT processes through scalability, reliability, failover, and disaster recovery. Aberdeen analyst Derek Brink found that organizations with MFT solutions resolve errors nearly five times faster than those without one in place.

The need to manage all of this activity under a tighter security and compliance regimen means nothing can be left to chance. Without an MFT solution, companies run the risk of violating a growing number of statutes and regulations designed to protect sensitive data from being breached.

As you may already know, a Security Advisory about new vulnerabilities in OpenSSL was released in early June. This specific flaw requires a vulnerable OpenSSL library to be active on both the client and server ends of the transaction. It allows an attacker positioned between the client and server to turn off encryption, silently exposing information exchanged between those two end points. Technologies that only use OpenSSL to accept web-browser (HTTPS) connections are vulnerable to this flaw only when the browser is using a vulnerable version of OpenSSL. Chrome for Android is the only major browser that is currently susceptible.

Security is a top priority for Ipswitch and our customers. Since this announcement, the Ipswitch Security Team has been working to determine the impact and issue patch fixes where vulnerabilities were found.

Impacted Ipswitch products include:

  • MOVEit Mobile & Cloud
  • WS_FTP Client & Server
  • MessageWay
  • IMail
  • WhatsUpGold

Through your Customer Portal you’ll be able to access instructions to properly implement the Security Update for impacted versions as available.

As with any security advisory, we understand that our customers may have additional concerns. If you should have any questions or concerns, feel free to reach out to the appropriate technical support team:

By now you’ve likely read the articles about the recent Heartbleed SSL vulnerability uncovered in OpenSSL, which has affected vendors and companies that rely on this near-ubiquitous open source security library. In basic terms, the vulnerability exposes any exchange that uses the OpenSSL 1.0.1 family of library versions to attack.

Security is clearly a top priority for Ipswitch and our customers. From the first alert of this vulnerability, the Ipswitch Security Team moved quickly to determine the impact and will issue patch fixes in any case where we find vulnerability. In those cases, we’ve decided to partner with the security community at large to implement an industry-best solution. We’ll be issuing security patches to disable the OpenSSL heartbeat and will follow up in the near future with new versions of the OpenSSL library.

As with any wide-reaching story, we understand that our customers may have additional concerns. Please don’t hesitate to reach out to our customer support team.

UPDATE (4/11/14)

Some of Ipswitch’s products were impacted because of our use of OpenSSL, and they include:

  • MOVEit Cloud (has been remediated)
  • MOVEit Mobile for MOVEit File Transfer (DMZ) 8.0
  • WS_FTP Server 7.6
  • WS_FTP Pro 12.4 (Only if accessing a compromised website using SSL)
  • IMail, IMail Secure and IMail Premium versions 12.3 and 12.4

Through your Customer Portal you’ll be able to access instructions to properly implement the Security Update for impacted versions.

Products not impacted by this vulnerability are:

  • WhatsUpGold (WUG) and other WhatsUp tools and network products
  • MOVEit File Transfer (DMZ) when MOVEit Mobile server is not installed
  • MOVEit Central
  • MOVEit Ad Hoc Transfer Plug-in for Outlook
  • MessageWay
  • MOVEit EZ
  • WS_FTP Server versions other than 7.6
  • WS_FTP Pro versions other than 12.4, including WS_FTP LE
  • IMail, IMail Secure and IMail Premium versions other than 12.3 and 12.4

As with any wide-reaching story, we understand that our customers may have concerns. We’re here to answer your questions and have developed a list of the ones we’ve heard most frequently on the customer portal.

If you should have any additional questions or concerns, feel free to reach out to the appropriate technical support team:

WhatsUp Gold software products have recently been certified under the Common Criteria Evaluation and Validation Scheme (CCEVS). (see today’s announcement for more details).

Most folks call it Common Criteria. If you are not familiar, it’s an internationally recognized standard. It allows organizations to confidently assess the security and assurance of IT software. Specifically, to ensure they meet an agreed-upon security standard for certain government deployments.

With Common Criteria certification in place, our customers have the added confidence that our WhatsUp Gold products have been validated against rigorous security standards. These include user data protection, fault tolerance and authentication.

There’s a lot of work involved. We worked with an authorized third party, whose evaluation was conducted in a rigorous, standard and repeatable manner at a level commensurate with the product’s target environment for use.

What’s significant about Common Criteria certification for you? It might just get a little easier to procure and use WhatsUp Gold.

If you work for a U.S. Federal government agency:

A U.S. Federal mandate requires that security evaluations of IT products:

  • Be performed to consistent standards
  • Encourage the formation of commercial security testing laboratories
  • Meet the needs of government and industry for cost-effective evaluation of IT products
  • Improve the availability of those products

If you work at any organization in any of these 27 countries:

The Common Criteria Mutual Recognition Arrangement has 27 member countries. It includes all of North America, most of Europe, Australia, Israel and beyond. The arrangement leverages the use of Common Criteria certificates by each member nation so that products can be procured without the need for further evaluation. 

WhatsUp Gold software products that now meet Common Criteria standards include:

We’ve been making lots of noise in the security space this year. Last month we joined the Open Web Application Security Project (OWASP). Additionally, MOVEit® Managed File Transfer software achieved Payment Card Industry Data Security Standard (PCI-DSS) certification.

A major southern US city school district with more than 40,000 students reached out to the Ipswitch WhatsUp Gold team for help after a failed attempt to implement another company’s network monitoring software. Increased security concerns were driving the school system to increase investment in building and campus safety precautions. But the monitoring software wasn’t cooperating.

In testing the other company’s software, they found it:

  • Didn’t have the Level 2/3 discovery granularity required to identify and monitor everything from servers to applications to component-level information in servers, as well as switches and other devices like security cameras.
  • Couldn’t create a complete map of a network of schools stretching across the city. That would make it hard to determine what was new and what was old so they could upgrade efficiently.
  • Couldn’t identify or monitor many SNMP-addressable devices already in place, such as metal detectors and the security cameras, because it didn’t have MIBs for them in its library of devices.

But each area the IT director found fault with could be remedied with WhatsUp Gold, the director was promised by an Ipswitch sales engineer. “I was told it wouldn’t take more than an hour,” she said. Skeptical, but intrigued, the director took the plunge and downloaded the software. Less than an hour later she was pleasantly surprised to have in hand a complete map and a detailed inventory of all the devices making up the city’s widely distributed network of schools.

Peace of Mind

Now the school district had the information they needed to determine what they could keep and what they’d have to replace. This allowed them to enhance student and staff security and control vandalism of school properties. Unlike the other software, WhatsUp Gold allows administrators to add MIBs for devices not already in WhatsUp Gold’s library in just minutes.

Once the first wave of safety improvements was in place, the IT director used WhatsUp Gold to monitor the health of all the network devices. They were able to take action quickly if WhatsUp Gold detected a problem with any device. For instance, one of the high school’s metal detectors went offline late one afternoon. An automated alert and an intuitive troubleshooting interface allowed the staff to identify the root cause in minutes and reset the system.

“The major benefits of using WhatsUp Gold include increased peace of mind, a reduced administrative workload and higher device service levels,” the director reports.

As a product manager of an integrated solution suite, it’s interesting to compare and contrast the similarities and differences between traditional systems management (OS deployment, inventory, software delivery, patching, monitoring) and its major trends (security, virtualization, cloud, efficient data centers) with network management (deployment and configuration, backup/restore, monitoring, traffic analysis, Quality of Service) and networking trends (mobile devices, cloud, virtualization, larger networking demands). There are many similarities between these two IT focus areas and I will “blog” about several aspects as I tie-in and compare systems management with network management over the next year. One similarity that is particularly easy to spot and “leaps off the page” for me relates to discovery. In fact, it ALL starts with discovery.

By obtaining a complete and accurate discovery of your networking “stuff,” you will gain immediate benefits. The first premise here is that, until you know what you have (i.e. your stuff), where it is, and how it is connected, you cannot determine the best course of action to improve services, plan for new capacity, uptime, planned outages, or anything for that matter. Performing a regularly scheduled discovery of your devices will provide benefits that trickle into every other aspect of network management, and IT services in general.

The second premise is that the discovery process should be automated. Let’s face it, we live in a day and age where automation can and should be your best friend. Automation allows an IT administrator to remove the mundane and really boring daily tasks from his/her “to-do” list and to focus on things that add value. Back in the late 90’s, while working in IT at a local private liberal arts college, we performed what I call a “clipboard” inventory 2 times a year. The fact was that our manual inventory was inaccurate the moment we left the professor’s office. Add to that the notion that we could only gather some of the most basic inventory details: CPU, RAM, Network card, Add/Remove Programs. The level of detail that can be obtained today in an automated fashion is very complete and can be adapted to gather almost any piece of electronically stored information on a device. Don’t waste any more time doing manual discovery/inventories!

The third premise is that you need a management system that provides “out-of-the-box” reporting and mapping capabilities that easily and intuitively show discovered devices, their attributes, and their connectivity. The system should allow the flexibility to generate your own custom reports as needed. As a really cool bonus feature, the reports and maps should also dynamically update as new discoveries are performed, so that you not only know what your network looks like right now but can also easily visualize how it is performing.

Imagine going from a world of clipboard inventory, 2 times a year, to a fully automated discovery complete with a dynamically updated map of your network. Does it get any better than that? Possibly not, but then again the only constant with technology is change.

As we begin our discussion on how to provide great IT services, I hope you will start to think about, and hopefully act upon, the premise that “it ALL starts with discovery”.

P.S. As a public service announcement, I am providing you with a product link that can dramatically assist with the process of discovery/mapping and meets every requirement I describe above. Visit WhatsUpGold Network Discovery for more details.

As companies continue to include the cloud in their overall IT initiatives – taking advantage of elasticity, scalability, interoperability and mobility – concerns around management, governance and control of data are preventing some organizations from fully embracing cloud services.

In fact, according to the recent Ponemon cloud survey, over 30% of IT and compliance respondents claim that concerns about data security have kept their organization from adopting cloud services… And approximately half place a high priority on security when evaluating cloud providers.

For many, the benefits and the desire to migrate to the cloud in organizations seem to outweigh the security concerns.

That being said, every company’s risk tolerance is different. Some of the variables in play that impact risk tolerance certainly include the type of information being moved and stored in the cloud, the industry (and associated compliance requirements) of not only the company but also its business partners, as well as the specific security measures provided (or not provided) by the cloud providers they are considering.

Not all cloud services are created equal. There are absolutely great differences in the measures different providers have taken to protect information they process and store in the cloud. A few security considerations include authentication and authorization as well as protecting data not only while it’s in transit to the cloud, but also while it remains there.

On January 28th, the U.S. and many countries around the world join to celebrate Data Privacy Day. The annual celebration of Data Privacy Day is intended to promote awareness about how information is collected and to educate individuals of all ages about best privacy practices. In today’s digital world, where we submit a vast amount of personal information on the web, we need to know how to protect our key information and ask the questions ‘Who is collecting this data?’ and ‘What are they doing with it?’

The National Cyber Security Alliance offers many resources for teens and young adults, as well as parents and kids in hopes of raising privacy issues at home, in the classroom, and throughout businesses. Visit Staysafeonline.org to explore these educational resources and to spread awareness about Data Privacy Day!

Here at Ipswitch, the WhatsUp Gold team offers many products, resources, and tools to help protect the infrastructure of your business and to guard against security threats and loss of key information. Learn more about solutions available from WhatsUp Gold.

Enhanced by Zemanta

Although WhatsUp Log Management Suite v10 makes log management for security and compliance as painless as possible – we’ve now made it even easier to save time! With the version 10.1 update, there are many new ways to enhance efficiency:

  • In addition to preexisting reports for HIPAA, SOX, etc., there is now new out-of-the-box, point-and-click reporting for FERPA, NERC CIP, and NISPOM
  • Save time adding Syslog-generating devices to your log monitoring and archiving solutions:
  • More ways to be alerted to a potential breach with new alarms for Cisco IOS events

Learn more about WhatsUp Log Management v10.1 and all it has to offer.

Try it FREE for 30-days!


“Compliance & Security for IT Professionals”

  • Date: Tuesday, November 15th
  • Time: 10:00am US EST

Join the WhatsUp Gold team for this exciting webinar to learn what you need to know to keep your compliance and security counterparts off your back! We’ll cover:

  • How to detect and prevent unauthorized access to key enterprise information such as customer credit card data, employee, patient or financial records
  • Compliance regulations like PCI, SOX, FISMA and which ones apply to your business
  • Strategies for making compliance a part of your existing network management practices
  • Key compliance-centric reports you need to generate
  • How to leverage your WhatsUp Gold investment to help you with your security & compliance obligations

Everyone who attends is entered to win an iPad!

Learn more and register today!

Hey SEC, it’s Frank Kenney at Ipswitch. I don’t mean to rock the boat but I had a few quick questions regarding your recent announcement that you are requiring companies to notify their customers of a breach or risk of breach.

  1. What’s a “breach”? Does it mean the bad guys came in and took the data? Or maybe the data was left unencrypted? Or perhaps an executive lost his or her BlackBerry? Wikipedia talks about breaches of confidence, breaches of contract and breaches of faith. Is it all or none of the above?
  2. What does “notify” mean? Email? Snail mail? SMS? Press release? Facebook status update? Tweet? We just don’t know. And when do they need to send that out? When it happens (or it happened?) When it was discovered? When it was fixed? This is key and I say this because the breaches that happened were reported months after they actually happened. So when?
  3. And by “customers”, do you mean people who pay for my services? What if my services are free like social networks? Does free = exempt? What if I give you my email and contact info, does that make me a customer?
  4. What in the world is “risk of breach” and why shouldn’t I just fix it instead of telling my customers?

If you don’t mind I’d like to give the public in general my 2 cents…

The real story is this: we should all take these breaches seriously because at some point they will impact us individually. We must make it crystal clear to our service providers, our Internet providers and in some cases our employers that there needs to be policies and enforcement around the proper use and retention of our private information. We must also make clear that these same providers must put processes in place to better communicate and resolve any future data breaches. In much the same way we now see consumers making purchase decisions based on the carbon footprint of their suppliers/providers, the same approach will be taken when it comes to private confidential information. We at Ipswitch believe putting a secure managed file transfer solution in place will allow these suppliers to stem breaches by giving them visibility into how data is being accessed and for what purpose BEFORE these breaches happen.

Have you done enough to protect your business against data breaches? Although people assume only large businesses are susceptible to data breaches, research shows that is not always the case. In fact, attacks on companies with 100 or fewer employees are rising, according to Verizon and the Secret Service. In 2009, 27% of small businesses were victims, rising to 63% in 2010, which is extremely concerning. Most data breaches occur when a third party gains access to confidential digitally stored information via weak firewalls or passwords, and can result in the loss of anything from bank account information to legal secrets. To protect against these threats, businesses should be proactive by identifying their weaknesses, strengthening passwords, securing firewalls, properly storing records, and training employees to be watchful and cautious. If preventative steps are not taken, losses can be substantial and devastating!

Check out this cool infographic on data breaches! http://networkedblogs.com/nY2xO
