Authentication Bypass Vulnerability in Citrix NetScaler

Please contact our Operations Center if we can assist you with addressing this critical Citrix Netscaler security issue requiring updates.

Sincerely,

Centrinet Support Team

support@centrinetcorp.com

678.373.0450

Authentication Bypass Vulnerability in Citrix NetScaler ADC and NetScaler Gateway Management Interface

DESCRIPTION OF PROBLEM

A vulnerability has been identified in the management interface of Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway that, if exploited, could allow an attacker with access to the NetScaler management interface to gain administrative access to the appliance.

This vulnerability has been assigned the following CVE number:

  • CVE-2017-14602: Authentication Bypass Vulnerability in Citrix NetScaler ADC and NetScaler Gateway Management Interface

This vulnerability affects the following product versions:

  • Citrix NetScaler ADC and NetScaler Gateway version 12.0 earlier than build 53.13 (except for build 41.24)
  • Citrix NetScaler ADC and NetScaler Gateway version 11.1 earlier than build 55.13
  • Citrix NetScaler ADC and NetScaler Gateway version 11.0 earlier than build 70.16
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 earlier than build 66.9
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5e earlier than build 60.7010.e
  • Citrix NetScaler ADC and NetScaler Gateway version 10.1 earlier than build 135.18

MITIGATING FACTORS

In order to exploit this vulnerability, an attacker would require access to the management interface of the NetScaler. In situations where customers have deployed their NetScaler ADC and NetScaler Gateway appliances in line with industry best practice, network access to this interface should already be restricted.


WHAT CUSTOMERS SHOULD DO

This vulnerability has been addressed in the following versions of Citrix NetScaler ADC and NetScaler Gateway:

  • Citrix NetScaler ADC and NetScaler Gateway version 12.0 build 41.24 and build 53.13 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 11.1 build 55.13 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 11.0 build 70.16 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 build 66.9 and later
  • Citrix NetScaler ADC and NetScaler Gateway version 10.5e build 60.7010.e and later
  • Citrix NetScaler ADC and NetScaler Gateway version 10.1 build 135.18 and later

Citrix strongly recommends that customers impacted by this vulnerability upgrade to a version of the Citrix NetScaler ADC or NetScaler Gateway that contains a fix for this issue as soon as possible.

These versions are available on the Citrix website at the following addresses:

https://www.citrix.com/downloads/netscaler-adc/
https://www.citrix.com/downloads/netscaler-gateway/

In line with industry best practice, Citrix also recommends that customers limit access to the management interface to trusted network traffic only.

https://support.citrix.com/article/CTX227928

IT Security Best Practices: Securing Cloud Access Control

Did you know that phishing attacks targeting cloud storage services make up nearly 23 percent of all security attacks, an increase of 125 percent over the past four years? It’s a strategy fraudsters are using as they try to gain access to valuable login credentials for business cloud storage accounts.

And the problem isn’t limited to unauthorized access of vital accounts. Phishing schemes are also the most common way to deliver ransomware to systems belonging to businesses, government agencies, schools, and other critical infrastructure.

It’s an IT security challenge that will become more difficult in the next few years. That means that you, as a cybersecurity leader, must plan and implement best practices to keep your company (and individual employees) from falling victim to these schemes.

As you review these IT security best practices for cloud access control, consider how you’re currently handling them for your company and what changes you might make.

MAINTAIN THE PRINCIPLE OF LEAST PRIVILEGE FOR USER ACCOUNTS

Privileged user accounts give key employees greater access to sensitive data and allow them to make high-level changes to network systems. Because this access is so far-reaching, these credentials are targeted more heavily by hackers looking to bypass firewalls and intrusion prevention protocols.

By incorporating the principle of least privilege—and giving employees the lowest level of user rights that still allows them to perform all necessary job functions—you’re protecting both your business systems and your workers.

You might also like:The Only Checklist You’ll Need to Uncover Your IT Security Risks

You’ll also want to limit the number of privileged user accounts to the minimum necessary, assign privileges by roles rather than to individuals, and log all access attempts and all executed changes from these accounts. Don’t forget to create specific procedures and guidelines to handle employee departures—including suspending account access and retrieving any access tokens and company-owned IT equipment.

REQUIRE MULTI-FACTOR AUTHENTICATION

You can limit unauthorized access to cloud applications by requiring every user to enable multi-factor authentication (MFA). Instead of simply entering a username and password—which could be stolen more easily—MFA includes at least two independent credentials.

These credentials could be something you know, such as a password; something you have, such as a security token; or something you are, such as a thumbprint, a retina scan, or some other biometric marker. If one factor is weakened—say a password is stolen—there’s another line of defense that might not be so easy to breach.

In a perfect world, access to any user account in the cloud would require MFA. But at the least, users with admin privileges—especially those with access to management consoles and other sensitive data—should use approved multi-factor authentication.

ENFORCE CONDITIONAL ACCESS CONTROLS

When you set up conditional access policies for users and devices, you can prevent many problems with stolen and phished credentials. This proactive strategy lets you set specific conditions for users to gain access to applications. It’s also a way to restrict access to those using approved devices and trusted networks.

For example, user access may depend on membership in selected groups, or the device platform used—like iOS, Android, and Windows. The location of the user may also trigger higher-level controls—requiring multi-factor authentication, or blocking access on untrusted networks.

When you use device-based conditional access, you can deny access to users on devices that fall short of your security standards. That means unknown or unmanaged devices, attempts to gain access via unsecured wireless networks, or those without sufficient security controls.

SECURE CRYPTOGRAPHIC KEYS

Most admin accounts require the use of cryptographic keys for access. Often these keys are generated when a new user is created. Because of the power of these keys, you’ll need procedures to manage and monitor their use.

If you have business processes operating in the cloud, as part of an IT security plan, you’ll want to safeguard your keys both internally and in the cloud. Most experts recommend employing a hardware security module (HSM) to control cryptographic keys.

Designed to meet strict regulatory standards, HSMs stand alone in securely storing cryptographic keys while also managing their lifecycle. And with the option of a cloud-based HSM, you may have lower overhead and configuration costs because the physical hardware is maintained by the data center.

As more business applications move to the cloud, take particular care in safeguarding user accounts—especially those with administrative access. It could mean the difference between a thriving company and one that’s no longer in business.

Using security framework, such as Centrinet’s SAFER IT, ensures that organizations are following best practices for IT security. Credentials like passwords and tokens are Safeguarded, business procedures are Adapted for maximum security, IT-managed objects are Fortified, and best practices for user accounts are Enforced. Access to sensitive systems and data is Regulated, high-level standards are Imposed, and Trusted systems get regular checks.

Does your IT security plan cover cloud access control? If not, your business data could be at risk. Working with a company like Centrinet ensures you have a comprehensive security strategy no matter where your data lives.

10 Website Security Best Practices You Can Implement Today

According to a recent Global Security Study from Citrix conducted by the Ponemon Institute, 69 percent of respondents believe some of their organization’s existing security solutions are outdated and inadequate. This is particularly problematic when looking at the state of cybersecurity where many vulnerabilities could be fairly easily eliminated. In order to help businesses strengthen their security profile and reduce vulnerabilities, here are 10 website security best practices that can be implemented today.

BEST PRACTICE #1: ENCRYPTION VIA HTTPS IMPLEMENTATION

While HTTP was conceived as a means to transfer information on the internet, HTTPS provides some important security aspects for businesses and their end users. Overall, the HTTPS authentication spec defines a series of mechanisms to identify users and parties (via credentials).

The main benefit of HTTPS is that it makes your site more secure for your users when they provide any sort of information such as PCI via encryption. Because attackers don’t have the encryption key, it prevents “man in the middle” attacks. HTTPS implementation provides a number of website security benefits, including ensuring to site visitors that:

  • The site they are on is actually the site the URL says it is
  • The content on the site has not been changed in any way by anybody other than the site owner
  • Any information shared between the visitor and the site through a contact form or reservation signup will not end up in the hands of a third party
  • The visitor’s browser history is not being tracked by some unauthorized third party
  • Any payment gateways on the site are secure

You might also like:The Only Checklist You’ll Need to Uncover Your IT Security Risks

BEST PRACTICE #2: SECURE SOCKET LAYER (SSL) CERTIFICATES

Secure socket layer (SSL) is the protocol that HTTPS uses so that the installation of an SSL certificate on your site enables the use of HTTPS. Obviously, all SSL certificates will encrypt data that are sent from a customer’s browser to a company’s server. Encryption ranges anywhere from 128-bit to the recommended 256-bit. In today’s increasingly treacherous online world, the higher the encryption, the better.

BEST PRACTICE #3: MULTIFACTOR AUTHENTICATION (MFA) WITH SINGLE SIGN-ON (SSO)

Multifactor authentication (MFA) is a security practice that goes beyond the basic requirement of website users to provide an additional form of authentication to log in along with their standard user name and password. This is normally accomplished through SMS message, voice message, or a one-time code generated via an application on a user’s mobile phone.

MFA also can and should include more advanced website security methods, such as biometrics, GPS location, or a hardware token, but those can take more time and effort to implement. There are numerous MFA solutions available that can be incorporated into website security for customer and end-user access to a variety of services or applications. The addition of single sign-on (SSO) enables web users who need access to cloud applications, networks, and other business systems via the web to use a single sign-on rather than multiple sign-on steps as they access other connected systems.

BEST PRACTICE #4: UPDATE PLATFORMS AND SCRIPTS

Keep installed platforms and scripts up to date to eliminate security loopholes that allow malicious hackers to take control of the website. Without regular maintenance to all components of a platform, urgent fixes for major user-facing problems can become a large undertaking very quickly. System administrators must subscribe to manufacturer support and product announcements to be aware of current available patches and have a protocol in place to implement them immediately.

BEST PRACTICE #5: INSTALL SECURITY PLUG-INS

According to the most recent survey, WordPress CMS is used by 59 percent of websites with a CMS, from those of individuals to those of the largest enterprises. The most common way that hackers enter a WordPress site is through outdated plug-ins or an outdated WordPress install. Consequently, it’s imperative to install security plug-ins, wherever and whenever possible to actively prevent hacking attempts.

BEST PRACTICE #6: DILIGENCE, POLICIES, AND FIREWALLS FOR XSS ATTACK PREVENTION

It’s imperative that any code you use on your website for functions or fields that allow input is as explicit as possible in order to prevent cross-site scripting (XSS) attacks. XSS attacks consist of attackers injecting malicious JavaScript code that infects web pages and makes use of coding vulnerabilities.

While diligence in the coding process is the most important preventive measure, web application firewalls (WAFs) also play an important role in mitigating reflected XSS attacks. In addition, a robust Content Security Policy (CSP) allows specification of the domains that a browser should consider valid sources of executable scripts when on your page.

BEST PRACTICE #7: IMPLEMENT PASSWORD MANAGERS

More than just having password generators, businesses should implement password managers that can provide a wealth of important features, including:

  • Password generator
  • Local-only key encryption with AES-256
  • Automatic cloud credential backup
  • Master key only visible to administrator
  • Active Directory, LDAP, federated ID management, SIEM, and ticketing system integration
  • Compliance report generation
  • Employee provisioning and deprovisioning
  • Key self-destruct settings
  • FISMA, FIPS, HIPAA, PCI, compliance; SOC-2 certification
  • Security audit capabilities
  • 128-bit SSL for server communication
  • SHA-512 hashing

While all of these features may not be included in a single password manager solution, most are available in the more robust offerings.

BEST PRACTICE #8: LOCK DOWN DIRECTORY AND FILE PERMISSIONS

Locking down your directory and file permissions can be somewhat involved depending on the size of your business and whether or not you have a qualified systems administrator. While file server resource managers (FSRMs) are designed to enable administrators to perform these functions, there are automated tools available that simplify the process in large organizations.

BEST PRACTICE #9: IMPLEMENT MOBILE DEVICE AND MOBILE APPLICATION MANAGEMENT

Solutions to manage access to corporate applications and data where BYOD (“bring your own device”) policies are in place require mobile device management (MDM) and mobile application management (MAM) tools to control approved application installation lists, as well as approved Wi-Fi access points. IT can also require users to employ PINs to access their devices.

BEST PRACTICE #10: IMPLEMENT BACKUP AND DISASTER RECOVERY MEASURES

Perform frequent backups, keep a copy of recent backup data off premises, and test backups by restoring your system to make sure the process works.

Best practice standards and adherence for website security and mobile applications is only the beginning of an enterprise cybersecurity strategy. It’s important to remember that effective website security is an ongoing and evolving process that requires diligence, as well as the use of integrated forward-thinking tools that protect data, users, and customers.

5 Essential Cybersecurity Training Courses and Certifications

Maintaining the highest level of info security for your organization and your customers depends heavily on your workforce. You need skilled employees who can prepare for, recognize, and handle cybersecurity threats.

But keeping up with the latest training courses and certifications for cybersecurity pros can be a challenge. There’s no centralized organization or one specific path to follow. You must be prepared to sift through the options and prioritize based on your business needs.

That’s why we’ve put together a list of essential cybersecurity training and certification programs. It will serve as a guide in making sure new hires have the right background and qualifications and in directing your ongoing education efforts.

TAKE ADVANTAGE OF MOOCS AND FREE ONLINE COURSES

You’ve probably heard of Massive Open Online Courses, or MOOCs, designed to reach many people via the internet. These training programs are also a great way to stay up to date with the latest in cybersecurity strategies.

And you shouldn’t be concerned that these options lack substance or current information. Open courses from the Electrical Engineering and Computer Science Department at MIT feature lectures, reading, and assignments from classes on Network and Computer Security and Computer Systems Security. On the popular learning site Udemy, you’ll find a Cyber Security course delivered via video by an instructor from DeVry University.

You might also like:The Only Checklist You’ll Need to Uncover Your IT Security Risks

GET CERTIFIED WITH AN ACCREDITED PROGRAM

Industry certifications requiring a passing exam score ensure that IT professionals meet a certain standard and prove their knowledge. Independent organizations like ISACA and (ISC)2 offer several vendor-neutral certificates that measure the latest best practices in cybersecurity.

Certified Information and Security Manager (CISM)

Ranked as one of the most sought-after IT certifications, CISM covers the governance and management of info security programs, managing risk to an acceptable level, and detecting and responding to incidents to minimize business impact.

Certified in Risk and Information Systems Control (CRISC)

Measures the identification and assessment of risk in IT systems, strategies for response and mitigation, and avenues for monitoring and reporting.

Certified Information Systems Security Professional (CISSP)

A globally recognized standard in infosec, the CISSP ensures knowledge and understanding of new cybersecurity threats, technologies, regulations, and standards.

ADD A GRADUATE-LEVEL CERTIFICATE

For IT pros with a bachelor’s degree, more colleges and universities are beginning to offer graduate certificates. Compared to a graduate degree, these course offerings can provide a quicker path to a professional credential.

For example, Harvard University offers a Cybersecurity Certificate. Students complete four courses—including two electives—within a three-year period. Often these classes can be completed online, and in many cases, can also be applied toward a master’s degree.

While you and your company can’t go wrong with any of these cybersecurity training programs, these options may not be enough. Cyber threats are approaching from all directions and can impact every business process. Ensure your business is safe.

Partnering with an established company that provides enterprise risk management means that you’re prepared for the latest security threats to people, processes, technology, and facilities.

One proven strategy is to boost your existing workforce with added human capital. Work with highly trained temporary employees with security technology backgrounds, and consulting support when you need it, to handle compliance and regulatory tasks.

Keeping your organization on track for its business goals while fending off growing security risks can be an overwhelming job. Contact us today to find out how we can work together to keep your enterprise protected.

What You Must Do to Ensure Enterprise-Level HIPAA IT Compliance

For enterprises that handle consumer healthcare information, the Health Insurance Portability and Accountability Act of 1996 (HIPAA) has become one of the most important regulations around data security. A lack of understanding of or commitment to HIPAA requirements has proven to be costly for a variety of organizations. For example, CardioNet, a provider of remote mobile care for patients at risk for cardiac arrhythmias, was recently ordered to pay $2.5 million in noncompliance fees for not fully implementing safeguards for electronic protected health information (ePHI).

CardioNet was reported to the government agency that handles HIPAA complaints after an employee laptop was stolen, endangering the personal health data of nearly 1,400 individuals. The $2.5 million penalty will no doubt be a blow to the organization; meanwhile, the damage to its reputation will likely be felt for years to come.

The CardioNet example illustrates how important it is that enterprises meet the strict—and, at times, complex—security and privacy standards set forth by HIPAA. But with so many other cybersecurity concerns to contend with, you may be wondering where to start. Here, we explain what your enterprise must do to ensure HIPAA IT compliance:

You might also like:The Only Checklist You’ll Need to Uncover Your IT Security Risks

MEET BOTH SECURITY RULE AND PRIVACY RULE STANDARDS

The U.S. Health and Human Services (HHS) website explains that organizations must meet two key standards:

  1. The HIPAA Privacy Rule, which establishes national standards for the protection of certain health information
  2. The HIPAA Security Rule, which establishes a national set of standards to protect certain health information that is held or transferred in electronic form

The Privacy Rule applies to private health information in any form, while the Security Rule specifically covers ePHI. The latter was designed to protect people’s health information while providing a path forward for organizations looking to adopt newer technologies and techniques for handling such data, including electronic health records, digital pharmacy and laboratory systems, and computerized physician order entry (CPOE) systems.

To comply with both the Privacy and the Security Rules, you must meet a list of requirements, including:

  • Ensure the confidentiality, integrity, and availability of all ePHI that your enterprise creates, receives, maintains, or transmits
  • Identify and protect against potential threats to the security or integrity of the information
  • Protect against reasonably anticipated, impermissible uses or disclosures
  • Ensure compliance by all employees

To effectively protect patient data, HHS expects organizations to conduct frequent risk analysis to identify potential threats and evaluate their likelihood and impact.

MEET ALL APPLICABLE SAFEGUARDS

The Security Rule is the key to ensuring enterprise-level HIPAA IT compliance. The rule is divided into three different safeguard categories: administrative safeguards, physical safeguards, and technical safeguards. In turn, each safeguard category is divided into standards that are meant to guide an organization toward compliance.

It’s important to note that some implementation standards are mandatory, while others are “addressable,” or recommended. Generally, it’s best to err on the side of caution, but your organization may decide against implementing certain “addressable” standards.

Here is a brief overview of each of the Security Rule safeguard categories:

  • Administrative safeguards govern a company’s workforce and how it handles IT security. Standards cover the following areas:
    • Security management process
    • Security personnel
    • Workforce security
    • Information access management
    • Security awareness and training
    • Security incident procedures
    • Contingency planning
    • Evaluation
    • Business associate contracts and other arrangements
  • Physical safeguards focus on physically protecting electronic systems and data from unauthorized access, environmental dangers, and other outside threats. Standards include:
    • Facility access controls
    • Workstation use and security
    • Device and media controls
  • Technical safeguards protect the data itself and limit access to it. Standards include:
    • Access control
    • Audit controls
    • Person/entity authentication
    • Transmission security

MEET RISK ANALYSIS REQUIREMENTS

The Office for Civil Rights (OCR) also requires organizations to conduct and document risk analyses to identify what steps they need to take to meet the HIPAA Security Rule and to ensure that all ePHI is being properly protected. The risk analysis can be a self-evaluation or can be done by a third-party consulting firm.

The OCR offers general guidelines on those elements of a risk analysis that must be evaluation and documented; however, a full risk assessment will be different for many organizations. It’s important for organizations to realize that risk analyses are in fact required, and documentation of your analysis would be one of the first items requested during a HIPAA audit.

CONDUCT REGULAR REVIEWS

Of course, HIPAA compliance isn’t a one-and-done task. It’s a process that requires regular audits and review, constant vigilance, and ongoing training of new and existing employees.

At an enterprise-level organization, achieving HIPAA IT compliance will require dedicated resources and complete buy-in from the top down. The good news is that thousands of organizations nationwide are successfully meeting HIPAA requirements and, in turn, helping to keep their IT data extremely secure. Working through the HIPAA safeguards and standards may help to heighten your level of IT security enterprise-wide—a goal that all companies could benefit from today.

To get started, you and your team can easily find helpful HIPAA checklists online. However, to ensure ongoing compliance and to meet the requirements for risk analysis, consider partnering with an IT consulting firm that can provide insight into your IT security position and what needs to be done to ensure all applicable HIPAA rules and standards are met.

Best Practices in IT Security Services

In just the past few years, spending on cybersecurity initiatives has soared. For example, Bank of America now boasts a “whatever it takes” attitude toward budgeting for IT security services and cybersecurity. That’s because it’s crucial for businesses to keep data secure while maintaining a network with maximum availability, productivity, and efficiency.

But what about other organizations that don’t have unlimited funds to throw at the problem? Adhering to IT security best practices doesn’t require a blank check, but it does take advance planning and attention to detail. If you’re an IT director looking to bolster security and keep cybercriminals out, then make sure you’ve incorporated each of these security features into your plan.

HANDLE THE BASICS.

Don’t neglect common security controls like firewalls, network-based antivirus protection, intrusion detection systems, and remote-access virtual private networks (VPNs). These basic protections lay the foundation for IT security and repel known cybersecurity threats.

Block unsafe traffic.

As the first line of defense, firewalls filter network traffic—both coming and going—using IP addresses, domain names, protocols, and ports.

Extend remote access.

Many organizations need a way to securely allow access to employees and contractors beyond the office walls. Remote-access VPNs create encrypted passageways that extend the network without compromising security.

Detect and respond to security threats.

Intrusion detection systems (IDSs) operate on networks or individual devices, monitoring traffic and alerting administrators about potential threats. Best-in-class IDSs are reactive, identifying suspicious or malicious traffic sources and responding to threats using predefined actions.

You might also like:The Only Checklist You’ll Need to Uncover Your IT Security Risks

Comply with industry standards.

Most businesses face at least one set of compliance standards—like PCI DSS or HIPAA—to maintain the safety and integrity of consumer data. Instead of viewing these requirements as an unnecessary hassle, use the guidelines to find and close gaps in your IT security services.

Protect against the human factors.

Some of the biggest cracks in your IT security plan can result from the unknowing actions of employees. That’s why you need to set your workers up for success with consistent policies and regular education.

Just right access.

Every employee—from the CEO to the receptionist—should have the right amount of access needed to complete daily tasks. By updating passwords and removing user names for inactive accounts, you’ll know that unauthorized users will have a harder time accessing vital systems.

Promote regular training.

Educating workers about the latest cybersecurity threats can be a challenge. Look for ways to provide daily training tips that will keep information top of mind.

Boost awareness of social engineering tactics.

Most employees are honest and may not realize that fraudulent requests may come via trusted channels—like someone impersonating an IT department worker or even your CEO. Teach your people to be very cautious when giving up user names, passwords, or other sensitive information—especially via email or over the phone.

PREPARE FOR THE WORST.

Preventative measures keep data safe until they don’t. Know what you’ll do when disaster strikes and give the people in your organization opportunities to test those strategies in real life.

Maintain a data breach response plan.

Because so many organizations have experienced cybersecurity breaches, you can’t assume it won’t happen to your company. Take the time now to think about what steps you would take to limit the damage and prevent vulnerabilities—and have that plan ready to go.

Practice disaster recovery.

While most organizations maintain secure data backups and disaster plans, not as many take the next step and put those plans into action. Stage mock scenarios and you will quickly find out what worked and will expose any weaknesses.

PROACTIVELY MANAGING THREATS.

How does your company’s plan measure up? Managing IT security services requires plenty of planning, foresight, and manpower. If you have the first two handled, but are running short on staff, you may want to consider outsourcing cybersecurity measures.

Partnering with an established IT consulting firm means you’ll have access to best-in-breed tools and applications to keep networks running at a high level without compromising security. It can be a cost-effective way to deploy organizational resources while freeing up your in-house team to focus on business development projects.

The Enterprise IT Security Services You Need to Stay Competitive

According to the IDG 2017 Global State of Information Security Survey, 62 percent of the 10,000 respondents use managed security services for cybersecurity and privacy. This shows that enterprises understand the need for end-to-end security and well-defined policies that align with their business objectives. Of course, this journey must start with creating a plan of action for responding to each type of threat and the specific IT security services needed to do so.

IT services should be chosen to enable a comprehensive response strategy to different threats. Although foundational, this goes beyond patch management, data backup, and full disk encryption. By using policy-based solutions like next-generation firewalls, behavioral firewalls, and other network security devices, enterprises can obtain the desired level of security.

FIREWALLS AND VPNS

Next-generation firewalls can help protect the enterprise from attacks outside the perimeter of the network while VPNs provide security with data transmissions inside and outside those parameters. An integrated firewall/VPN client can automatically enforce security on a more granular level with enterprises’ data transmissions on a remote office/branch office and user level. The many features of VPNs and next-gen firewalls enable administrators to:

  • Enforce centrally managed client security policies
  • Implement rule-based access control on clients
  • Specify different policies for different user groups

Related Content:The Only Checklist You’ll Need to Uncover Your IT Security Risks

Organizations with different types of remote-access VPN users—such as salespeople and IT staff—can tailor desktop security policies to the varying needs of their users via the cloud. Other important services for access to cloud applications include:

  • Single sign-on
  • Multifactor authentication
  • Role-based access controls
  • Behavioral firewalls
  • Privileged identity management tools

These can all help rapidly and systematically restrict access to users if required and can define security policies by individual, group, or organization. Then there are other IT security services such as endpoint detection and response solutions, network security monitoring, and advanced security analytics. These services work to provide monitoring and analysis of endpoints, traffic, and log analysis of internal machines and security event/incident management and monitoring.

BACKUP AND RECOVERY

Finally, backup and recovery services are a crucial part of end-to-end IT security services. Cloud backup and recovery has become a part of most enterprises where full, differential, or incremental backups are utilized. The choices of public, private, or hybrid cloud backup is dependent on the security needs as well as the TCO parameters that the business has set.

Hybrid cloud backup is the combination of both cloud backup and on-premises or private cloud backup. Hybrid cloud data recovery utilizes VM image backups that are copies of the current VM or a physical server (V2V and P2V, respectively) as part of the backup process. The local storage appliance stores these images in the event of the primary server going down.

This enables server consolidation where a single server can act as a standby for multiple virtual and physical servers. In this case, hosted disaster recovery services can provide high availability to the production server environments as part of their backup infrastructure. Ultimately, the VM images are moved to the cloud provider, which can provide the backup from a choice of strategically placed data centers.

IT SECURITY IN THE DIGITAL AGE

In the digital age, enterprises must prepare for the inevitability of cyberattacks that can compromise the business in monumental ways. The implementation of end-to-end IT security services, along with the policies that govern their use, provide granular and graduated responses that enable businesses to circumvent attacks. The goal is to give them more options and flexibility so that the entire business does not have to come to a grinding halt to keep threats at bay.

How to Craft an Enterprise-Level IT Security Strategy

Across the nation, corporations are still haunted by some of the largest IT security incidents in history, such as the attack on Yahoo, the hack of the Democratic National Committee, and the difficult-to-forget Target breach. If your enterprise is like most, these types of incidents move IT leadership to action, checking to ensure that security protocols are still in place and followed. But what if you could do more to safeguard your cyber assets?

For a growing number of enterprises, a full-scale IT security strategy has become a necessity. It’s no longer enough to adopt a reactive security position. As cybersecurity threats continue to escalate and grow increasingly sophisticated, now is the time to be proactive and strategic about protecting your enterprise.

Luckily, in this age of hypervigilance over cybersecurity, there are plenty of well-established best practices to help get your IT security strategy started. Here are seven of them:

1. AUDIT YOUR CURRENT CYBERSECURITY EFFORTS.

First, take the time to assess the organization’s current state of IT security. Include key stakeholders who have the technical skills and knowledge to fully assess the risk environment and the company’s position.

Be sure to evaluate the entire security framework. Consider how well-protected the enterprise is against threats, both internal (careless employees, poor data security protocols, etc.) and external (stolen credentials, denial-of-service attacks, etc.). Determine what is working—and what is falling short.

This initial audit should be a starting point for a more in-depth review. When necessary, partner with an experienced IT security consultant for a comprehensive audit.

Related Content:The Only Checklist You’ll Need to Uncover Your IT Security Risks

2. DEFINE YOUR SECURITY GOALS.

Following your audit, assess what needs to change to achieve a higher level of security. Are you effectively protecting data, discouraging high-profile cyberattacks, staying in compliance, and safeguarding the company reputation? If not, define these goals and start working out a way to get there.

3. CREATE A SECURITY ROADMAP.

With your security goals in mind, create a roadmap that will guide you from your current security position to your ideal one. What steps need to be taken to achieve each of your goals? Which departments, stakeholders, or partners need to be involved? It can be helpful to gain leadership approval of your roadmap, and then share it with the appropriate department heads, to ensure everyone understands his or her role and is on the same path toward success.

4. CULTIVATE A MORE SECURE CULTURE.

The most stringent security policies will still be ineffective if your people don’t take cybersecurity seriously. That’s why it is vital to encourage a more secure culture throughout the entire organization, from entry-level employees to your leadership team.

Establishing a set of organization-wide best practices for cybersecurity can help kick-start a more secure culture. How should employees handle passwords? How will data be backed up? Who will have access to sensitive information? These are the types of questions that should have well-established answers. Create your company’s best practices and publish them in a place where everyone can gain easy access.

Then, ensure that cybersecurity is a key part of training for new employees. If necessary, provide refresher training for all employees once a year or so to remind them of existing cybersecurity policies and to introduce new ones.

5. WATCH FOR EMERGING THREATS.

New cybersecurity threats emerge all the time, and hackers grow increasingly sophisticated every year. That is why it’s important to keep an eye on emerging trends and threats that may impact your network. Even now, your organization’s use of BYOD devices or IoT technology could be exposing the network, or shadow IT systems may be gathering vital information on your customers. It’s important to be aware of these new threats so that you can account for them in your planning.

6. INVEST IN CYBERSECURITY.

Today, there is no denying that enterprises must dedicate a portion of their budgets to cybersecurity. Research shows that the average cost of a single data breach now averages $4 million—and that figure grows every year. For some companies, a cyberattack hurts the bottom line (and their reputation) so much that they cannot recover.

But a proactive investment in cybersecurity can shield you from many of the leading cybersecurity risks. A comprehensive approach should include tools such as anti-virus software, firewalls, and cybersecurity training for employees and associates.

7. SCHEDULE ONGOING ASSESSMENTS.

Unfortunately, an initial audit isn’t going to keep your organization secure forever. Be sure to hold regular audits and assessments to continually check for new vulnerabilities and ensure the company is still protected and compliant.

Internal audits are helpful every year or so, while an external assessment can help you gain a more full-fledged picture of your security position. Partnering with a cybersecurity consultant can help you stay up to date on new threats, without having to constantly worry about whether you’re vulnerable.

ADDRESS CYBERSECURITY HEAD ON

IT security threats evolve quickly, and it’s important to stay vigilant of hackers, spyware, and viruses. Centrinet protects your enterprise from cybersecurity threats while ensuring optimal uptime, productivity, and efficiency. We constantly monitor and manage your network using leading tools and partnerships to ensure you are not only well-protected but also achieving the IT performance levels you need in order to be successful.

3 IT Security Compliance Challenges Facing CIOs

In a security landscape that brings new threats and attacker approaches daily, CIOs face challenges of threats on one side of the spectrum and IT security compliance challenges on the other. From the Sarbanes–Oxley Act (SOX) and Payment Card Industry (PCI) Data Security Standard to HIPAA and a host of other regulations, a wide spectrum of business sectors continues to struggle with implementing integrated security technologies.

CIOs must face a variety of emerging ingress and egress security challenges due to IoT, BYOD, cloud computing, and the growing need for application access, among others. These all pose different and overlapping regulatory and other compliance challenges that require CIOs to provide end-to-end, adaptable, and easily reported security measures.

For example, many healthcare organizations still struggle to reach HIPAA compliance, particularly with the HIPAA Security Rule. According to the 2017 SecurityMetrics Guide to HIPAA Compliance research report, smaller-entity non-compliance poses a threat to larger-partner entities. The research shows that:

  • 50 percent of respondents don’t know if their organizations use multi-factor authentication
  • 41 percent don’t know how often their firewall rules are reviewed
  • 26 percent don’t use mobile encryption
  • 27 percent don’t encrypt emails containing patient data
  • 51 percent don’t test employees on HIPAA-related training

Regulatory-compliant firewalls, PHI encryption, mobile device security, wireless network security, emails, and access management are all areas where CIOs in healthcare, finance, and retail can have compliance security challenges. The cloud stack becomes both a source of opportunity and a vulnerability that affects these areas.

Read on to discover the top compliance and security challenges facing CIOs.

1. THE CLOUD STACK, SHADOW IT, AND VPNS

The cloud stack—whether it be software as a service, platform as a service, or infrastructure as a service—has become integral to every sector. This has created an environment where private, public, and hybrid cloud solutions define businesses’ approach to computing, networking, storage, and security. While security is a challenge for every business, it is particularly challenging for the healthcare, financial, and retail sectors, which must deal with data security and compliance regulations.

Essentially, businesses must put processes and technologies in place for data and access management throughout the cloud computing life cycle.

Related Content:The Only Checklist You’ll Need to Uncover Your IT Security Risks

For example, PCI compliance is a major concern on the cloud, as many businesses must provide application access for consumers to make transactions quickly, efficiently, and safely. Here, application delivery controllers can play a major role in securing that access via appliance integrated firewalls as well as load balancing, compression, and caching.

The democratization of the cloud has enabled departments to provision cloud services for storage, communication, application access, and application development, among other things, without going through the IT department. This shadow IT becomes a major security challenge when the CIO’s security team is bypassed and is unaware of its use.

While employees are the weakest link in an organization’s infrastructure, anyone with access to corporate endpoints, data, and applications is a security risk, including contractors and business partners. This can manifest in cybersecurity risks via email, web use, mobile devices, and more.

This requires an overarching set of tools and protocols for monitoring, provisioning, and securing these areas. For example, the right cloud-as-a-service provider can facilitate a customized cloud model to fit both business and compliance needs. Of course, the movement of data to and from the cloud is part of a larger compliance concern that starts with the network.

2. NETWORK INGRESS AND EGRESS SECURITY

The increasing demand for network access has driven a need for securing devices within the on-site network as well as those outside of the network. This has spurred greater regulatory requirements for attaining network security compliance, which includes:

  • Securing mobile devices
  • Enabling protection from malicious software
  • Gaining control over access, permissions, and termination of network devices

Here is where end-to-end cybersecurity support via continuous monitoring tools and protocols can be vital in maintaining compliance with other security standards like HIPAA, SOX, and PCI. A solid continuous monitoring strategy incorporates analysis and reporting, management oversight, tools, training, and testing.

The use of remote-access VPN solutions that integrate Internet Protocol Security and SSL technologies in a single platform can enable unified management while establishing an encrypted tunnel across the internet for remote employee access. The advent of virtual firewalls for private cloud, hybrid cloud, or public cloudenvironments provides uncompromised flexibility, effectiveness, and performance. Some virtual firewalls integrate additional networking functions such as site-to-site and remote-access VPN, QoS, and URL filtering.

Data encryption is an important tool, but encryption alone does not satisfy every IT security compliance challenge. The entire area of access management requires a more holistic approach that integrates technology solutions and protocols to ensure access control and lessen the security compliance burden.

3. ACCESS MANAGEMENT

According to a Citrix/Ponemon Institute survey released in January of this year, 71 percent of IT leaders admit they are at risk from an inability to control employees’ devices and apps. The proliferation of BYOD, coupled with cloud, network, and application access, provides CIOs with access management challenges. Consequently, identity and access management solutions should include:

  • Mobile device management policies and technologies
  • Mobile app management security apps
  • Enterprise mobile management suites
  • Robust encryption and automated encryption key management
  • Multi-factor authentication and biometric tools

When it comes to IT security compliance, CIOs must create a holistic approach to data and access security to protect the organization from both internal and external threats. Data protection requires that CIOs create and oversee holistic policies and integrated technologies to keep their organizations safe and secure.

Staying Ahead of Ransomware: 7 Necessary Tactics

Are you concerned about a ransomware attack on your company? It’s not an idle threat.

In 2016, the number of these attacks each day reached 4,000, up 300 percent from the previous year. Healthcare organizations have been hit especially hard, as more than half of hospitals in the United States faced ransomware attacks between April 2015 and April 2016.

The success of cyber criminals in deploying ransomware depends on catching potential targets without the proper security rules and controls in place. But if your organization knows what to do before the attack comes, you’re less likely to fall victim to these security threats.

Is your company simply reacting when you hear about a ransomware threat on the horizon? Or are you proactive, with an IT security plan in place that adapts to the changing threat landscape?

Integrate these seven key tactics into your organizational plan and you’ll always be on the offensive against malicious attacks.

1. START WITH A COMPREHENSIVE HEALTH CHECK.

Just like a regular physical measures the health of your body, a health check of vital business systems keeps your organization out of trouble. A health check is a review and analysis of traffic and system architecture, along with scanning to pinpoint vulnerabilities.

You might also like:The Only Checklist You’ll Need to Uncover Your IT Security Risks

2. PROTECT IT ASSETS.

Ensuring asset protection readiness includes auditing user accounts to limit or remove administrator rights, taking inventory of systems like software, and configuring settings and access to enhance security and prevent intrusions.

3. UNDERSTAND BUSINESS RESILIENCE.

Can your organization handle emergencies and crises while maintaining business continuity? That’s business resilience. It’s an ongoing process that requires regular attention so that everyone in the company stays ready for the unexpected. As your industry changes, technology evolves, and risk tolerance shifts, the plan to ensure business resilience must adapt.

4. FORTIFY DEFENSES.

Beefing up security for core operations means reviewing access control policies; physical security; encryption; and controls covering email, malware, and ransomware. You’ll also need to configure backup and disaster recovery and implement training for everyone in the organization.

5. MONITOR DEVICES AND SET UP ALERTS.

The advent of BYOD (“bring your own device”) means that employees can unknowingly help penetrate the best security defenses. So you’ll need to monitor portable devices, create alerts that are sure to reach a human, and review log files consistently.

6. DEFEND YOUR CASTLE.

Playing defense never stops, and that means quarterly vulnerability scanning, annual reviews and awareness training, penetration testing, and ongoing risk assessments. You’ll also need to check in with vendors and service providers to confirm compliance.

7. PRACTICE DISASTER RECOVERY.

You probably have a business continuity plan, detailing what needs to happen when things go wrong and data is compromised or lost. But do you and your employees know exactly what to do? And can you do it quickly?

Instead of hoping your plan will work in an emergency, put it to the test. Giving workers mock scenarios and forcing them to restore systems and recover data from a disaster recovery backup is the truest measure of an effective strategy. When problems occur during the practice run, change your tactics and rewrite the plan.

Fending off security challenges requires solid preparation and regular maintenance. But you don’t have to do it alone. Partnering with an organization experienced in end-to-end security services means you won’t have to worry about the potential of ransomware attacks. Have a plan in place to identify, detect, and protect against cybersecurity threats so that you’ll never need to respond and recover.