The Newberry Group Blog


Tuesday, August 19, 2014

Keeping Student Data Secure in Education

As students and teachers alike embrace online learning tools, the need for better internet security in schools is becoming more apparent. The recent report on tech adoption in education by the Consortium for School Networking (CoSN) and the New Media Consortium (NMC) highlights this trend of hybrid learning models that “blend the best of classroom instruction with the best of Web-based delivery.” However, the report also points out that the safety of student data is considered a “difficult challenge” and “solutions are elusive.”

While internet security is a pervasive issue for all industries, schools deserve some extra attention. Along with the increased need for bandwidth to access online courses and tools, students and teachers are all too quick to share personal information through the internet. Schools need to carefully plan their network security in much the same way they plan their physical security. There has to be a good balance between access and security.

The solutions for balancing the security of student data with providing the right level of access required in today’s learning environment don’t have to be “elusive.” There is a full suite of solutions, such as network access controls or web filters, that are available at affordable prices and can offer the necessary protection for K-12 schools up through universities.

So what should you look for in a solution? Here are some good starting points:

  • URL Filtering – In 2013, 85% of malicious links used in web or email attacks were located on compromised legitimate websites. Controlling which websites can be accessed can limit the possibility of malware infecting your network.
  • Secure Data Transfer – An estimated 6% of all PCs will suffer at least one episode of data loss per year. 20% of all laptops suffer hardware related data loss in the first three years. A good IT strategy implements an off-site backup solution for important data. In an education environment, that would include student records. Securing this transfer of data is necessary as not only can the physical data be accessed but the transmissions of that data can also be intercepted.
  • Mobile Device Security – On average, network administrators are only aware of 80% of the devices on the network. In an educational setting, where nearly every student has a mobile device with the ability to connect to a local network, this figure is most assuredly much lower. Utilizing an agentless solution that discovers devices as soon as they access the network will protect vital information such as student records and institutional data while allowing the proper access necessary for the learning environment.
  • Bandwidth – With the inclusion of streaming media in today’s curriculum and the distribution of network resources across a geographically separated campus, load balancing bandwidth is essential to providing consistent access for both students and faculty.
  • Efficient Configuration – School IT departments are minimally staffed. And often, the staff is simply challenged by time and resources just to maintain let alone implement and improve the network. Solutions that are easy to configure and maintain yet provide robust security features are a must.


Posted by: Gerald Kennedy





Wednesday, July 23, 2014

How to Choose Security Solutions for Mobile Healthcare - Part 2

To read Part 1 of this series, click here.

According to the HIMSS Analytics 3rd Annual Mobile Survey, the top benefit to having mobile tech in facilities is increased access to patient information, and the ability to view data from a remote location. But this means there are thousands of devices accessing a provider’s network. In order to select a proper security solution that not only meets HIPAA requirements but offers the protection for medical device end points in use, medical IT Administrators must look at a number of factors:

  • What is on my network? This is the first and most important step in providing a secure IT enterprise. Many IT administrators believe they know what devices are on their network. However, healthcare facilities are littered with transient devices such as personal phones and tablets, patient monitors and diagnostic tools that have unique and often antiquated operating systems. These devices may only show up on IT networks once a week or perhaps once a month. It can be a daunting task to know exactly what is connected to the IT enterprise.
  • Controlling BYOD. Practitioners, nurses, and administrative staff often use their own unregulated devices, such as phones and tablets, to record data and communicate with staff and patients. Add to that the fact that many facilities offer open WiFi to their patients and guests. This creates a massive number of end points that are not monitored and leave the IT enterprise vulnerable to malware, viruses, and advanced persistent threats. Survey findings show that 32% of hospitals are not even using technology to enforce their BYOD policies.
  • End Point Compliance. Knowing what is on the network is one thing. Keeping known devices compliant is something else entirely. Security of an IT enterprise is only possible through awareness. Once the devices are discovered, IT administrators must be certain that they remain compliant. It is essential to be able to confirm which applications are installed and disable those that are unauthorized, verify whether or not each device meets established security policies, and know whether the device is current with the latest security patches and antivirus definitions.
  • Cost vs. Risk. While the Federal Government provides some mandates that direct medical IT Administrators to protect patient data, the healthcare IT network remains largely susceptible to your average hacker. It is up to each healthcare IT Administrator to protect the physical network to the degree they feel necessary to secure data and network end points. Healthcare budgets, like those in many vertical industries, are balanced toward production rather than protection. In the HIMSS Analytics survey, lack of funding was the most common barrier to implementing a security solution. An effective solution with a low cost of ownership is necessary. And while incentive programs such as the EHR Incentive Program may seem to tip this balance in favor of the healthcare facilities, the incentive received is certainly not equivalent to the cost of losing patient data.

Network administrators can’t secure what they can’t see. It is imperative that administrators have access to real-time visibility of everything on their network and be able to control what is on their network at all times. When choosing a solution that meets all of these requirements, look for one that is simple to install on your network, without the need for agents or client software.

If you’d like to talk more about end point security solutions or need help, get in touch with us!


Posted by: Gerald Kennedy





Monday, July 21, 2014

How to Choose Security Solutions for Mobile Healthcare – Part 1

The last time I visited the doctor, he recorded everything on a tablet device. While it’s convenient, mobile security is always at the forefront of my mind. I was doing a bit of reading on mobile security and came across the Medicare and Medicaid (CMS) Electronic Healthcare Records (EHR) Incentive Program. This program gives healthcare providers a financial incentive for demonstrating the meaningful use of certified EHR technology or for adopting, implementing, or upgrading EHR technology. EHR technology allows providers to easily record and share patient data so that it’s consistent and readily available throughout the provider chain. This is certainly a great benefit to all healthcare providers as well as patients. There is no need to transfer records, and records can be updated in real time through handheld devices, patient monitors, or diagnostic tools connected to the network.

However, broader access to electronic databases and the use of additional devices to access that data only add to the already vulnerable IT environment within the healthcare industry. IT components within healthcare are already severely susceptible to hacking and advanced persistent threats. Medical device end points, such as monitors and diagnostic tools, could have severely outdated operating systems that don’t lend themselves to standard patching processes. Even personal healthcare devices, such as insulin pumps, have known vulnerabilities, as demonstrated by Jerome Radcliffe when he hacked his own insulin pump. These weaknesses, coupled with the fact that medical practitioners regularly bring their own smartphones and tablets and are often unregulated at many facilities, leave a provider network open and vulnerable.

The HIPAA Security Rule provides standards for the securing of electronic health information. These rules are in place to protect patient data through access control, audit controls, integrity controls, and transmission controls. While important, they rely on the provider to select and implement the necessary security solutions to prevent a data breach. And without proper security for personal and medical end point devices, it is only one finger in a dam that has many holes.

Stay tuned for Part 2 later this week where I discuss the factors to consider when looking at different security solutions.

UPDATE: Part 2 is live! Check out: How to Choose Security Solutions for Mobile Healthcare - Part 2


Posted by: Gerald Kennedy





Wednesday, October 30, 2013

The Responsibilities of Cleared Personnel

With October being National Cyber Security Awareness Month, this is a good time to think about the responsibilities that come with having a security clearance. It’s especially timely with the recent high profile security events of Chelsea Manning, Eric Snowden, or Aaron Alexis. We may seem surprised by their actions, but if we think back to Aldrich Ames or Robert Hanssen, we see that these events are not the first of their kind.

When we obtain security clearances as government employees or contractors, we take on a multifaceted obligation: protect the technology and information that we have access to, ensure that others are doing the same, and ensure that we and our colleagues remain fit to work in a secured environment.

Once we complete the background investigation and possible polygraph process, we are given strict guidelines in how we handle and protect information from both a technological and a philosophical perspective. No matter how obvious it may or may not be, the information we access is directly or indirectly related to the safety and well-being of our warfighters abroad, our allies, our state department representatives, and even civilians. Even if you encounter information or programs that you disagree with from a philosophical, moral, or legal perspective, there are internal government avenues to voice your concern without jeopardizing the information to the general public. Choosing the avenue of public disclosure only serves those who wish to harm our interests or freedoms. That route is very treacherous, possibly traitorous and most likely illegal.

Even though you may be confident and diligent in your efforts to protect information, that doesn’t mean those around you are thinking the same way. It is equally your responsibility to be observant of the actions taken by others working with sensitive information. When suspicions arise, muster the moral courage to approach the appropriate personnel and report your concerns. Quick action could result in stopping a serious security incident.

Lastly, we must be cognizant that we and our colleagues are displaying the mental capacity to operate in a secure environment. Working in a secure setting can easily create a false sense of security, and we assume that individuals around us are just as fit to be there as we are. However, secure areas are just as susceptible to criminal activities as an urban street corner, including anything from theft to shootings. There appears to be a growing number of mentally unstable individuals who have somehow slipped through the security screening process, or co-workers upset by a life event who feel impelled to pursue indiscriminate or directed attacks against co-workers. We must be alert to suspicious signs and have the moral courage to approach or report those who may no longer be fit to work in a cleared environment.

Some view the Mannings and Snowdens of the world as whistleblowers or even heroes. However, the information they released was not theirs to disclose or release and may ultimately seriously affect the freedoms of Americans. Conversely, attacks within a cleared setting, such as the recent Navy Yard shooting attack, raised concerns about the security screening process. These unfortunate recent events can serve to reiterate that protecting information and maintaining a secured environment is an ongoing responsibility for everyone with a security clearance. By following tried and true policies and procedures, the right outcome can be achieved.


Posted by: Steve Cadogan





Wednesday, August 14, 2013

Employee Data Protection: Securing Your Most Valuable Asset

Protecting employees’ personal data is a big responsibility that falls on the shoulders of anyone who has access to create, store, handle or view personal information that is contained within Personnel and/or Accounting records. Federal regulations in the Privacy Act of 1974 hold government agencies accountable for the proper management of personal information, which raises the concern for how private employers protect their employees’ personal information.

Personnel files should always be maintained with utmost care and confidentiality and only shared with others on a need-to-know basis, and with the express written consent of the employee, as required by law.

While there is an endless host of actionable possibilities to protect our employees’ personal data, it is important for employers to adopt some commonsense practices, which may include:

  • Never respond to outside inquiries, other than job title, dates of employment, and employee status, for employment verification without prior written consent from the employee.
  • Develop policies and procedures with your IT department and use up-to-date technologies to protect personal information that is maintained in electronic format. Develop internal controls, such as limiting the number of people who can access personal information, as well as limiting which data each individual can view.
  • Safeguard all paper copies of personal information under lock and key with restricted access.
  • Only collect information from each employee that is required to pursue the company’s business operations and to comply with government reporting and disclosure requirements.
  • Always keep the medical history of an employee in a separate file with restricted access.
  • After employees are terminated, keep their files in your records in accordance with applicable state and federal laws. You can learn more about federal requirements by visiting the US Department of Labor’s website or by searching individual state Department of Labor sites.
  • Have a written code of ethics and a confidentiality policy, and require every employee to sign an acknowledgment of having read the policy. Place the signed acknowledgment in each employee’s personnel file.
  • Develop a procedure for the confidential reporting of breaches such as an ethical hotline.
  • Communicate to your employees the types of data that are not considered confidential, such as partial employee birth dates (i.e., day and month only, but not year), an employee’s company anniversary or service recognition information, etc.

The bottom line is that employers should take every reasonable precaution to protect the personal data of their employees, whether that information is held in a government database or not. Not only is it the right thing to do, it’s just good business. After all, our employees are our most valuable asset, and taking extra precaution to protect our most valuable asset is an investment that contributes directly to the company’s bottom line.


Posted by: Brinda Beasley





Tuesday, June 11, 2013

Social Media in the Cyber Security Space

Last fall, I started as an intern at the Newberry Group with objectives of assessing the impact of growing a social media presence, developing a strategy for social media use and executing on that strategy. After nine months, my team and I accomplished these objectives and learned a great deal about the cyber security digital community in the process.

In my relatively short, but deep dive into social media strategy and development over the last two and a half years, I’ve witnessed how different the digital communities can be. The cyber security digital community is particularly fascinating. My team found that cyber security professionals tend to fall into two buckets when it comes to social media. There are those who embrace social media due to their above average understanding of its utility, and there are those who avoid it at all costs due to their above average understanding of the risks associated with it.

This creates an interesting obstacle when engaging with the cyber security digital community. The space expects a sophisticated level of engagement, yet can also feel fragmented and reserved. It seems most companies have accepted that they need to be present on social media, but there are huge disparities in utilization. Some online presences are merely placeholders while others are hosting weekly webinars.

My team at Newberry decided the greatest value was between these two extremes. We saw opportunities for talent sourcing, service promotion, and partnership development, but we also needed to be realistic about the amount of capacity we could commit to these efforts. The value is there to be had, but only with the people and buy-in to capture it effectively.

We knew we didn’t have the capacity to be active in every space or create a large amount of unique content, so we focused our efforts on building out the spaces we felt had the most value and created a content strategy that balanced quality and thought leadership with consistency and practicality.

Creating a social media policy also became a critical element of our strategy. The greatest enemy of engagement is uncertainty and, in a space as sensitive as the cyber security community, assessing the appropriateness of a 140 character tweet will likely lead to abandonment. We want to be as explicit as possible about our internal expectations for social media because we believe it will remove that uncertainty and foster greater internal engagement.

The development of a social media strategy and policy that balanced value with capacity is the product of what has become my biggest takeaway from my time at Newberry. I’ve learned that the benefits of social media do not appear overnight. Early wins can be few and far between. But sustainable and consistent execution of social media builds equity in a digital community that eventually translates into real company value.

This kind of sustainability requires a hard look at where a company can be most effective and then tailoring that to the company’s internal capacity. Instead of leaving social media to the intern as many companies do, my team decided early on that there was no point in me doing any of the day-to-day social media work. Instead, I focused on strategy and setting up Newberry’s internal structure – things that once set in place can be utilized with minimal maintenance.

I’m confident that as I leave Newberry my work will be appreciated, not missed. I’ve helped give Newberry the tools to continue to build value in the cyber security digital community on their own. While this was not part of the three original objectives I had going into the internship, I believe it is by far the most valuable and can serve as an example to others in the space.


Posted by: Ryan Steinbach





Tuesday, April 16, 2013

Social Engineering through Social Networking: Defending Your Organization

Human beings are the weakest link in data protection. Social networking has made this weakest link even weaker. Social engineering continues to be one of the most leveraged attack vectors for targeting an organization’s electronic data or IT systems. Historically, a social engineering attempt would consist of an unsolicited phone call or e-mail. Attackers would attempt to obtain reconnaissance-related information from an unsuspecting employee or get them to click a link, or download an e-mail attachment, that would introduce malware to the system, potentially allowing backdoor access to the network. As users have become more educated on information security, they have learned not to open attachments or click links from individuals they do not know or trust. However, with the continued growing popularity of social networking, potential attackers can perform a more targeted social engineering attack that greatly increases their likelihood of success.

One piece of information typically found in social networking profiles is employment information. A quick search on LinkedIn or Facebook can reveal a list of potential social engineering targets for just about any organization. By using the information found in the target’s profile, the attacker can craft an e-mail that looks legitimate and includes an attachment or link containing malicious software. If an attacker determines the target worthy, they may even establish a false profile reflecting similar interests and befriend the employee, allowing them to eventually introduce the malware through an e-mail or link.

Since it is not feasible to control and monitor what employees put on their personal social networking profiles, how can an organization appropriately defend against this type of attack?

1. User Education: This has been, and always will be, the most effective tool for combating social engineering. In addition to the typical IT security training provided by most organizations today, users should be educated on what company information is appropriate for disclosure on social networking sites and how this information could be used to exploit them. Employees should understand that individuals they make contact with online should not be considered a trusted contact. E-mail attachments or hyperlinks from these online contacts should not be accessed from company-owned computers.

2. Policy and Procedures: Organizations should prohibit employees from using, or listing, their company e-mail addresses on social networking sites. If the social networking sites are a means for networking or marketing and part of official job duties, then look at establishing a generic e-mail account with increased security restrictions that the employee can utilize. This will allow the employee to identify any contact that is made through the site and treat it as untrusted.

3. Security Infrastructure: A reputable web proxy with malware scanning capabilities should be utilized to scan web traffic for potential malware. URL filtering should be enabled and sites that contain known malicious code or malware blocked. Social networking sites should also be restricted for users that do not have a business purpose for visiting them. URL filters typically have groups of sites that are categorized and updated to make this process easy. Finally, a spam filter device or service should be used to scan inbound e-mail for malware and filter unwanted e-mail. Some spam filtering devices also have the capability to scan outbound e-mail for sensitive information such as social security or credit card numbers; this is commonly referred to as Data Loss Prevention (DLP).
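To make the DLP point concrete, the following Python script is an added illustration (not code from this post or from any product it mentions) of the kind of content check an outbound mail filter applies: pattern matching for payment card numbers and U.S. social security numbers, with a Luhn checksum on candidate card numbers so that look-alike digit strings (order references, ticket numbers) are not flagged. The three sample messages are constructed for the example.

```python
import re

# Constructed sample outbound mail bodies (not real data):
#  - "clean": nothing sensitive
#  - "leak": a Luhn-valid test card number and an SSN-shaped value
#  - "lookalike": a 16-digit string that fails the Luhn check
SAMPLE_MESSAGES = {
    "clean": "Hi team, the quarterly report is attached. Thanks, J.",
    "leak": "Card 4111 1111 1111 1111 exp 12/26, SSN 123-45-6789 for the file.",
    "lookalike": "Order reference 1234-5678-9012-3456, ticket 98765.",
}

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# AAA-GG-SSSS with the structurally invalid area/group/serial values excluded
# (area 000, 666 or 9xx; group 00; serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return normalised (separator-free) card numbers that pass Luhn."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def find_ssns(text: str) -> list:
    """Return SSN-shaped values found in the text."""
    return SSN_RE.findall(text)


def scan_outbound(text: str) -> dict:
    """Summarise sensitive-data findings for one outbound message body."""
    return {"cards": find_card_numbers(text), "ssns": find_ssns(text)}


def should_block(text: str) -> bool:
    """Policy decision: block the message if any finding is present."""
    findings = scan_outbound(text)
    return bool(findings["cards"] or findings["ssns"])


if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        verdict = "BLOCK" if should_block(body) else "allow"
        print(f"{name:10s} {verdict:5s} {scan_outbound(body)}")
```

Only the "leak" message is blocked: the order reference in "lookalike" has the right length but fails the checksum, which is exactly the false positive a naive digits-only rule would raise. A production filter would also mask the matched values in its alerts rather than log them in the clear.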

With employees advertising more personal information on social networking sites, we can expect to see a continued increase in targeted social engineering attacks. As with any security threat, a layered defense strategy is the best defense against social engineering attacks.


Posted by: Steven Carney





Monday, November 19, 2012

5 Tips for Building a Cyber Security Career

The cyber security field is rapidly expanding to deal with the accelerated risks of changing technology, and now is a great time to make the move into a security career. However, not only do you need the qualifications, but also an analytical mindset and good communication skills to effectively convey your expertise to a wide range of customers. Cyber security experts are always chasing an elusive problem, and you have to think outside the box quite a bit to find that advanced persistent threat. Here are five tips on how to build your successful career:

1. Develop a Solid IT Foundation

In the case of cyber security, it's really beneficial to have a strong background in information technology. A lot of universities have modified their curriculum to provide security-focused degrees. Previously you might have been restricted to computer science or information technology, but now there are actual degrees tailored around computer security. These programs are often sponsored by entities that are focused on cyber security and want to help build the workforce. For example, the U.S. government currently has a shortfall of cyber security professionals, so it has started working with universities to establish these programs to help grow the cyber security field and fill the jobs that it knows will be out there.

2. Get Certifications and Training

Certifications are necessary because they establish a foundation. They identify the individuals that have put in the time and effort to understand the fundamentals of cyber security. The CISSP certification is a well-known and internationally recognized security certification and is a great starting point. But with all the different domains of expertise within the security field, you should hone your craft and acquire certifications for your specific area.

3. Use Your Past Military Experience

Today, information technology in the military is no different than it is in the corporate world. There are disciplines within the military that focus on IT and cyber security, so veterans have an opportunity to directly transfer their experience from military service into commercial cyber security work. 

4. Use Your Existing IT Career

If you've been in IT for a long time and you have a strong background, you have most likely been exposed to security issues. In all reality, you probably have a level of experience that would qualify you to easily transition and adjust to cyber security work without having to start from the ground up. Talk to your peers or managers about what security opportunities are available to you. Also take some personal initiative to start working on a certification in your area of interest.

5. Build Up Practical Experience

At the end of the day, just like in any field, you need the qualifications and the practical experience. And you have to work your way up. Unless you have a lot of applicable experience, expect to start at the bottom and prove yourself so that you have the evidence to put in your resume. Certifications are great because they establish a foundation through the training, but practical experience is just as important. If you don't have the experience, be forthcoming about it, but also have the wherewithal to press forward with developing your career.

Are there jobs out there?

There is a wide range of cyber-related jobs, and almost every industry will have availability, whether it's on the commercial side or the federal side. In some cases, a cyber opportunity might be there, it just might be coupled with 2 or 3 other roles at the same time; you might be the cyber expert and the IT guru. Newer fields within information technology or security, such as cloud security, mobile security, digital forensics, and malware analysis, are all hot domains, so you'll see a lot of opportunities advertised. However, no area in cyber security has lost momentum. Cyber security as a whole is a hot industry to be in, and I predict it will be so for the next couple of decades. It's not slowing down.

 


Posted by: Phillip Justice, Jr.





Monday, October 15, 2012

October is National Cyber Security Awareness Month (#NCSAM)

We’re one of the official champions of National Cyber Security Awareness Month (NCSAM) and there’s still time to get involved! National Cyber Security Awareness Month is a campaign focusing on the need for improved online safety and security for all Americans. The National Cyber Security Alliance has sponsored National Cyber Security Awareness Month every October since its founding in 2003.

This year’s theme is “Our Shared Responsibility.”  So how can you help?

1. Share Tips and Resources with Your Friends and Family

The National Cyber Security Alliance (NCSA) website is full of tips on how to protect your personal information, teach online safety, and keep your business safe online. Would you know what to do if your accounts were hacked? Do you need resources to help teach cyber security in your classroom?  Does your small business have a Cyber Security Plan?
Find resources and tips on www.staysafeonline.org.

2. Attend An Event and Share It!

Organizations all across the United States are hosting cyber-related events to help raise awareness.

Newberry Group is proud to be a part of National Cyber Security Awareness Month. Anyone can help raise awareness in their community; let’s continue to help others stay safe online!

To learn more about the National Cyber Security Alliance, visit www.staysafeonline.org.


Posted by: Newberry Marketing Team





Friday, August 31, 2012

5 Tips to Get Your Data and Computer Storm-Ready

Hurricane season is upon the southern United States, and now is a good time to make sure your data and computer are prepared for an emergency too. Here are some tips to get you started:

  1. Backup your data with an online backup service - There are many online backup services to choose from. This article by PC magazine does a great job of outlining the different options available.

  2. Copy your User folder (the folder named "Username") to an external hard drive – This will ensure that all of your documents, photos, videos, music, desktop, and application data such as email archives and application preferences are saved. For the ultimate backup, consider making a "snapshot" of your entire computer with a program such as Acronis True Image (PC) or Carbon Copy Cloner (Mac). The "snapshot" will allow you to boot from that hard drive if you had to completely restore your files.

  3. Use a battery backup + surge protector – If you use a desktop computer, a battery backup will provide some buffer time for you to save your files when there is a power outage. Most battery backups also give you the benefit of a surge protector.

  4. Plug your cable modem’s coaxial cable into a surge protector – If you use a cable modem and your computer is directly connected to it via an ethernet cord, be sure to plug the coaxial cable into the battery backup. This will help prevent power surges being transferred from the cable, through the ethernet cord, and on into your computer.

  5. Unplug your computer when not in use during a storm – The most certain way to avoid power surge damage is to simply unplug your computer from its power cord.


Posted by: Breanna Cooke & Nicholas Trifiletti, contributor





