NEXT-GENERATION SECURITY REFERENCE GUIDE

CDW Reference Guide | February 2014 | 800.800.4239 | CDW.com/securityguide

This 2014 guide identifies the trends affecting enterprise security and provides tactics to help stay ahead of them.

INSIDE:

• The Top Security Trends for 2014
• Getting Serious About Data Loss Prevention
• Learning Lessons from the NSA
• Keeping the Mobile Environment Safe
• Protecting the Network While Achieving PCI DSS Compliance

Article 2: GETTING SERIOUS ABOUT DATA LOSS PREVENTION

Don’t fear DLP. Instead, learn how to use it effectively to limit your organization’s risk exposure from information leaks.

DLP efforts must be driven by the desire to reduce the risk of data loss in the organization, and that’s a lot more difficult than either plugging in a device properly or satisfying a group of auditors.

READ ABOUT:
• The challenges inherent in DLP
• The benefits of this security approach
• Who should lead a DLP program (and why)
• Details for the 5 steps to success

SECURITY AWARENESS

LEARNING LESSONS FROM THE NSA

The Edward Snowden affair offers some relevant launch points when looking for ways to shore up your security posture.

READ ABOUT:
• How the Snowden incident can benefit security awareness
• 4 tools to thwart insider threats
• Why access control remains critical
• The shifting landscape of encryption

For IT professionals, the drama around Edward Snowden, the former National Security Agency contractor who exposed untold numbers of federal documents about government spying operations, represents some of the most interesting and important technology security news of the past decade. An especially fascinating aspect is that it affects IT security in two completely different ways. No serious practitioner of information security can look at what happened at the NSA without asking two very different sets of questions:

• What is the insider threat within my organization, and are we doing all we can to minimize that threat?
• Is our sensitive data being captured by outsiders, and are we doing all we can to make such monitoring as difficult as possible to achieve?

Theoretically, none of these lines of thought should be new when it comes to IT security. These questions focus on topics that are day-to-day concerns for any good IT security manager. The particular circumstances of Snowden’s dramatic revelations and the accompanying attention from the mainstream media bring a new urgency to this work.

For many IT managers, the details of securing enterprise data have been off their radar, with most believing that their operating system and security staffers are trustworthy and are making the best security choices available. As the revelations of the NSA’s once-secret documents have shown, this is not a rock-solid assumption to make.

In addition, because of the wide-ranging coverage of Snowden’s activities, IT managers now have a more concrete context for discussing these issues with organizational leaders and other IT staff members. For example, trying to bring up the question of Transport Layer Security (TLS) configuration usually elicits yawns of disinterest from system managers and application owners alike. But when one can add the clause “… and if you don’t change this, then the NSA or anyone else can eavesdrop on our web traffic, as Snowden revealed.” to a sentence, it makes a highly abstract security concept real and creates a new incentive for action.

MINIMIZING THE INSIDER THREAT

IT security has long focused on access controls, especially at the Internet perimeter, where everything not expressly permitted is forbidden. In most enterprises, internal access controls are also in place, controlling both network access and data and application access, and thus minimizing the ability of any one party to view information not needed for his or her job. The glaring hole is usually the IT staff, who might have access to networks, systems and applications far beyond the limits appropriate for their job descriptions.

This is not the only concern that should be a wake-up call to all CEOs and CIOs regarding IT staff access. IT staff have the ability to exert disproportionate control over IT resources, as shown by Terry Childs, the San Francisco network administrator who, in 2008, was arrested and convicted on felony network tampering charges stemming from his refusal to divulge the password to the city’s Fibre WAN system to his supervisors. With privileged access to information, members of the IT staff are also ideally situated to perpetrate fraud, a temptation that becomes more difficult to resist during times of economic uncertainty.

The best way to deal with insider threats is to stop treating IT staff as if they are different from other organizational IT users. The long-term attitude within tech shops has always been that enhanced access makes their teams’ job simpler and easier, and provides faster resolution of problems — especially critical ones. All of this is true, but also beside the point.

Enterprise CIOs who wish to maintain the status quo should be required to reaffirm their clear decision to accept the risk offered by unfettered network, systems and database access, and to explain and justify that decision to the CEO of the organization.

No CIO wants to stand up and proclaim, “I cannot trust my staff,” just before changing all access controls. In fact, IT staffers will always have more access than a skeptical auditor would prefer. But IT teams should also be willing to put in place sufficient controls and logging such that no untrustworthy action by any member of the organization will go undetected.

Although the biggest change required to minimize insider threats is a change


MOBILE SECURITY

KEEPING THE MOBILE ENVIRONMENT SAFE

READ ABOUT:
• Why mobile security makes the IT team a system integrator
• How mobile device management fits into your security picture
• The main features of NAC tools for mobile security
• Meshing end-point and mobile security

[Table: Top MDM Evaluation Criteria. Columns: Criteria, Why it matters. Rows: Enrollment process, Platform support, Email controls, Encryption controls, Application and version control, Delivery mechanism, Network controls.]

PCI COMPLIANCE

PROTECTING THE NETWORK WHILE ACHIEVING PCI DSS COMPLIANCE

Some of the network security advice in PCI DSS is outdated and can distract from better approaches. These four tips will help you pass a PCI audit without exposing your organization to security threats.

READ ABOUT:
• Exploring access control capabilities
• Interior vulnerabilities
• Right-sizing firewalls
• Universal encryption

When it comes to compliance, the Big Kahuna remains the Payment Card Industry Data Security Standard. Why? Because PCI DSS affects any enterprise that collects, handles or transmits payment card data, and a lack of compliance can result in immediate and severe negative impact: the blocking of payment processing capabilities.

Every organization — large, medium, small, commercial, charitable nonprofit — must comply with the standard if they want to handle money via payment cards such as credit or debit cards. Even merchants that completely outsource their payment processing must comply, at least by attesting that they have no data onsite and have a written agreement with their payment handler to remain in compliance.

Although PCI DSS only applies, in theory, to the part of a network that has payment card data, many enterprises have not really segmented their network sufficiently to reduce the scope of compliance. Depending on the organization and the size of the network, PCI DSS may cover every network device and transmission, as well as every physical and virtual server.

Because PCI DSS is targeted and has an easy-to-understand set of requirements, it is not difficult for enterprises to comply with the spirit of the document. But, as with many standards of this type, it has spawned an entire industry of qualified security assessors (QSAs) that, for a significant fee, swarm over organizational networks to ensure compliance. Truth be told, these assessors are often more interested in enforcing the letter of the law and documenting “compensating controls” than helping organizations improve their security posture.

Enormous sections of the standard, which includes 12 chief requirements under six main categories, come down to common sense. And, if followed, PCI DSS can help maintain security of important network information. What’s more, an IT team can apply the standard to more than just payment card data.

However, it’s critical to understand that some of the network security advice in PCI DSS is outdated and can distract from better approaches. What that means is that the IT shop needs to make sure that adherence to PCI DSS does not run up against solid network security. Here are four tips to keep compliance and network security in harmony.

THE PRINCIPLES OF PCI COMPLIANCE

Need a primer on PCI DSS? This white paper offers an overview of its guidelines: CDW.com/securityguide3

Keep Your Data and Other Resources Safe

For more information on CDW’s security solutions and services, visit CDW.com/security

TOP SECURITY TRENDS FOR 2014

Read about:
• BYOD’s sweeping impact
• The continuing threat from cybercriminals
• Why every organization is a target
• Expanded cloud security demands
• Newsmaker Edward Snowden’s effect on enterprise IT
• Potential fallout from the Internet of Things

With these six trends in mind, IT teams can lay the groundwork for a layered approach to protecting their systems, data and users.

While the headlines are full of scary stories recounting the latest threats to enterprise networks, reacting to whatever’s on the cover of The Wall Street Journal or the home page of a slew of technology websites isn’t any way to run a network or an IT shop.

Instead, the best approach is to be aware of the long-term arcs in IT and security in order to have a grasp of what tactics the IT team will need to make sure the organization’s networks and systems stay ahead of the curve — instead of ending up behind a curve ball.


These six trends provide a big-picture view of what is happening in information security right now and for the near term. They also can serve as a baseline for must-do strategic initiatives in 2014 — efforts that will help organizations maintain a secure IT infrastructure well into the future.

1. BYOD Steamrolls Everything

While there’s little consensus on exactly what BYOD means (beyond bring your own device), the rough outline is clear: Someone wants to connect a personal device to the enterprise network. This isn’t a “Can I have some free Internet Wi-Fi to check Facebook on my lunch hour?” kind of connection. This is an “I want to be able to do real work with real data” kind of connection.

The implications of BYOD from a security and support point of view can be challenging. From the perspective of the IT team, there’s a device with unknown security characteristics that needs to connect to enterprise networks, download and then store sensitive data that will be largely out of IT control.

BYOD, as a large-scale trend, is also frequently shedding some light on the darker corners of the organization’s IT policy that typically have been swept under the rug: the CEO who wants to use her iPad device to stream presentations to video conferencing displays in her office, or the graphics department that (years ago) insisted its staff couldn’t work without Apple tools when Windows systems were the official platforms of choice.

And many IT teams themselves have been guilty of covert BYOD adoption, as network and security engineers often discovered that bringing in their own Unix-based notebooks (running OS X or Linux) gave them additional debugging and troubleshooting tools for day-to-day work beyond their enterprise-issued Windows desktops.

Within many organizations, BYOD started with remote access provided through virtual private networks. These VPN deployments let IT staff give users a way to connect securely when away from the office. This was also the launch of mobility, one of the most important work trends of the last decade.

But mobility was more about the connection than the device, and many organizations used a combination of techniques, such as Secure Sockets Layer (SSL) VPNs and device posture checking, to accomplish the goal of isolating semitrusted devices from networks.

What’s distinct about today’s BYOD trend is that it’s no longer covert and no longer isolated — and certainly no longer casual. But also, BYOD is focused on the device.

As inexpensive and pervasive access to smart devices reaches staff at all levels, organizations that had begun to embrace the initial concept of BYOD five or 10 years ago were able to expand mobility initiatives at their own pace. But organizations that have addressed BYOD only recently are being rushed into a complex arena filled with the 300 million Android and Apple tablets now in people’s hands. The consumerization of IT has become an unstoppable force for change in enterprise IT.

At its core, BYOD raises two questions for IT staff:

• How can it safely allow devices with unknown security postures to connect to organizational networks and information resources?


• When sensitive organizational data is present on personally owned devices, what steps must be taken to secure that data against disclosure or loss?

Broad BYOD adoption raises many questions about enterprise IT that can be easily answered through the installation of a few wireless access points and the launch of a network access control (NAC) pilot project:

• If putting a single unknown device inside the firewall strikes fear into the hearts of IT staffs, does that mean that the security model for the network is flawed and needs to be adjusted?
• If people will buy and use their own notebooks, has all the money spent on standardization, patch management and endpoint security, designing better standardized images, and managing large Windows infrastructures been a wise investment?
• As organizations look to outsource or just eliminate IT components, is BYOD an add-on to existing infrastructure, or is it a new way of doing business?

These are the types of questions that organizations of all sizes are now faced with as employees not just ask but expect to be able to use their own devices while on the job.

Of course, BYOD can be constrained and turned into a smaller problem solved by layering NAC, VPN posture checking and mobile device management (MDM) on top of existing networks. But BYOD, the latest variation on the mobility trend (which has been gaining in strength for more than a decade), offers a unique opportunity for organizations to radically rethink how to deliver and protect applications and information — an opportunity that doesn’t come along every day.

2. Cybercriminals Work More Late Nights

Every IT manager should realize by now that there are just as many black hats as there are white hats in the security business. Whether the bad guys are looking for fame and notoriety, want to make a political statement, are trying to make money or are just bored and looking for some excitement, they’re out there. And they have more time and energy to devote to the quest of finding ways around enterprise security than an organization does to defend against them.

The result has been an escalation in arms and defense tactics. As IT managers worked hard to ensure 100 percent anti-malware coverage on desktops and servers, the smartest attackers were looking for techniques completely outside those detected by traditional security tools. If there are 10 tools in the security toolbox, then hackers are hard at work developing an eleventh attack to get around them all.

As Princess Leia in the original Star Wars said, “The more you tighten your grip, Tarkin, the more star systems will slip through your fingers.” Except today the hackers are the rebels, and everyone else is the empire. The more strident the security measures, the more cybercriminals will seek a way around them. Not a good position to be in (especially if the IT team finds itself on the bridge of the Death Star).

Ultimately, the increase in hacking attempts, particularly by organized groups, means that complacency is not an option. IT managers must consider alternative approaches to defending their networks and must turn their focus to tools, products and techniques that approach security in different ways.

The best approach is to be aware of the long-term arcs in IT and security, and then to understand what tactics the IT team will need to deploy.


Detecting malware is far from the best approach to avoiding security compromises. Instead, IT managers should think about ways to avoid malware altogether. If it’s not on the network, then it doesn’t have to be detected and neutralized.

Often, the rise in shifting attacks requires re-evaluating traditional security products in a new light. Intrusion prevention systems (IPSs) have been seen as tools to detect active server attacks, but they’re equally valuable as a means of protecting end-user systems if properly configured and managed. IT managers should evaluate their IPS investment to see if it is providing effective protection to users.

Similarly, URL filters have often been deployed to prevent misuse, but they can also be easily configured to help block users from connecting to suspicious sites.

In some cases, a bigger shift may be necessary to put up a strong front against new attack techniques. Traditional firewalls have been seen as ineffective when so much Internet traffic passes barely examined through ports 80 and 443. But next-generation firewalls, with their application awareness and focus on deep packet inspection, can be a valuable part of a well-rounded security program, providing visibility into user activities and enabling control over outbound traffic.

The same is true of tools such as traditional anti-malware. These need to be re-evaluated for effectiveness. IT managers should be looking at alternative options for malware detection, such as sandboxing and reputation-based tools moving into mainstream use. They can also practice malware avoidance by using techniques such as application whitelisting.

3. Targeted Attacks Hit Their Marks

As IT managers within high-profile (and low-profile) targets are discovering, there are some things organizations just can’t protect against.

Traditional network security and anti-malware is designed to handle the low-level malicious background radiation that occurs all the time on the Internet: automated systems looking for things to crack into, old malware hoping that someone will click with their anti-virus software turned off and so on. Many enterprises don’t even have the resources to look at their IPS logs thoroughly because doing so creates a constant workload of addressing unknowns: Is this attacker real, or is this just someone trying to guess passwords randomly? Does this alert mean anything or not?

The constant attack load across common vectors is a known: It happens all the time, and it happens to everyone. It’s the reason that IT shops buy off-the-shelf products as a first layer for defense. But when the stakes are high enough, attackers take unique paths and craft custom tools, and there is no simple off-the-shelf solution to these threats. Social engineering and plain dumb luck are the bullets that have hit home, time after time, when attackers carefully and quietly aim at specific targets.

The trend might not be new, but more IT managers are becoming aware that they don’t have to be a bank or a Defense Department site to become a target. Cybercriminals have many motivations — commercial, political, personal — for their targets, and it’s becoming quite clear that no one is too insignificant or too obscure to be a target.

For example, when the Syrian Electronic Army wanted to hack The Onion website in early 2013, they first went after a series of completely unrelated nongovernmental organizations, in the hopes of finding a user to hack whose identity would be in a trusted relationship with their final target — a strategy that proved very successful.

If everyone is a potential target, then what are the best security strategies to thwart such attacks? The two most important are good logging and log analysis tools, followed by data loss prevention (DLP) systems.

For many intrusions, logs provide critical clues and evidence. As IT managers drown in a sea of logs, it can be tempting to disable or discard information. Although log analysis tools may not be able to spot an attack in progress, they are useful in alerting IT teams to unusual patterns.

When an incident is discovered, good logs help to piece together what happened and to understand the extent of the damage done. For many organizations, knowing that an intrusion occurred is not nearly as useful as knowing what happened during the intrusion — what information was stolen and what actions the intruder took.

Targeted attacks per day in November 2013 were almost double the number during November 2012.

SOURCE: Symantec Intelligence Report (December 2013)

What Is BYOD Really?

The drivers and definition of a bring-your-own-device initiative vary by industry. The simplest case is in large organizations where staff already have mobile devices of their own, such as smartphones and tablets, and they want to use those devices productively when in and away from the office.

In K–12 and higher education environments, it’s quite common for both students and faculty to want to use their own notebook and desktop computers. In environments such as healthcare, financial services and in cases of collaboration among multiple organizations, work boundaries quickly displace enterprise boundaries, and typical IT infrastructures must serve very different populations of users with a wide sweep of device types.

BYOD programs can support many needs — from staff members who need anywhere, anytime access to work files to cost-saving demands within an organization that doesn’t want to procure devices for all its users. Although smartphones and tablets drove the initial BYOD movement into high gear, it hasn’t taken long for management to see that personal notebook computers (and even desktop computers) can fall under the umbrella of BYOD.

No matter what the motivation for launching a BYOD program, the result is the same: A device that wasn’t chosen by the organization needs access to important enterprise data, starting with email and directories, and often extending to Intranet applications and document stores.

4. Cloud, Cloud, Cloud — Did I Mention Cloud?

Ask three people about cloud security, and they’ll likely provide a dozen definitions of what the term means. The difficulty in defining cloud security is unavoidable and has huge undesired consequences: Organizations are moving applications to cloud data centers and service providers whether or not security teams approve.

IT managers with great ideas about how to evaluate the security of cloud service providers often find themselves in security planning meetings after the contract has been signed. And showstopper questions, such as whether the enterprise can easily retrieve its data if it changes providers might be met with shrugs of “not sure.”

In short, organizations are moving business-critical applications out of enterprise data centers, and security teams are running after them trying to make sense of all the repercussions.


Most businesses have at least one cloud-based application already, whether something as innocuous as web conferencing and training or as mission critical as email. Often, the security team does not play a key part of the decision-making process.

Security teams trying to play catch-up with cloud-based applications need to focus more than ever on risk-based security analysis. It’s not a question of enumerating all the possible security problems. Instead, the goal must be to identify the most likely security concerns and those that pose the greatest effect on the enterprise, so that the IT team can focus on mitigating the risks.

Presenting specific security issues as business risks alongside a prioritized list of which have the greatest likelihood of occurring helps keep things in perspective and provides senior managers with actionable information.

5. The Snowden Effect Creates Awareness

Former National Security Agency contractor Edward Snowden might seem like an unlikely “trend,” but he may be having more of an effect than any other trend in raising security awareness and inspiring needed public discussion.

In the organizational security arena, IT managers can use the example of government surveillance to revisit their own data communications security. After all, it’s not just governments that have the interest and capability to intercept communications or gather information from service providers.

IT managers probably don’t have anything they want to hide from the government, but that doesn’t mean they shouldn’t be conscientious and thorough about encryption and data protection. They certainly have information they want to keep safe from cybercriminals, information they are required to protect and information they know mustn’t get into the hands of their competitors.

IT managers can use the Snowden event as an opportunity to review their organization’s use of encryption tools, such as SSL in web servers and email systems, to be sure that cipher suites are at the appropriate strength, keys are adequately protected and secure defaults are chosen.

Unencrypted application servers, even within an enterprise network, can be identified and moved to more secure operation modes, because enterprises never can predict when someone might be listening. IT managers who audit their own SSL policies and configurations might be surprised to find how easy they’re making it for an outsider to decrypt or intercept important data.

Key lengths and key stores, on-disk encryption management, VPN settings, cloud-stored data, network DLP and mobile data security practices — all are fair game for re-evaluation. Snowden’s revelations may have been bad news for the NSA, but they can serve as a teaching moment for IT managers trying to put security best practices into place and teach their value to managers and users alike.

6. The Internet of Things Expands the Attack Surface

The notion of the Internet of Things has come a long way over the last 25-plus years. Back in 1985, an SNMP-connected toaster oven drew applause; and in 1995, Ethernet-connected printers and copiers were all the rage.

But in this century, the trend has become reality. More things — many with poorly designed security — are going to be connected to data networks. And unless IT shops give these new network visitors attention, they will have almost no way to mitigate security issues.

Whether it’s branch office firewalls with unprotected web-based graphical user interfaces, printers that send alerts when they need maintenance, thermostats that are constantly uploading environmental information to cloud-based services or display screens running 15-year-old versions of Windows, the challenge remains the same. They create the potential for uncontrolled items on the network with unpatchable software and unknown security problems.

For IT managers who have been making exceptions to security policies for the occasional embedded system (a more technical term for the Internet of Things), 2014 will be the year to rethink and rebuild networks specifically to handle such devices.

Security researchers are already publishing research that details how easy it is to break into embedded systems and how vulnerable home users are to poorly designed devices with network-ready sensors. Now is the time for forward-looking IT teams to begin to address this now-known vulnerability.

Getting Serious About Data Loss Prevention

Don’t fear DLP — instead, learn how to use it effectively to limit your organization’s risk exposure from information leaks.

Read about:
• The challenges inherent in DLP
• The benefits of this security approach
• Who should lead a DLP program (and why)
• Details for the 5 steps to success

IT chiefs have varying definitions for DLP. The “L” is “leak” for some and “loss” for others. Some say the “P” is for “prevention,” others say “protection.” But whether it’s data loss prevention or data leak protection, defining the best strategy for using this umbrella security approach remains a bit elusive for many organizations. Why? Because although products are available from large and small manufacturers and the adoption rate of DLP products grows each year, IT managers often remain skeptical that these products are solving real security problems and reducing their organizations’ risk of data loss.


This is in part thanks to DLP being challenging to deploy, and this is for one key reason: It is not a distinct technology. It’s both a collection of technology products and a methodology.

An IT manager or security chief who tries to install DLP products on a network in the same way that he or she might install an intrusion prevention system (IPS) or an anti-spam gateway is likely to fail and to face frustration. If the goal of the DLP project is to check a box so that an auditor rates the enterprise as compliant, then the effort won’t likely achieve its overarching security objectives either. DLP efforts must be driven by the desire to reduce the risk of data loss in the organization, and that’s a lot more difficult than either plugging in a device or satisfying a group of auditors.

It’s helpful to draw a clear distinction between enterprise-class DLP and an emerging subset of DLP technologies that are now also widely available. Aware of the failure rate of DLP projects, security manufacturers have come to market with a variety of products that don’t aim at the full DLP space, but look narrowly at a specific issue, such as compliance, or a specific type of data, such as email.

A limited scope for a DLP project can work well, as long as everyone in the organization agrees on the scope and its limited reduction in overall risk.

For example, DLP products incorporated in endpoint protection suites can easily track traffic in and out of those devices, a natural extension to the malware scanning already taking place. These types of tools, when implemented properly, work well at intercepting and providing feedback on unintentional data leakage, as well as USB device leakage. What they don’t do as well is handle situations with more malicious actors, either insiders or cybercriminals who have established a beachhead within the enterprise network.

DLP efforts must be driven by the desire to reduce the risk of data loss in the organization, and that’s a lot more difficult than either plugging in a device properly or satisfying a group of auditors.


Building a Solid Enterprise-class DLP

Every DLP maker has its own methodology for successful deployment, and these approaches are linked closely to the technology being deployed. It’s helpful when considering DLP projects to also look at a technology-independent methodology to understand whether a DLP initiative will achieve its goals when deployed inside an enterprise. The following steps will help the project team flesh out the elements critical to ensuring a successful DLP deployment and operation.

Start from the top and get buy-in. When running a DLP project, the chief security officer or chief financial officer of the organization should lead the initiative, with the IT team providing technical support and assisting in deployment and design. It’s important that IT managers not be delegated the role of DLP project leader because this immediately sends the wrong message to the organization. It can create the impression that DLP is a technology solution that will be addressing a technology risk or problem, such as a crashed hard drive. Instead, it is essential that DLP be viewed as an enterprisewide strategy to mitigate business risk — the leakage of sensitive information assets.

The successful deployment of DLP depends on bringing a team of stakeholders to the table, defining the scope and goals of the project, and getting true consensus from all stakeholders. In this case, stakeholder buy-in represents more than an agreement to participate in initial activities. It means an agreement by all data owners to continue to play an active role for the foreseeable future.

DLP introduces a continuing process within an enterprise because any effective solution will generate frequent incident alerts. If the stakeholders don’t agree to allocate resources to analyze incidents and respond to alerts, then DLP can turn into an expensive piece of shelfware.

The appropriate participating stakeholders will vary depending on the organization, but the critical participants are the data owners — the people responsible for creating, managing and protecting certain types of information. It’s useful to look across all parts of the organization to understand what information is at risk and needs to be protected.

In a typical enterprise, this means that staff members from the human resources and finance departments must participate, because information about finances and staff are two types of data that must be protected. In an organization with any type of web presence, the web application owners must also take part, because they are likely collecting sensitive information about constituents or customers, ranging from simple demographics to financial information.

And, most important, the line-of-business teams must each be represented, because these teams stand to lose the most if there’s data leakage. The data they manage can span the gamut, from source code and manufacturing designs to proprietary planning documents and historical records.

Set goals and requirements. The nature of the DLP project needs to be defined in detail before moving to product selection. On the technology front, DLP offers many benefits, but it’s critical for the organization to identify and prioritize project goals to set a clear direction forward.

For example, one of the initial drivers for DLP is often compliance — making sure applicable regulatory requirements are properly supported. This will vary based on industry and enterprise type, but few organizations can operate without some type of compliance program.


Typically, compliance rules govern activities involving:
• Specific information sets, such as financial records, personally identifiable information or patient health data;
• Specific transmission channels, such as email or instant messaging.

DLP can clearly help with such oversight, but only if compliance is identified as part of the initiative early on. More important is a solid definition of exactly how DLP will be used as part of compliance processes. A one-word check box labeled “compliance” won’t ensure success because neither the right techniques nor tools will likely be considered, purchased or applied.

Although an enterprise can deploy DLP as a compliance-only project, it will get greater value if the initiative is tied to specific business risk mitigation strategies, such as ensuring that intellectual property or commercial data is not shared inappropriately. Whatever the ultimate goals, they should be noted explicitly and in as much detail as possible.

Because DLP is as much a process as a group of products, the program goals should also focus on user behavior, which could include identifying inappropriate user activities, providing awareness and feedback to users, helping to train users about how to manage specific data types properly, and, if necessary, using the DLP technology as a discovery and investigation tool when malicious actors are detected.

It’s important that the stakeholders participating in DLP goal-setting agree on the defined goals and consider them worthwhile business objectives. CSOs leading DLP projects can remind stakeholders that every goal listed as part of the project may result in some cost — management, human resources and even direct equipment or licensing expenses. This reminder will help ensure that the initial plans and final agreement are based on sound business principles.

Apply a risk-based model. Measuring risk and return on investment (or return on security investment) of security projects can be tricky. Even so, risk measurement should be a strong part of any DLP project. What that means is that the risk measurement should be used to direct the project, not merely to justify it.

Traditional risk measurement suggests that an organization should factor the cost or impact of a loss against the probability of the loss. The DLP project’s stakeholders typically can estimate the overall organizational cost of a particular type of data loss. But this leaves the DLP project team the unenviable and generally impossible task of estimating the probability of each particular loss.

Rather than try and dive deep and assign random numbers to loss probabilities, the DLP team should focus on the most likely types of loss based on the goals of the project.

For example, if protecting customer data is a goal, then identifying the most likely vectors for loss of customer data will help when attempting to measure risk and prioritize DLP techniques. Customer data can be lost by having inappropriate FTP or web servers, by a malicious staffer removing data on a USB drive, by a notebook falling into the wrong hands, or possibly by someone emailing data accidentally outside of the enterprise. But by and large, the greatest risk comes from attackers — cybercriminals that want the data and want to exploit it.

If a notebook with customer data is lost, that’s a problem. But depending on how the data has been protected and how the notebook was lost, the incident may not represent a huge risk to the organization. If an attacker breaks in specifically to steal customer data, then the goal is clearly to exploit the data, which obviously raises the risk to the enterprise.

Using a risk-based model doesn’t mean that the IT staff should forgo looking for inappropriate FTP servers. It just means that the DLP project should start with a goal to mitigate the greatest risks first. Notice that the previous example using the notebook includes risks that have nothing to do with a DLP product.

Finding poorly secured or inappropriate FTP servers can be the job of a vulnerability analysis or network mapping tool, while tracking down customer information in the wrong file shares is an entirely different exercise, and ensuring that whole-disk encryption is in place on every notebook is yet another task. It’s the identification of these different issues that helps move DLP away from a “buy a product to solve a problem” initiative and toward the much more effective “reduce the risk of this particular type of data loss” effort.

Determine a strategy. With goals and risk measurement taken care of, the next step is to determine the DLP strategy that will detail the fastest and most effective ways of meeting a specific set of goals and reducing business risk.

Obviously, part of the strategy will likely involve identification of a DLP product, and that’s where the IT team will play a critical role in the project. But it’s possible that explicit DLP products may not be needed. A variety of IT controls can be applied to enterprise assets, either through new products or simply by redesigning policy in existing products (such as URL content filters, anti-spam gateways and firewalls) to achieve the DLP objectives. But even under these scenarios, the IT team must help provide the background information and technology guidance necessary to move forward.

As the strategy begins to shake out, the project group will enter the product selection process. The IT staff can take the business goals and risk measurements and help identify the most appropriate products to help meet the DLP goals of the organization.

Advice at this stage of the project is plentiful from product manufacturers, third-party consultants and analyst firms. And although it’s possible that no products will be needed, it’s likely that at least one or two will be procured and installed as part of the DLP project.

But even after products have been installed and policies changed within the existing infrastructure, the strategy phase should not end. With DLP, as already noted, the organization must make a long-term commitment to implementation and enforcement.

For many enterprises, DLP is more so about user training and user feedback as it is about external cybercriminals and malicious actors. The continuing chain of incident alerts must be investigated, which implies a full workflow of incident qualification, research, notification and resolution. And then all learnings must be pumped back into the strategy and the process (and possibly some technology tools) refined.

Squeezing the takeaway from incidents is only part of the continuing strategy evolution that must occur within a successful DLP program. Over time, both incidents and the changing IT landscape will require that data owners be prepared to make policy decisions about data archiving, role-based access controls, policy refinements and adaption of DLP processes to changes within the IT infrastructure.

Measure results and give feedback. DLP projects require regular evaluations and audits — like any other business initiative. Just as the continuing cost of incident management and policy refinement must be factored into the organization’s annual budget for DLP, so too must periodic review of the program.

Well-run DLP projects will hinge on development of key performance indicators to help measure success. These metrics can be used as guideposts, where needed, for setting strategy changes and ensuring project realignment.

Are There Alternatives to Full DLP?

Enterprises that want some type of data loss protection but can’t realistically engage in a full project can investigate easy-to-deploy subsets of DLP aimed at a particular type of information traffic. The use of such products can provide limited risk reduction in an economical manner.

The most popular limited DLP subset (sometimes called channel-specific DLP) covers products crafted for email. The ability to funnel standard email, such as mail managed using enterprise Exchange servers, through a chokepoint for anti-virus and anti-spam scanning also provides an obvious point for scanning content for DLP purposes. Most anti-spam gateway manufacturers either offer add-on DLP functionality or partner with a DLP maker for bolt-in DLP protection for outbound email.

Experts agree that email-based DLP is generally useful for catching unintentional data loss — someone forwarding a message that contains sensitive data far down in the reply chain, or messages with errant email addresses that accidentally leak data outside of the organization.

Subset DLP products aren’t limited to email, however. For example, several of the larger endpoint security protection providers have DLP add-ons, and products also exist to help with DLP issues for communications tools such as instant messaging.

Enterprise firewalls are also obvious places to install some type of DLP scanning, although the heavy use of Secure Sockets Layer encryption can reduce the effectiveness of the tools without an accompanying firewall upgrade. Next-generation firewalls, which can act as man-in-the-middle elements to decrypt Internet-bound communications, are a requirement for any firewall-based DLP tool to be effective.

While these DLP subset products can provide good results and assist in compliance requirements, they don’t necessarily provide significant risk reduction across a large organization. Data loss through nontraditional channels typically poses the greatest risks after all, and point DLP approaches won’t likely protect against insiders removing data on USB media or pre-encrypting or obfuscating data before sending it to the Internet, for instance.
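The email case described in this sidebar (sensitive data buried far down a reply chain, or an outside address on the recipient list) can be checked at an outbound mail chokepoint roughly as follows. This is an added illustration, not code from the guide or from any DLP product; the internal domain, the constructed sample message and the block/warn/allow policy are assumptions, and payment card numbers stand in for whatever data types the stakeholders decide to protect.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses

# Assumptions for this sketch: the organization's own mail domain and the
# block/warn/allow policy. The message below is constructed sample data.
INTERNAL_DOMAINS = {"example.org"}
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")  # 13-19 digits, optional separators

SAMPLE = """\
From: alice@example.org
To: bob@example.org, carol@partner.example.net
Subject: Re: Re: invoice question
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Carol, looping you in. Ticket ref 1234 5678 9012 3456.

> Thanks, will process today.
>
>> Please charge the card on file: 4111 1111 1111 1111
>> exp 01/30
"""


def luhn_ok(digits):
    """Luhn checksum: filters out order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def quote_depth(line):
    """Count leading '>' markers: how far down the reply chain a line sits."""
    depth = 0
    for ch in line:
        if ch == ">":
            depth += 1
        elif ch not in " \t":
            break
    return depth


def external_recipients(msg):
    """Return To/Cc/Bcc addresses whose domain is not an internal one."""
    headers = [str(h) for name in ("To", "Cc", "Bcc") for h in msg.get_all(name, [])]
    return [addr for _, addr in getaddresses(headers)
            if addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS]


def find_card_numbers(msg):
    """Scan every text/plain part line by line, quoted text included."""
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        for lineno, line in enumerate(part.get_content().splitlines(), 1):
            for match in PAN_RE.finditer(line):
                digits = re.sub(r"\D", "", match.group())
                if luhn_ok(digits):
                    findings.append({
                        "line": lineno,
                        "quote_depth": quote_depth(line),
                        # Never log the full number; keep the last four digits.
                        "masked": "*" * (len(digits) - 4) + digits[-4:],
                    })
    return findings


def scan_message(raw):
    """Combine content findings with recipient scope into one verdict."""
    msg = message_from_string(raw, policy=policy.default)
    external = external_recipients(msg)
    findings = find_card_numbers(msg)
    if findings and external:
        verdict = "block"       # sensitive data is about to leave the organization
    elif findings:
        verdict = "warn"        # stays internal: give the sender feedback
    else:
        verdict = "allow"
    return {"verdict": verdict, "external": external, "findings": findings}


if __name__ == "__main__":
    result = scan_message(SAMPLE)
    print(result["verdict"], result["external"])
    for finding in result["findings"]:
        print(finding)
```

The ticket reference in the new text is ignored because it fails the Luhn check, while the card number two levels down in the quoted chain is what drives the verdict.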

Learning Lessons from the NSA

The Edward Snowden affair offers some relevant launch points when looking for ways to shore up your security posture.

Read about: or IT professionals, the drama around • H ow the Snowden incident can Edward Snowden, the former National benefit security awareness F Security Agency contractor who exposed • 4 tools to thwart insider threats untold numbers of federal documents • W hy access control remains critical about government spying operations, • T he shifting landscape of encryption represents some of the most interesting and important technology security news of the past decade. An especially fascinating aspect is that it affectsIT security in two completely different ways. No serious practitioner of information security can look at what happened at the NSA without asking two very different sets of questions: • W hat is the insider threat within my organization, and are we doing all we can to minimize that threat? • Is our sensitive data being captured by outsiders, and are we doing all we can to make such monitoring as difficult as possible to achieve? Theoretically, none of these lines of thought should be new when it comes to IT security. These questions focus on topics that are day-to-day concerns for any good IT security manager. The particular circumstances of Snowden’s dramatic revelations and

14 C DW.com/securityguide | 800.800.4239

The particular circumstances of Snowden’s dramatic revelations and the accompanying attention from the mainstream media bring a new urgency to this work.

For many IT managers, the details of securing enterprise data have been off their radar, with most believing that their operating system and security staffers are trustworthy and are making the best security choices available. As the revelations of the NSA’s once-secret documents have shown, this is not a rock-solid assumption to make.

In addition, because of the wide-ranging coverage of Snowden’s activities, IT managers now have a more concrete context for discussing these issues with organizational leaders and other IT staff members.

For example, trying to bring up the question of Transport Layer Security (TLS) configuration usually elicits yawns of disinterest from system managers and application owners alike. But when one can add the clause “… and if you don’t change this, then the NSA or anyone else can eavesdrop on our web traffic, as Snowden revealed” to a sentence, it makes a highly abstract security concept real and creates a new incentive for action.

Minimizing the Insider Threat

IT security has long focused on access controls, especially at the Internet perimeter, where everything not expressly permitted is forbidden. In most enterprises, internal access controls are also in place, controlling both network access and data and application access, and thus minimizing the ability of any one party to view information not needed for his or her job. The glaring hole is usually the IT staff, who might have access to networks, systems and applications far beyond the limits appropriate for their job descriptions.

This is not the only concern that should be a wake-up call to all CEOs and CIOs regarding IT staff access. IT staff have the ability to exert disproportionate control over IT resources, as shown by Terry Childs, the San Francisco network administrator who, in 2008, was arrested and convicted on felony network tampering charges stemming from his refusal to divulge the password to the city’s Fibre WAN system to his supervisors. With privileged access to information, members of the IT staff are also ideally situated to perpetrate fraud, a temptation that becomes more difficult to resist during times of economic uncertainty.

The best way to deal with insider threats is to stop treating IT staff as if they are different from other organizational IT users. The long-term attitude within tech shops has always been that enhanced access makes their teams’ job simpler and easier, and provides faster resolution of problems — especially critical ones. All of this is true, but also beside the point.

Enterprise CIOs who wish to maintain the status quo should be required to reaffirm their clear decision to accept the risk offered by unfettered network, systems and database access, and to explain and justify that decision to the CEO of the organization.

No CIO wants to stand up and proclaim, “I cannot trust my staff,” just before changing all access controls. In fact, IT staffers will always have more access than a skeptical auditor would prefer. But IT teams should also be willing to put in place sufficient controls and logging such that no untrustworthy action by any member of the organization will go undetected.

Although the biggest change required to minimize insider threats is a change in attitude, there are also many technologies that can be brought to bear on the problem. A host of products can help both with imposing controls and providing necessary auditing and logging. The products tend to fall into four major categories: identity and access management, data loss prevention, digital rights management and encryption.

Tools to Curtail Insider Attacks

Tool: Identity and access management; privileged user management
Value:
• Serve as enterprise authentication servers, offering a stronger authentication method than username–password combinations
• Help enforce access policies, separate security duties and provide logging and auditing of both successful and (more important) unsuccessful access attempts
• Offer a single point of go/no-go checking for user access
• Include privileged user management systems, a variation on identity and access management (IAM) tools, that focus on operating system and embedded devices where discretionary access controls on privileged users may not readily exist
• Can help with long-term password management of locally administered passwords

Tool: Data loss prevention
Value:
• Reduce risk of improper transfers of data from organizational systems typically from users inside the network
• Use data registration (generating a fingerprint for specific documents) and content classifiers (identifying documents by specific content, such as having many Social Security numbers or a string such as “enterprise confidential”) to identify information of interest
• Operate at both endpoint level (for on-device applications and USB access) and network level (for other types of transmissions)
• Help reduce the risk of information leakage by detecting and, in some cases, blocking unauthorized transfers

Tool: Digital rights management
Value:
• Help limit access to information and track unauthorized dissemination after the fact
• Continue to evolve their enterprise-focused capabilities (from their roots as music and video management tools)

Tool: Encryption
Value:
• Reduce the risk of unauthorized users gaining access to sensitive data through “encrypt everything, everywhere” policies (including data in transit across trusted networks)
• Close the window to an insider who may have physical access to a device
• Can make it very difficult for privileged system administrators to spy on coworkers and managers (through the end-to-end encryption of email using Secure/Multipurpose Internet Mail Extensions, for instance)

Controlling Access, Still Job No. 1

The identity and access management market is filled with manufacturers offering products primarily designed to help authenticate users safely, generally by going far beyond normal username–password pairs. A wide variety of technologies are now available, from the prosaic and familiar one-time password paired with a multifactor hardware token to X.509-based smartcards and certificates, biometrics of all flavors and out-of-band authentication systems such as Short Message Service–based password confirmation.

In the context of addressing threat management, what’s more useful is the ability to use these identity and access management (IAM) tools to control access to physical devices (such as network hardware), operating systems, databases and applications. IT managers deploying IAM tools for normal user access should also consider how these products can be integrated into the general IT operations workflow.

All offer authentication lookup using Remote Authentication Dial-In User Service (RADIUS), the most popular form of remote-access authentication. Many also support Terminal Access Controller Access-Control System (TACACS), which can be especially useful for network devices, and the Lightweight Directory Access Protocol (LDAP). Both TACACS and LDAP are worthwhile for differentiating between multiple user accesses and privileges.

IT managers getting serious about IAM should also audit their enterprise equipment to gauge support for and compatibility with network-based authentication and authorization. Although many embedded and security devices include RADIUS, TACACS or LDAP as an authentication method, some devices (particularly older uninterruptible power supplies and power management systems) may not support these authentication technologies without firmware or other hardware upgrades.

An initial concern voiced by most IT staffs considering IAM deployments is what happens in the worst-case scenario of the network itself going down and blocking access because staff cannot be authenticated to a network-based authentication server. A specific subgenre of the IAM marketplace addresses this concern: the ability to have “last gasp” root or system administrator passwords stored in a secure location and available should such an emergency arise. These solutions generally go by the term privileged user access control and serve to solve this particular problem, as well as others related to root and sysadmin access to devices.

People Still Don’t Learn by Example

For most security experts, the peek behind the veil of national security surveillance was more a confirmation of what many had long suspected. Whether complicit with large service providers or through illicit methods, the public networks — voice, MPLS, frame relay, private line or Internet — have all been assumed to be open books to anyone with sufficient motivation.

But the dramatic effect of so many revelations, so closely spaced and covering such a broad range of topics, has been enormous and provides an opportunity for IT managers to delve into the security posture of their own organizations.

The goal here is not necessarily to block access by the NSA (or any other government organization), but to recognize that if the NSA can do it, then many other motivated parties could do it as well. If the government can tap a fiber-optic cable, then someone can tap the NSA’s tap.

The Snowden documents have listed many types of surveillance. But from an IT perspective, there were key techniques that most enterprises should review. What’s more, the quick answer is that encryption is remarkably effective in most cases, especially if the cryptography is carefully managed.

The Snowden affair shines a spotlight on two issues that would be worthwhile for IT managers to review with their security teams — both to help tighten security and reduce the risk of data breaches.

The NSA Behaves Like a Hacker

One of the techniques the government employed successfully was the targeted attack using zero-day (previously unknown or known but unpatched) vulnerabilities. This methodology works for the bad guys, so it might as well work for the NSA, too. Although user education and a good security awareness campaign can help, technology provides support in the form of log analysis tools and data leak protection systems.

Not many U.S. organizations are going to install DLP or security information and event management (SIEM) tools because they think that the NSA might be listening. But IT managers looking for the most complete picture should consider these tools as good basic forensics and alerting systems. This can be yet another reason to consider their deployment.

Encrypt Everything

Encryption is the simplest and most fundamental building block for keeping secrets. It remains a security truth. Astonishingly enough, the NSA reported enormous amounts of clear-text, or unencrypted traffic, even among services that offer encryption, such as Facebook and .

This suggests three different action items for organizations that want to batten down the hatches on their data:

1. I.T. managers should be sure that any enterprise traffic traveling over any network, even a private one, is encrypted. Branch office wide-area network circuits can’t be considered secure just because the lines are sold as MPLS virtual private networks or dedicated leased lines. With the wide and easy availability of VPN services in firewalls, the only excuse not to encrypt all traffic over all types of circuits is the additional overhead of the IP security protocol encryption headers. Encryption also is needed for inter-data-center traffic, even over dark fiber, and for traffic to any cloud service provider. While IPsec isn’t free from a bandwidth perspective, only highly constrained environments should even be considered for unencrypted traffic.

2. I.T. teams should work to ensure that employees using the Internet select encrypted and secure alternatives. This should be the case even for their personal use, such as personal email or social networking. Because many staff members use work PCs to connect to Internet services, accessing unencrypted data streams invites man-in-the-middle attacks and eavesdropping.

The same rules should apply to enterprise outbound email: All email servers should be configured to select TLS wherever possible and to offer TLS when receiving mail. For close partners, TLS encryption of all mail flowing across the Internet should be enforced. This is true even if Secure/Multipurpose Internet Mail Extension (S/MIME) is used to provide end-to-end encryption, because S/MIME mail does not hide metadata such as sender, receiver and subject lines.

IT managers can use firewalls and IPS tools to make sure that services, such as search engines, software updates, instant messaging, webmail and social networking, are all pushed out over encrypted channels.

3. The I.T. shop should ensure that secure channels are available for enterprise services. Most obvious web services, such as enterprise webmail, are all already encrypted — and this encryption should be enforced. But for others, such as the organization’s general website, encrypted HTTP should also be enabled and visitors transparently redirected to HTTPS whenever possible.

RADIUS vs. TACACS+

For many system administrators, Remote Authentication Dial-In User Service is the gold standard for remote authentication. But, in fact, RADIUS is the best-supported authentication protocol, available in virtually every network services platform and operating system.

In advanced authentication systems, such as 802.1x protocol used for wireless authentication and wired network-access control (NAC) solutions, RADIUS is the preferred back end. So why do network managers show interest in Terminal Access Controller Access-Control System Plus (TACACS+), an older and not widely supported protocol?

The answer goes back to a major design decision in RADIUS to support authentication but not authorization. In other words, RADIUS is great at authenticating a user, but has almost no features for transmitting authorization information, such as group membership or other access controls.

As a general-purpose protocol, many technology manufacturers have repurposed RADIUS attributes (or added attributes) to include authorization information. Others combine RADIUS for authentication with Lightweight Directory Access Protocol (LDAP) for authorization.

TACACS+, designed by Cisco for its own devices, has almost no presence anywhere else, but does have a huge benefit over RADIUS. It can be used for authorization information because it separates out authentication from authorization in a way that RADIUS does not. Cisco devices can submit every single privileged user command to a TACACS+ server and get a “go/no-go” answer, effectively moving authorization off the device and to a central server.

Because TACACS+ offers authorization on a per-command basis, and because of Cisco’s dominance in the enterprise routing and switching space, IT managers may need to support both (hopefully from the same server) to implement strong privileged user controls when Cisco networking gear is in use.

But in either case, it’s a bad idea to try to make the protocol do something it wasn’t well designed to handle.

Disclaimer

The terms and conditions of product sales are limited to those contained on CDW’s website at CDW.com. Notice of objection to and rejection of any additional or different terms in any form delivered by customer is hereby given. For all products, services and offers, CDW® reserves the right to make adjustments due to changing market conditions, product/service discontinuation, manufacturer price changes, errors in advertisements and other extenuating circumstances. CDW®, CDW•G® and The Right Technology. Right Away.® are registered trademarks of CDW LLC. People Who Get It™ is a trademark of CDW LLC. All other trademarks and registered trademarks are the sole property of their respective owners. CDW and the Circle of Service logo are registered trademarks of CDW LLC. Intel Trademark Acknowledgement: Ultrabook, Celeron, Celeron Inside, Core Inside, Intel, Intel Logo, Intel Atom, Intel Atom Inside, Intel Core, Intel Inside, Intel Inside Logo, Intel vPro, Itanium, Itanium Inside, Pentium, Pentium Inside, vPro Inside, Xeon, and Xeon Inside are trademarks of Intel Corporation in the U.S. and/or other countries. AMD Trademark Acknowledgement: AMD, the AMD Arrow, AMD Opteron, AMD Phenom, AMD Athlon, AMD Turion, AMD Sempron, AMD Geode, Cool ‘n’ Quiet and PowerNow! and combinations thereof are trademarks of Advanced Micro Devices, Inc. HP Smart Buy: HP Smart Buy savings reflected in advertised price. HP Smart Buy savings is based on a comparison of the HP Smart Buy price versus the standard list price of an identical product. Savings may vary based on channel and/or direct standard pricing. This document may not be reproduced or distributed for any reason. Federal law provides for severe and criminal penalties for the unauthorized reproduction and distribution of copyrighted materials. Criminal copyright infringement is investigated by the Federal Bureau of Investigation (FBI) and may constitute a felony with a maximum penalty of up to five (5) years in prison and/or a $250,000 fine. Title 17 U.S.C. Sections 501 and 506. This reference guide is designed to provide readers with information regarding software management, licensing and selection. CDW makes no warranty as to the accuracy or completeness of the information contained in this reference guide nor specific application by readers in making decisions regarding software purchase or implementation. Furthermore, CDW assumes no liability for compensatory, consequential or other damages arising out of or related to the use of this publication. The content contained in this publication represents the views of the authors and not necessarily those of the publisher.
©2014 CDW LLC. All rights reserved.

BLOG: Learning from the Target Data Breach
Aaron Colwell, Inside Solution Architect for CDW, shares his insights into the holiday season data breach at Target: CDW.com/securityguide2

Not all Encryption is Equal

Encrypting securely involves more than simply checking a box in a graphical user interface. The IT staff needs to establish options for key management, key length, encryption and authentication algorithms, and more, depending on the protocols and cryptosystems used.

IT managers should audit their own encryption systems to be sure that current algorithms and the most secure options remain in use, and that enterprise systems block all insecure methods of communication.

For example, all VPN traffic should now use at minimum the 128-bit versions of the Advanced Encryption Standard (preferably 192- or 256-bit keys), while blocking algorithms such as the Data Encryption Standard and Triple DES. Similarly, message authentication using Message Digest 5 (MD5) should be disabled, with Secure Hashing Algorithm 1 (SHA1) avoided and SHA-256 used wherever possible.

Meanwhile, features such as perfect forward secrecy (PFS) using Diffie-Hellman group 5 or 14 should be selected. Authentication using preshared secrets is common, but changing the secret frequently is not — and IT managers should set a schedule for regular updates and changes.

The same type of auditing should be done on SSL/TLS traffic, such as enterprise web and email servers. Vendor-provided defaults, such as short encryption keys, Elliptic Curve encryption methods or outdated message authentication algorithms should all be disabled in favor of Diffie-Hellman key agreement and strong encryption and authentication.

Changing the crypto suites offered by web and email servers may require some research, as technology makers such as don’t make it easy to edit and reorder the list of cryptographic parameters. Organizations using Apache web servers will have an easier time managing their crypto suites.

IT managers should also consider re-evaluating their use of certificates signed by external certification authorities. In the past, most enterprises preferred to have a single private key and a wildcard certificate to avoid having to buy multiple certificates and manage multiple keys. That’s still a big advantage, but the disadvantage is that the more systems with copies of the private key, the greater the possibility that a determined attacker will be able to grab it.

One option is to go for a hybrid approach, protecting the most important systems with their own individual 4,096-bit private keys and certificates, and reserving use of wildcard certificates and shorter private keys for less critical systems.

Security is critical to operations, but too often an afterthought. By using Snowden’s revelations to drive awareness of and interest in security, security leaders certainly can help keep efforts to protect data, systems and networks a top priority.
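The algorithm audit described under “Not all Encryption is Equal” can be scripted. The following is an added example, not part of the CDW guide: it checks VPN proposals against the rules stated there (AES at 128 bits or more, DES, Triple DES and MD5 blocked, SHA1 discouraged, Diffie-Hellman group 5 or 14 for PFS, preshared secrets on a schedule). The strongSwan-style keyword format, the tunnel inventory and the 90-day secret age are assumptions.

```python
"""Audit VPN crypto proposals against the algorithm guidance in this section.

Assumptions for this example: proposals are written as dash-separated keywords
in the style of strongSwan proposal strings ("aes256-sha256-modp2048"), the
tunnel inventory below is constructed, and 90 days is a placeholder schedule
for preshared-secret rotation (the guide asks for a schedule, not a number).
"""
from datetime import date

# keyword -> (verdict, note). FAIL = must be blocked, WARN = allowed but discouraged.
ENCRYPTION = {
    "des": ("FAIL", "DES must be blocked"),
    "3des": ("FAIL", "Triple DES must be blocked"),
    "aes128": ("WARN", "AES-128 is only the minimum; prefer 192- or 256-bit keys"),
    "aes192": ("OK", "AES-192"),
    "aes256": ("OK", "AES-256"),
}
INTEGRITY = {
    "md5": ("FAIL", "MD5 message authentication must be disabled"),
    "sha1": ("WARN", "SHA1 should be avoided; use SHA-256"),
    "sha256": ("OK", "SHA-256"),
}
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14}
PFS_GROUPS = {5, 14}  # the Diffie-Hellman groups the guide names for PFS


def audit_proposal(proposal):
    """Return a list of (verdict, note) findings for one proposal string."""
    findings = []
    seen = set()
    for token in proposal.lower().split("-"):
        if token in ENCRYPTION:
            seen.add("encryption")
            findings.append(ENCRYPTION[token])
        elif token in INTEGRITY:
            seen.add("integrity")
            findings.append(INTEGRITY[token])
        elif token in DH_GROUPS:
            seen.add("dh")
            group = DH_GROUPS[token]
            if group in PFS_GROUPS:
                findings.append(("OK", f"DH group {group}"))
            else:
                findings.append(("FAIL", f"DH group {group} is not group 5 or 14"))
        else:
            findings.append(("WARN", f"keyword {token!r} not covered here; review by hand"))
    # A proposal that omits a component is a finding in itself.
    if "encryption" not in seen:
        findings.append(("FAIL", "no encryption algorithm"))
    if "integrity" not in seen:
        findings.append(("FAIL", "no message authentication algorithm"))
    if "dh" not in seen:
        findings.append(("FAIL", "no Diffie-Hellman group, so no perfect forward secrecy"))
    return findings


def worst(findings):
    """Collapse findings to the most severe verdict: FAIL > WARN > OK."""
    verdicts = {v for v, _ in findings}
    return "FAIL" if "FAIL" in verdicts else "WARN" if "WARN" in verdicts else "OK"


def psk_overdue(last_changed, today, max_age_days=90):
    """True when a preshared secret is older than the rotation schedule allows."""
    return (today - last_changed).days > max_age_days


# Constructed inventory: tunnel name -> proposals offered and last secret change.
TUNNELS = {
    "branch-chicago": {"proposals": ["aes256-sha256-modp2048"],
                       "psk_changed": date(2014, 1, 10)},
    "branch-legacy": {"proposals": ["aes128-sha1-modp1536", "3des-md5-modp1024"],
                      "psk_changed": date(2012, 3, 1)},
    "dc-to-cloud": {"proposals": ["aes256-sha256"],
                    "psk_changed": date(2013, 12, 20)},
}


def audit_tunnels(tunnels, today):
    """Return {tunnel: (verdict, [notes])}. One weak proposal fails the tunnel,
    because a peer may negotiate any proposal that is offered."""
    report = {}
    for name, cfg in tunnels.items():
        findings = []
        for proposal in cfg["proposals"]:
            findings += [(v, f"{proposal}: {note}") for v, note in audit_proposal(proposal)]
        if psk_overdue(cfg["psk_changed"], today):
            findings.append(("FAIL", "preshared secret is past its rotation date"))
        notes = [note for v, note in findings if v != "OK"]
        report[name] = (worst(findings), notes)
    return report


if __name__ == "__main__":
    for name, (verdict, notes) in audit_tunnels(TUNNELS, date(2014, 2, 1)).items():
        print(f"{verdict:4} {name}")
        for note in notes:
            print(f"       - {note}")
```

Offering a weak proposal alongside a strong one still fails the tunnel, which is why the guide asks that insecure methods be blocked rather than merely deprioritized.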

WE GET next-generation security

STRATEGIES TO BREAK THE SECURITY STALEMATE

The security landscape is changing. Cybercriminals are becoming increasingly innovative in their attacks. And as your network expands, so do the avenues of attack and scales of the challenges presented to your security. Things like mobility and remote access create complexity and can generate large holes in your security. And if your breach detection protocols are lacking or nonexistent, your data could be exposed, causing disruption. Outside of IT, the rest of your organization may not think of security integration as part of their day-to-day responsibilities. Their actions can make your organization vulnerable by creating new avenues for threats. A holistic approach helps you put the right pieces in the right places to protect your IT environment. But without guidance, you may miss a move that would protect your data from capture.

Defense in Depth integrates the layers you need to protect your IT environment and rapidly recognize and react to breaches. We design each aspect of a Defense in Depth solution around three core processes:

THREAT PROTECTION — We emphasize flexibility to adapt to the ever-changing threat landscape.
BREACH DETECTION — By understanding that no defense is completely impregnable, we help keep you vigilant for inevitable breaches.
BREACH REACTION — Once a breach is detected, our processes help you guarantee fast response and containment — minimizing impact.

suffered a 4-month-long cyberattack from Chinese hackers. Their anti-virus software was able to detect 1 of the 45 pieces of malware installed.1

A Defense in Depth strategy sets up your organization to take advantage of key opportunities:

INCREASED AVAILABILITY: By minimizing your threat risk, you can ensure that your infrastructure and data are at a lower risk of being compromised, maximizing their availability to your users.

QUICKER CONTAINMENT: Some attacks are inevitable. With the proper protocols and tools in place, you can spot and contain these breaches sooner, preventing them from running rampant.

DATA CONFIDENTIALITY: With a more complete understanding of who is accessing your data and where it’s residing, you can rest easy knowing that your data will be kept confidential.

INCREASED PRODUCTIVITY: By responding in an organized and predictable manner to new security threats and breaches, you will save time and maximize IT productivity.

DATA INTEGRITY: Strong infrastructure security means your data cannot be inappropriately altered — ensuring that security breaches don’t lead to incidents that can threaten your organization.


$5.4 Million The average cost of a security breach.2

IMPROVE YOUR DEFENSE BY PLAYING WITH THE BEST

Our account managers and experienced security solution architects have a high level of expertise and deep knowledge in security strategies. They undergo constant training in new Defense in Depth developments and can help you through every stage of your solution preparation and deployment. And our partnerships with industry-leading security vendors give you access to the best products on the market, while our comprehensive approach guarantees that you get the right components for your unique situation.

The Check Point Intrusion Prevention System (IPS) Software Blade combines outstanding IPS protection with breakthrough performance at a lower cost than traditional, stand-alone IPS solutions. The IPS Software Blade delivers complete and proactive intrusion prevention — all with the deployment and management advantages of a unified and extensible next-generation firewall solution.
CDW.com/checkpoint

Trend Micro Deep Security provides a server security platform that simplifies security operations while accelerating the ROI of virtualization and cloud projects. Tightly integrated modules expand the platform to ensure server, application and data security across physical, virtual and cloud servers, and virtual desktops.
CDW.com/trendmicro

Enable tools to configure the network for efficient transport of information, bandwidth optimization, and enhanced application performance or automation of operations. Applications in this category enable efficient transport from LAN to service provider, across WAN links between sites and applications hosted in the data center.
CDW.com/hp

McAfee Next Generation Firewall — Powered by Stonesoft. Unified, modular security built for manageability, anti-evasion, and high availability.
• A unified software-based design for all network security controls
• One adaptive, affordable solution for all environments
• An integrated central management center
• A single dynamic, contextually aware solution
CDW.com/mcafee

We’re here to help you master all of your security challenges. Learn more at CDW.com/DefendIT

1Source: nytimes.com
2Source: Verizon 2013 Data Breach Investigations Report

WE GET mobile security

SECURITY TO GO

Mobility has opened up workers to a world of productivity, but they’re not always using their work-related devices to get there. Increasingly, workers are using their personal devices to access sensitive work-related data, taking the network into their own hands — and taking security out of IT’s control. And the BYOD trend isn’t going anywhere. In fact, it’s gaining popularity, and today’s organizations have no choice but to implement new mobile security measures to keep up. Fifty-five percent of organizations will accommodate or encourage BYOD by the end of 2013, and 71% will do so by the end of 2014.1

80% The percentage of BYOD access that is inadequately managed or not managed at all by organizations.2

So How Are They Doing It?

MOBILE DEVICE MANAGEMENT (MDM) SOFTWARE
MDM Software has become the primary way in which IT maintains control of user devices, from those issued by your organization to your workers’ personal devices. It relies on content-security capabilities like:

Remote Locking and Wiping: IT staff can remotely lock a given device on demand, blocking user access to key credentials. Staff can even wipe a device in case of loss.

Mobile Application Management (MAM): Application sandboxing “wraps” an application so that when it executes, inside information cannot go out, and outside information cannot come in.

DATA LOSS PREVENTION (DLP)
Also known as data leakage protection, this kind of security software helps monitor the use of organizational data on personal devices in order to protect it from possible exfiltration. It can help monitor three types of information:
• Stored information
• Transmitted information
• Information manipulated by actions on each device


More than 1 million malware threats targeted Android devices during the first nine months of 2013, up from 175,000 a year earlier.3

NETWORK SECURITY

Distinct BYOD Networks: By creating a separate, dedicated network for BYOD access, organizations can isolate their internal networks from BYOD traffic and thus protect themselves from any risks it might carry.

Network Access Control (NAC): A NAC solution evaluates the security characteristics of a device that is attempting to connect to the wireless network. If it’s not up to organization standards, the device is either denied access or directed to a separate “remediation” network for corrective action.

Defending against advanced threats requires an adaptive approach, oversight of processes and reporting key metrics. Unlike traditional signature-based endpoint security solutions, RSA provides an integrated set of tools and services that can easily fit into your existing environment, enabling you to identify, protect and respond to security incidents rapidly.
CDW.com/rsasecurity

AirWatch provides a complete Enterprise Mobility Management (EMM) solution. The solution enables you to quickly enroll devices in your environment, configure and update device settings over-the-air, securely distribute organizational content and resources, and support personal devices accessing your network, email and apps.
CDW.com/airwatch

McAfee Next Generation Firewall — Powered by Stonesoft. Unified, modular security built for manageability, anti-evasion and high availability
• One unified software-based design for all network security controls
• One adaptive, affordable solution for all environments
• One integrated central management center
• One dynamic, contextually aware solution
CDW.com/mcafee

The MobileIron Mobile IT platform secures and manages apps, content and devices for global organizations. It supports both corporate-liable and individual-liable devices, offering true multi-OS management across the leading mobile OS platforms. MobileIron is available as both an on-premises system through the MobileIron VSP and a cloud service through the MobileIron Connected Cloud.

We’ve helped lots of companies embrace the benefits that BYOD has to offer and we’re here to help you too. Learn more at CDW.com/mobilesecurity

1Source: Citrix, Mobile Workstyles on the Rise, 2012
2Source: BYOD Survey, Ovum, September 2012.
3Source: Trend Micro

WE GET PCI Compliance

SECURED TRANSACTIONS

The rapid adoption of virtualization has made Payment Card Industry Data Security Standard (PCI DSS) compliance more complex than ever. There are more rules, more regulations and more ways for your system to be compromised. Payment card user data is one of the most sought after targets for hackers. To help protect this data and cardholders, a robust set of requirements was created. These requirements extend to all IT environments that store, process or transmit payment card data. With the rise of virtualized environments, those standards now apply to more applications, servers, networks and storage systems than ever before — making compliance more complex.

Obstacles to Compliance:

Complexity | The PCI DSS is 75 pages long and contains 12 high-level requirements and more than 200 sub-requirements. Virtualized environments add new levels of complexity to compliance due to the fact that any virtual machine that stores, processes or transmits cardholder data is considered in scope.

Validation | You will be required to provide quarterly network vulnerability scans and either a self-assessment questionnaire or an independent annual audit.

Oversight | Many organizations do not have adequate systems, policies and practices in place to be compliant.

Costs | Noncompliance can be costly to organizations due to civil penalties, class-action lawsuits and loss of clients, reputation or both.

ONLY 16% of organizations reported being prepared with proper security policies to confront an advanced persistent threat.1

5 Benefits of Compliance

Many organizations consider compliance with PCI and other regulations a nuisance imposed upon them by regulators. But it’s important to realize that compliance also brings business benefits. Here are five specific benefits that organizations typically realize as a result of their PCI compliance efforts:
1 Decreased risk of a security breach
2 Peace of mind
3 Avoidance of costly fines
4 Easy path to a secure environment
5 Customer confidence boost

STRAIGHTEN OUT YOUR SECURITY

PCI compliance in a virtualized environment requires both the right technology and security processes to be effective. Specific features should be designed to provide key capabilities such as:
• Privileged user access and activity monitoring
• Segregation of duties
• Secure multitenancy
• Hypervisor hardening

1Source: Lawmakers Increase Attention to Online Data Security and Privacy, Itknowledgeexchange.com

FIND YOUR PATH TO COMPLIANCE

As organizational needs change, often your IT infrastructure does as well. But if you’re accepting credit cards as payment — as most organizations do — these changes to your infrastructure can rattle your compliance with the Payment Card Industry Data Security Standards (PCI DSS). A concise plan to become or remain PCI DSS compliant can eliminate the compliance confusion that puts cardholder data at risk.

HP’s networking solutions help enable IT agility, business continuity and improved service delivery. HP’s unique ability to build a high-performance, resilient, energy-efficient, secure and flexible network enables organizations to reduce complexity and operational costs while supporting new applications and enhanced services.
CDW.com/hp

Palo Alto Networks is protecting thousands of enterprise, government and service provider networks from cyberthreats. Unlike fragmented legacy products, the next-generation security platform safely enables business operations and delivers protection based on what matters most in today’s dynamic computing environments: applications, users and content.

Today’s business environment is exposed to advanced threats and data theft, plus evolving regulatory compliance controls. Your challenge is to contain such threats, protect sensitive data from leaving your organization and comply with regulations. Websense Data Security Gateway delivers real-time data theft analysis beyond traditional network defenses for email and web channels, plus over 1,700 policies and templates for compliance.
CDW.com/websense

Sophos UTM gives you complete security from the network firewall to endpoint anti-virus in a single modular appliance. It simplifies your IT security without the complexity of multiple-point solutions. The intuitive interface will help you quickly create policies to control security risks.

CDW partners with industry leaders that set the bar for security solutions. Learn more about how we can help you develop a PCI compliance strategy that keeps you up to date. Visit CDW.com/PCIcompliance

WE GET DATA LOSS PREVENTION

HANDLE IT WITH CARE

Your data is valuable. But to be useful, it has to be accessible, shareable and mobile. Which makes your data vulnerable. To keep it safe while it travels, treat it like precious cargo. A multilayered Data Loss Prevention (DLP) solution can help safeguard your sensitive data as it is sent and received across the network perimeter, enabling your workers – and your data – to be productive and protected near and far. Most security measures focus on protecting an organization’s systems. But how can you protect your data once it’s been sent beyond the perimeter? A strong DLP solution can help seal it for your protection, allowing you to track and control it wherever it goes.

$300 billion. Estimated annual loss due to intellectual property theft.1

ENCRYPTION
By converting both stored and active data into secret code, encryption renders your sensitive information undecipherable to unauthorized users such as hackers who do not possess an encryption key.

DATA LEAKAGE PRODUCTS
These products allow IT staff to monitor, control and protect data no matter where it resides. IT can even restrict classified data from being printed, emailed or copied.

NETWORK-BASED TOOLS
By examining network traffic, these tools can report or lock transactions that violate policy, such as sending private ID numbers off-network.

CHANNEL-SPECIFIC PROTECTION
Designed to protect a single channel such as email rather than an entire network, these tools help fill in specific security holes more tightly.

In addition to providing peace of mind, preserving your organization’s reputation and protecting your intellectual property, a DLP solution delivers benefits such as:

DATA INTEGRITY | DLP techniques help prevent your data from being inappropriately altered and thus, help prevent the spread of misinformation.

ENHANCED INSIGHT | By consolidating and categorizing your data, you gain enhanced visibility into its structure, helping you identify new opportunities to improve efficiencies.

DATA CONFIDENTIALITY | By regularly updating your security policies and processes, you learn how and who is accessing your data, how they’re accessing it and where it’s going.

1 Source: National Bureau of Asian Research, “The IP Commission Report,” 2013

SAFE TRAVELS DLP is a journey, not a destination. Yet with so many possible security strategies, it can be hard to know where to start. Our assessments and services can help you do the heavy lifting. And our security team can point you in the right direction to help keep your data – and your IT staff – from getting lost en route.


OUR FIVE-STEP DLP PROCESS

STEP 1: DISCOVER
Identify data stores and traffic paths to ensure that security controls are properly assigned.

STEP 2: CATEGORIZE
Classify data based on value, sensitivity and confidentiality to establish a baseline for your security measures.

STEP 3: CONSOLIDATE
Aggregate your data stores. This improves manageability and facilitates the deletion of outdated files — simplifying the security process.

STEP 4: DESIGN
Create security policies that apply protections based on how data was categorized. This helps support objectives, industry mandates and adherence to government regulations.

STEP 5: EXECUTE
Educate users and enforce policies to help ensure that your sensitive data is properly protected and in the event of a breach — data loss is minimized.

Learn more at CDW.com/DLP

Symantec’s data loss prevention (DLP) solutions reduce risks and protect critical information with a single-source, multilayer technology that results in the measurable reduction of risk. CDW works closely with Symantec and has a Symantec DLP risk assessment team onsite. CDW.com/symantec

The award-winning FortiGate Network Security Platform delivers exceptional performance and protection while simplifying the network. Fortinet offers models for any deployment requirement, from the desktop FortiGate-20 series for small offices and retail networks to the FortiGate-5000 series for large enterprises, service providers, data centers and carriers. Every FortiGate product guarantees value and ease of management combined with strong protection. CDW.com/fortinet

Secure your network with integrated next-generation security based on application visibility and user-identity awareness — with optimal efficiency and throughput. The Barracuda Firewall makes it easy to regulate bandwidth and includes link balancing and failover. Compute-intensive content and malware filtering, as well as reporting, are offloaded to the cloud, ensuring maximum performance. With unlimited VPN licenses and no per-user fees, the Barracuda Firewall is highly scalable and affordable. CDW.com/barracuda

Your security ecosystem starts here. Juniper Networks connectivity solutions enable organizations to use the same enterprise network infrastructure to securely connect remote and local users and devices. This security is essential technology for enabling initiatives, such as BYOD, that increase employee satisfaction and productivity. Enterprise network security solutions help IT administrators guarantee consistent security and policy applications across the entire data center. CDW.com/juniper

To learn more about DLP, contact your CDW account manager, call 800.800.4239 or visit CDW.com/dlp-delivered

MOBILE SECURITY: Keeping the Mobile Environment Safe

Read about:
• Why mobile security makes the IT team a system integrator
• How mobile device management fits into your security picture
• The main features of NAC tools for mobile security
• Meshing endpoint and mobile security objectives

IT teams need to take advantage of tools to help manage enterprise security across disparate endpoint devices.

Mobility initiatives are driving senior managers in every type of business and organization to rethink workflow and day-to-day operations. But at some point, most find themselves looking to their technology staffs to handle the job of supporting these mobility initiatives, particularly when it comes to ensuring the security of these environments.

Not every initiative will need a broad suite of security products, but most will require one or more products in five key areas: mobile device management (MDM), network access control (NAC), endpoint security, encryption and authentication.

IT managers investigating these product categories will discover a mix of overlapping options, as many manufacturers seek to broaden the scope of their tools to meet the increasing mobility demands of users. Therefore, it’s wise to consider these products as a suite of complementary tools that, when used in conjunction, can help an organization embrace mobility without exposing assets to security risks. Any IT manager looking for full coverage when it comes to securing their mobile environment will be acting somewhat akin to a system integrator.

For most enterprises, a move to mobility or a broadening of its use will require deployment


Top MDM Evaluation Criteria

Criteria Why it matters

Enrollment process Onboarding devices is a huge task, and small differences in ease of use can translate into thousands of tech support calls. Unless devices will be manually enrolled into MDM software by the IT department, a bug-free and straightforward process is critical. Enrollment only happens once, but it colors the entire MDM experience.

Platform support No tool supports all platforms, and users with unsupported platforms will complain loudly. But picking a tool just because of its platform support may emphasize this factor too much. IT managers must balance the goal of going beyond the basics (iOS and Android devices running current software) to handling other types of devices, such as BlackBerry, Windows Mobile, Palm or Nokia Symbian devices.

Mobile email controls Email is one of the easiest ways for data to leak outside an organization. Managing mobile email, such as blocking large attachments or those with a particular signature or type, or by using whitelists or blacklists of particular mail systems, is a common feature that IT managers will want to consider enabling.

Encryption controls Lost data that’s encrypted is not nearly as bad as lost data that is not. The ability to ensure that data on devices is properly encrypted is key. In iOS devices that are always encrypted, control integrates with the unlock passcode, so encryption stretches into seemingly unrelated areas. Some MDM tools also preconfigure and lock down virtual private network (VPN) connectors. More advanced products can reach into corporate file sharing, by blocking, allowing, encrypting or otherwise controlling shares.

Application and version management The inevitable security bugs and bug fixes necessitate a means for keeping software up to date. MDM tools can enforce version control on operating system software, as well as applications. How a tool does this and the extensiveness of the controls helps to distinguish MDM tools. Many also contain application management features, such as blacklists and automatic installation and updating.

Delivery mechanism MDM tools are split between cloud and on-premises models. IT managers will need to decide which model they require early on, which will also help narrow product options.

Network controls In addition to loss and theft, IT managers may be worried about network use of mobile devices. Wi-Fi access policies (including encryption requirements and VPN integration) can be important for ensuring secure use of mobile devices, particularly while users are on the road. Sophisticated features, such as geo-fencing (controlling access when in specified geographic locations), may be worth considering depending on the sensitivity of the data involved.

of MDM, NAC and endpoint security — or some combination of these technologies. Although encryption and authentication clearly will play critical roles as well, they can be leveraged from the existing infrastructure as an organization adopts mobility.

What are the features that should be used to differentiate these products and simplify selection? And how should an organization decide which tools will best suit its environment? What follows are some key fundamentals about MDM, NAC and endpoint security, along with cheat sheets that list the most critical criteria to consider and why those features will matter when securing a mobile environment.

Mobile Device Management

MDM tools enforce enterprise policies on mobile devices, generally only smartphones and tablets. These policies govern features such as application configuration, security settings and version control. MDM products also universally include some type of remote-wipe functionality, considered a must-have because of the high rate of loss and theft of valuable mobile devices.

MDM tools generally do not include support for notebooks running Windows or Mac OS. This means that IT managers will usually need an endpoint security tool as well to enforce the same set of policies on larger mobile devices.

Network Access Control

Network access control is user-focused, network-based management of who can access the network. NAC tools are technology suites that work with existing network equipment (or sit in-line as a distinct enforcement point) to define access controls for devices based on user identification and security posture assessments. These tools authenticate users, collect authentication from trusted sources and combine authentication

information with policies to define access controls. This is typically based on group membership information stored in a central repository such as Active Directory. These policies can also be influenced by a posture assessment or security health check of the connecting device. Such assessments are often based on a device fingerprint or an on-device analysis of endpoint security, for example the presence of approved anti-malware software and recent patches. Based on authentication and posture assessment, the NAC tools push access control settings into a network dynamically to provide enforcement.

NAC tools mainly have been used on-campus for wired and wireless LAN deployments, although some NAC manufacturers have branched out to VPN connections and smaller WAN-connected services. For the mobility deployment, NAC tools offer a way to also verify that appropriate MDM agents are present on devices as part of posture assessments.

Mobile malware is on the rise, with variants spiraling from just more than 4,000 in November 2012 to 7,480 in November 2013.1

Top NAC Evaluation Criteria

Criteria Why it matters

Authentication and authorization NAC solutions are user-focused, so they need to authenticate (or otherwise identify) end users and network devices, allowing the NAC policy to be applied. Integration with Active Directory is usually considered a starting point, but NAC manufacturers differentiate their solutions by the types of endpoint authentication technologies available and the breadth of device support included. For example, users might be authenticated when they connect using 802.1x protocols, a web-based portal or through some specific NAC agent installed on their notebook or desktop. But Voice over IP (VoIP) phones might be authenticated by having a particular media access control address and by asking for specific Dynamic Host Configuration Protocol (DHCP) options.

Connection support All NAC solutions assume a LAN or WAN environment, usually with Wi-Fi Protected Access 2 (WPA2) for wireless and various other options for wired connections. But NAC is also applicable in wide-area remote access VPN topologies as well, both for IP security and Secure Sockets Layer (SSL) VPNs. If the NAC solution is meant to be universal and cover on-campus and off-campus connections, remote access should be evaluated.

Endpoint posture NAC solutions usually include a variety of environmental information, such as access method (wired, wireless, VPN) and time of day, but the main NAC use has always been endpoint posture assessment. A NAC solution must include some type of endpoint assessment tool, whether installed on the client or downloaded on the fly. Other endpoint security assessment strategies, such as external fingerprinting, can be part of a NAC solution as well, but obviously are not preferred in the case of managed desktops.

Enforcement options Enforcing policies and determining access controls are key features. Options range from a simple go/no-go answer or virtual LAN switching to basic packet filters or full stateful inspection. Enforcement will vary based on the switching infrastructure in place and the NAC goals. A credible NAC solution will support at least one (and usually more) of these four methods. As with endpoint security, additional access control methods may well fit into a NAC strategy, but an architecture that does not include an element of direct, in-line access control is not worth considering as a NAC solution.

Management methodology A NAC solution must bring together multiple products, possibly from multiple vendors, to a single integrated network security solution. The only way to do this effectively is to have a clearly integrated management system that ensures access control, end point security and that authorization policies are implemented without ambiguity or missing elements. Because NAC solutions often affect core infrastructure components, such as switches, firewalls and routers (all of which have their own management systems), figuring out universal applicability takes time and negotiations involving an organization’s IT, network and security teams.

1 Source: Symantec Intelligence Report (December 2013)

Mobility Evaluation Criteria for Endpoint Protection

Criteria Why it matters

MDM features Most EPP suites traditionally focus on enterprise use of desktop and notebook systems. As mobile workers move to other platforms, such as tablets and smartphones, having an integrated EPP console that covers all types of devices is a plus. Even more important is the integration of MDM agent features (such as policy enforcement on devices) and MDM server features (such as remote wipe and remote backup) with the EPP toolkit, reducing the need to maintain two tools that provide overlapping coverage.

Mobile data protection File, folder and disk encryption are vital tools for mitigating the risk of device loss and theft. Although the actual mechanics are often pushed into the operating system, policy definition and enforcement need to be an enterprise concern. EPP tools that can enforce encryption policies on all types of devices help ease the support of mobility security.

Application whitelisting Users rarely have administrator access to on-campus systems, such as desktop computers, but often have elevated privileges on personal notebooks — and sometimes even on enterprise ones. Although application whitelisting isn’t universally accepted as a tool to fight malware, many organizations are using it as an interim technology with great success. Whitelisting is a more critical feature in mobility deployments than for on-campus use.

NAC and DLP support The fewer agents installed on end-user devices, the more reliable and supportable those devices will be. As many mobility and bring-your-own-device initiatives include either NAC client software or on-device DLP, or both, having built-in EPP tools can reduce management footprint and increase device user satisfaction.

Platform support EPP tools have mostly focused on Windows, with some support for Mac OS X and other Unix operating systems. The requirements for anti-malware on mobile devices, such as iOS and Android smartphones and tablets, are not well defined. It’s clear that traditional anti-malware isn’t the main requirement, but other features of EPP, including anti-phishing, host-based intrusion prevention, firewall and security policy enforcement, are all going to be critical.

Endpoint Protection

Endpoint protection (EPP) software runs on end-user devices and servers to provide anti-malware, firewall, host-based intrusion prevention and other security related services. Enterprise endpoint security software adds the capability to deploy and manage these tools from a central management point. EPP makers increasingly are expanding into the data loss prevention and network access control categories because of the natural complement between EPP and these other products.

Although EPP and mobile device management have distinct overall goals, there is considerable overlap, and it is likely that EPP and MDM will merge either partially or entirely over the course of the next few years. This will happen in part because of the growing enterprise use of mobile devices, in addition to and sometimes instead of desktop and notebook systems. In response to these market changes, EPP manufacturers have begun to address the special requirements of mobile devices.

Five vendors — Kaspersky, McAfee, Sophos, Symantec and Trend Micro — dominate and control nearly 90 percent of the EPP market. At the same time, Microsoft has increasingly included EPP features in its base operating systems, reducing room for differentiation by third-party EPP vendors.

When evaluating EPP tools for mobility security initiatives, IT managers are constrained because most organizations already have EPP tools installed. This means that any switch in products comes at a high cost and will need to be justified by a corresponding increase in functionality.

For most organizations, a move to mobility or a broadening of its use will require deployment of MDM, NAC and endpoint security — or some combination of these technologies.

PCI COMPLIANCE: Protecting the Network While Achieving PCI DSS Compliance

Read about:
• Exploring access control capabilities
• Interior vulnerabilities
• Right-sizing firewalls
• Universal encryption

These four tips will help you pass a PCI audit without exposing your organization to security threats.


Some of the network security advice in PCI DSS is outdated and can distract from better approaches.

When it comes to compliance, the Big Kahuna remains the Payment Card Industry Data Security Standard. Why? Because PCI DSS affects any enterprise that collects, handles or transmits payment card data, and a lack of compliance can result in immediate and severe negative impact: the blocking of payment processing capabilities.

Every organization — large, medium, small, commercial, charitable nonprofit — must comply with the standard if they want to handle money via payment cards such as credit or debit cards. Even merchants that completely outsource their payment processing must comply, at least by attesting that they have no data onsite and have a written agreement with their payment handler to remain in compliance.

Although PCI DSS only applies, in theory, to the part of a network that has payment card data, many enterprises have not really segmented their network sufficiently to reduce the scope of compliance. Depending on the organization and the size of the network, PCI DSS may cover every network device and transmission, as well as every physical and virtual server.

Because PCI DSS is targeted and has an easy-to-understand set of requirements, it is not difficult for enterprises to comply with the spirit of the document. But, as with many standards of this type, it has spawned an entire industry of qualified security assessors (QSAs) that, for a significant fee, swarm over organizational networks to ensure compliance. Truth be told, these assessors are often more interested in enforcing the letter of the law and documenting “compensating controls” than helping organizations improve their security posture.

Enormous sections of the standard, which includes 12 chief requirements under six main categories, come down to common sense. And, if followed, PCI DSS can help maintain security of important network information. What’s more, an IT team can apply the standard to more than just payment card data.

However, it’s critical to understand that some of the network security advice in PCI DSS is outdated and can distract from better approaches. What that means is that the IT shop needs to make sure that adherence to PCI DSS does not run up against solid network security. Here are four tips to keep compliance and network security in harmony.

WHITE PAPER: The Principles of PCI Compliance
Need a primer on PCI DSS? This white paper offers an overview of its guidelines: CDW.com/securityguide3


Tip 1: Don’t Forego Access Controls

The PCI DSS documentation makes it quite clear that organizations need to have an enterprise DMZ and that there has to be a firewall between the DMZ and the internal network. That was all well and good in 1990 when firewalls were expensive, Ethernet ports were scarce, and the IT industry hadn’t figured out how to provide separation of devices for security purposes. But now the idea of a DMZ serving as a bad neighborhood where all the Internet services reside and the internal network acting as a single security domain is hopelessly outdated and far from a security best practice.

Organizations hosting Internet services (or actually any kind of internal or external services) want to isolate those systems so that security problems on one host do not spread to other hosts, and so that traffic between hosts is properly controlled, managed and audited. That means going far beyond a two-zone DMZ–internal approach. Instead, the IT department should begin segmenting every system and defining the appropriate inbound and outbound rules for those systems.

This segmentation work requires that the IT team explore the access control capabilities built into existing switches, load balancers and routers, as well as consider the expansion of firewall presence within the network. More important, it may require that the IT team redeploy hosts into different parts of the network to be sure that control points, whether switch, firewall, router or load balancer, are present between devices.

In extreme instances, an enterprise might need every host, virtual or physical, to have its own set of access control rules for all inbound and outbound traffic enforced at the network layer. Not every network manager will want or need to go that far, especially when hosts are clustered for availability purposes. But good security will require a dramatic increase in the number of security zones to lock down all traffic.

PCI DSS implies a two-tier model of processing: traffic from the Internet goes to a host, and only that host is then allowed to connect further inside. In some cases this helps, but in other cases it simply adds a complication to already complicated web-based applications. IT managers can work with application developers to ensure that a multitier application architecture is present, along with all appropriate network access controls, both satisfying the requirements of PCI DSS and avoiding unnecessary tiers.

An IPv6 Hurdle

The Payment Card Industry Data Security Standard perpetuates a longstanding myth that Network Address Translation (NAT) is a security mechanism. It’s an issue that security professionals have been working to educate network managers about for more than a decade. It’s particularly short-sighted in an era where enterprises are planning migrations to IPv6, which does not use NAT.

Unfortunately, PCI DSS is very clear: NAT use is required for IP addresses. This requires that network managers will have to create a compensating control to satisfy audit requirements, even as new network gear uses IPv6 by default.

The IT shop needs to make sure that adherence to PCI DSS does not run up against solid network security.

Tip 2: Consider Vulnerabilities Inside the Network Too

PCI DSS has a strong orientation toward the Internet as the source of attacks. Many of its requirements call for controls regarding traffic to and from the Internet. But the same controls aren’t in place for traffic to the rest of the enterprise. The effect of this is to push attackers from direct Internet access to indirect access by bouncing through compromised hosts on the inside. In fact, many of the high profile breaches since the advent of PCI DSS a decade ago have come from exactly this source: someone on the inside who, intentionally or unintentionally, evaded controls because they were on a trusted network.

IT managers who want to gain a stronger security posture should reread PCI DSS and recast every place it says “Internet” to “from anywhere.” In other words, all controls, audits and access restrictions must be in every direction, and to and from every network, not just the Internet.

PCI DSS provides strict requirements about access controls both below the network layer (such as physical access) and at the application layer, but it’s mute on the issue of strong internal network controls. This means that compromised systems and stolen credentials are more easily used by attackers, especially since two-factor authentication is only required from external networks, not on the inside — another security gap in PCI DSS where IT managers will want to go beyond the minimum.


Tip 3: Go Deep with Your Firewall Use

PCI DSS uses the term firewall frequently, without ever defining what it means by the word. In one important area, PCI DSS contradicts itself by referring to stateful inspection (a term invented by the security developer Check Point and associated with its widely imitated, patented firewall technology) and then referring to established connections as firewalling, although established firewalls are not stateful.

PCI DSS is also intentionally vague on where and how firewalls should be deployed, especially in modern networks with multiple chains of components, and how host-based firewalls fit into the picture.

IT managers can take advantage of these ambiguities and contradictions to right-size their firewall technologies to the needs of the network. By placing the appropriate technology at the right point in the network, the IT team can provide far greater security while keeping costs reasonable and performance up to par.

There are at least four kinds of network-based firewalls available:
• simple access lists in switches and routers;
• access lists with transport layer knowledge (the “established” type of access list) in switches and routers;
• fully stateful transport layer firewalls;
• newer application layer firewalls found in next-generation firewall hardware.

There are also some other very specialized firewalls, such as web application firewalls and application-specific firewalls.

By using a mix of firewalls — a concept often referred to as “deep firewalling” — an organization can place firewalls and other security devices (such as intrusion prevention systems) closer to the hosts they protect, rather than hanging out at the edge of the network. At a minimum, each host on a network should have simple or transport layer access lists in place, protecting it from every other host or zone in the data center. As natural groupings of hosts come together, more sophisticated firewalls, such as normal stateful firewalls and next-generation firewalls, can be added to provide better auditing and easier configuration changes.

Unfortunately, PCI DSS actually works against deep firewalling in its requirements for auditing and change control. This is because the standard assumes that all firewall and router configurations are manually constructed, approved and can be easily audited.

IT managers engaging in deep firewalling may need to separate out a minimum subset of firewalls to keep their QSA requirements satisfied, following the usual rules for manual configuration, change control and audit, while implementing additional security using automated tools deeper in the network and out of scope of the PCI DSS audit.

Tip 4: Encrypt Everything

The standard offers great advice on encrypting data at rest, but PCI DSS is caught in the past when it comes to data on the move. Rather than simply requiring that all network transmissions be encrypted, the standard differentiates between several types of networks, such as wireless, public, private and internal, and then offers varying advice on encryption for each.

When encryption was expensive and difficult to implement, this approach made sense, but such differentiation today adds complication and confusion. This puts the onus on application owners and developers to be frightfully aware of the underlying network topology in their organization. Applications must be strongly bound to their lowest level infrastructure because if the network changes characteristics, then the application or part of the network transport must change to remain compliant.

Binding applications in this way is a nonsense requirement in a world where all private networks are essentially public in how they function. The simplest and safest thing to do is to apply universal encryption to all data, all over the network, in transit.
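Tip 3 distinguishes the “established” type of access list from a fully stateful firewall. The following added example, which is not part of the original guide, runs one constructed packet trace through both kinds of filter to show where their verdicts differ. The connection tracker is deliberately simplified (no sequence numbers or timeouts), and all addresses and ports are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "FIN", "RST"}


def is_inside(ip):
    # Constructed addressing: 10.0.0.0/8 is the protected side.
    return ip.startswith("10.")


def established_acl(seg):
    """Stateless 'established' access list: each packet is judged on its own.
    Outbound traffic is permitted; inbound is permitted if ACK or RST is set."""
    if is_inside(seg.src):
        return True
    return bool(seg.flags & {"ACK", "RST"})


class StatefulFilter:
    """Simplified connection tracking keyed on the 4-tuple."""

    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> state
        self.table = {}

    def permit(self, seg):
        if is_inside(seg.src):
            key = (seg.src, seg.sport, seg.dst, seg.dport)
            if seg.flags == {"SYN"}:
                self.table[key] = "SYN_SENT"
                return True
            return key in self.table
        key = (seg.dst, seg.dport, seg.src, seg.sport)
        state = self.table.get(key)
        if state is None:
            return False          # no inside host opened this connection
        if "RST" in seg.flags:
            del self.table[key]   # reset tears the tracked connection down
            return True
        if state == "SYN_SENT":
            if seg.flags == {"SYN", "ACK"}:
                self.table[key] = "ESTABLISHED"
                return True
            return False
        return "SYN" not in seg.flags


def fl(*names):
    return frozenset(names)


# Constructed trace: a normal outbound session, then two unsolicited inbound segments.
TRACE = [
    Segment("10.0.3.10", 40000, "198.51.100.7", 443, fl("SYN")),
    Segment("198.51.100.7", 443, "10.0.3.10", 40000, fl("SYN", "ACK")),
    Segment("10.0.3.10", 40000, "198.51.100.7", 443, fl("ACK")),
    Segment("198.51.100.7", 443, "10.0.3.10", 40000, fl("ACK")),
    Segment("203.0.113.9", 443, "10.0.3.10", 40001, fl("ACK")),   # matches no connection
    Segment("203.0.113.9", 50000, "10.0.3.10", 5432, fl("SYN")),  # inbound open attempt
]


def compare(trace):
    """(established-ACL verdict, stateful verdict) for each segment in order."""
    fw = StatefulFilter()
    return [(established_acl(s), fw.permit(s)) for s in trace]


def disagreements(trace):
    """Indexes of segments where the two filters reach different verdicts."""
    return [i for i, (a, b) in enumerate(compare(trace)) if a != b]


if __name__ == "__main__":
    for i, verdict in enumerate(compare(TRACE)):
        print(i, verdict)
    print("filters disagree at:", disagreements(TRACE))
```

Both filters stop the inbound connection attempt, but only the stateful filter drops the ACK segment that belongs to no connection an inside host opened, which is why an “established” access list counts as transport-layer-aware rather than stateful.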


about the contributors

Aaron Colwell is an Inside Solution Architect specializing in network security for CDW. With more than seven years of experience in IT, he works with organizations to help refine their security policies and practices and assists them with industry and government regulatory compliance. He often speaks at conferences and has been quoted in many industry publications.

Matthew Jach has been a Senior Security Engineer with CDW for the past thirteen years. During his tenure, he has worked as a penetration tester, functioned as the information security technical lead for CDW’s data center operations, and led an engineering team focused on conducting data loss prevention risk assessments. In his current role, he supports CDW’s Security Assessment Team, which is responsible for providing professional security consulting services, including vulnerability assessments, application security reviews, incident response and forensics, and various compliance and risk management gap analysis projects to assist customers with developing cost-effective strategies to safeguard critical data and infrastructure.

Joel Snyder, Ph.D., is a senior IT consultant with more than 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Dr. Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations around the world.

SCAN THIS! Browse our digital publications on the go with the CDWPubs app.

Is Your Network Safe From Malware? Make Sure.
CDW Threat Check: Learn how this service works, passively scanning your network for malware, giving you the data you need to better plan your security future. CDW.com/threatcheck

CDW Reference Guide february 2014 | 800.800.4239 | CDW.com/securityGUIDE
