Home » Blog


Posts Categorized Under "DATA SECURITY"

Linoma Software products are not affected by Heartbleed bug

Heartbleed bug graphic from heartbleed.comIf you are a Linoma Software customer using any of our products such as the GoAnywhere suite (Director, Services, Gateway, Open PGP Studio), Crypto Complete, Surveyor/400 or the RPG Toolbox, we are pleased to report that our products are NOT vulnerable to the Heartbleed bug.

The CVE-2014-0160 exploit, or Heartbleed bug, has made big headlines over the last 48 hours. The Heartbleed bug exploits vulnerabilities in the popular OpenSSL server software potentially allowing the memory of SSL/TLS encrypted systems to be compromised. The bug essentially allows access to the memory of the SSL/TLS protected systems and attackers can potentially steal and read formerly encrypted information such as usernames and passwords, credit card numbers and other sensitive data. To learn more about the Heartbleed bug please visit Heartbleed.com. Additional resources allow you to check and see if your website or server is affected by the Heartbleed bug: Heartbleed Test and LastPass Heartbleed Checker.

GoAnywhere Suite (Director, Services, Gateway, Open PGP Studio) GoAnywhere does not use native libraries for SSL/TLS and relies on the JSSE libraries of the JVM that GoAnywhere is running on. This exploit does not exist in the JSSE implementation of SSL/TLS. While Tomcat does, however, have the ability to utilize native SSL/TLS capabilities for its HTTP/S connections with the APR Connectors, GoAnywhere does not employ this functionality. GoAnywhere Secure File Transfer mobile apps: For Apple devices: The GoAnywhere Apple app uses the Secure Transport implementation of SSL/TLS and is not affected by Heartbleed. For Android devices: The GoAnywhere Android app uses the JSSE implementation of SSL/TLS and is not affected by Heartbleed.

Surveyor/400: Surveyor/400 does not use native libraries for SSL/TLS and relies on the JSSE libraries of the JVM that Surveyor/400 is running on. This exploit does not exist in the JSSE implementation of SSL/TLS.

Crypto Complete: Crypto Complete does not use SSL/TLS for Field or Backup encryption and is not affected by Heartbleed.

RPG Toolbox: Our RPG toolbox does not use any encryption and is not affected by Heartbleed.

Linoma Software and HealthIT Security Partner on HIPAA Best Practices Guide

SystemiDeveloper_logoAt Linoma Software we understand the importance and challenges of HIPAA compliance. Whether your organization has been compliant with the HIPAA Omnibus Rule for months or it's still shoring up some compliance gaps, there are likely tips you've picked up along the way.

Our partnership with HealthIT Security allows us to bring timely and actionable information to healthcare IT professionals and executives. This HIPAA Best Practices Guide uses expert analysis and industry expertise to focus on exactly what will be expected technically, administratively and policy-wise among HIPAA covered entities and business associates (BAs) during potential audit scenarios.

With the estimated cost of compliance falling around $14.5 million annually, regulated healthcare businesses can't afford HIPAA non-compliance with PHI.

If you have a regulated healthcare business, learn how the HIPAA Onmibus Rule could affect you and how to protect your company by ensuring your forms, files, policies and procedures are 100% HIPAA compliant.

Click here to download the HIPAA Best Practices Guide today.

Data Breaches Threaten Companies Worldwide

As technology staffs contend with ongoing changes to the data distribution landscape, it is important to keep abreast of data security risks and to understand the significant importance of properly managing customer's private data.

data breachThe Ponemon Institute recently released its annual data breach report which provides stats on data security issues and trends. With more than 277 companies involved and 1400 individuals interviewed, this report provides a current and unique perspective of potential security risks associated with even the smallest data breach.

Below are highlights of the report which indicates data breaches remain a difficult challenge.

  • The report identifies three key causes of data breaches worldwide:
    • Malicious Attacks - 37%
    • Negligence - 35%
    • System Errors - 29%
  • The average per capita costs of a data breach increased to $136 per capita over the $130 per capita from the previous year.
  • The US had the highest total per incident cost of $5,403,644.
  • In 2013 the average number of breached records was 23,647
  • Healthcare, Financial and Pharmaceutical industries continue to be the top industries with the highest per capita costs incurred.
Ironically, the report noted that organizations that notified victims too soon following a data breach actually incurred higher costs. This is an indication that an incident management plan should be in place to properly mitigate the data breach event.

It's clear, based on the data in this report, that companies need to look beyond technology solutions that secure systems and communications. It is important that the human factors are considered like employee training and creating an incident management plan to provide a full proof data security strategy.

Take a look at the full 2013 Ponemon Institute Data Breach report for more information on the top reasons that data breaches occurred and ways to decrease the risks and costs associated with them.

For information on how your company can build a better strategy to avoid data breaches, download our free white paper "Defending Against Data Breach: Developing The Right Strategy for Data Encryption."


Upcoming Webinar: Focus on FTP Server Compliance

Get Your FTP Server in Compliance

Revised - Watch the Latest Webinar Recording

With the recently added rules for the Healthcare Insurance Portability and Accountability Act (HIPAA) that now holds trading partners and business associates accountable if they also handle patient data, it's a good time to review whether your FTP server is updated and ready to meet compliance requirements. Learn how to keep your data as well as trading partner files protected within your network and still allow external access without opening inbound network ports. You can also see a demo of Linoma Software's GoAnywhere™, a managed file transfer solution that includes a secure FTP server and a reverse proxy DMZ gateway with clustering and load balancing capabilities to ensure high availability.


IBM i Encryption Made Easy with DB2 Field Procedures

Now Available On Demand

IBM i 7.1 DB2 Field Procedures, data encryptionDuring this recorded webinar, you can learn about how to make the DB2 Field Procedures Tool in IBM version 7.1 work even more efficiently as part of a more comprehensive solution, one that makes it easier to implement encryption, manage keys, and generate auditing reports so important for meeting compliance regulations like HIPAA and PCI DSS,. You can also see a demo of Linoma's popular encryption software Crypto Complete.

Learn more

All of our webinars are recorded, so if you register and are not able to attend live, you'll be able to review the webinar at a more convenient time.

We look forward to having you join us and will be happy to answer any questions you have.



What Can We Learn from the LinkedIn Breach?

Today is another unfortunate reminder that no matter the size of a company or its industry, a data breach makes headlines.

Not only does it attract negative attention and erode customer confidence, an announcement that your company's data has or may have been compromised can result in some steep financial penalties. If fines associated with violating regulations like HIPAA or state privacy laws don't get you, potential lawsuits might.

Take LinkedIn, for example. Earlier this month, the social network of business professionals reported that nearly 6.5 million encrypted passwords had been leaked online.

Today, Mashable.com reports that LinkedIn is facing a $5 million civil lawsuit from a user claiming that LinkedIn's security policy violated industry standards for database security.

There really are no lessons for the rest of us to learn from this latest breach, because most of us already know what we're supposed to do.

  • Keep passwords secure, reasonably complex, and change them regularly.data breach
  • Ensure your company is using only the most secure encryption standards like AES or Open PGP.
  • Stay abreast of the latest news and techniques for keeping your company security policies and practices up to date and as impenetrable as possible.
  • Invest in solutions that streamline your data encryption processes, that include comprehensive auditing and reporting tools, and that ensure the security of your data at rest and in motion.

The question is how much longer can you postpone taking these steps to ensure that your company isn't making news next week with an embarrassing and costly data breach?

Tokenization: A Powerful Weapon Against Cyber Attack

Tokenization in the data security world is the process of moving sensitive data from a company network to a separate location or sever, and replacing and referencing that data on the company server with a unique token.

If hackers attempt to access sensitive information like credit card numbers from a server, they'll instead encounter the token which prevents them from finding the original data without a specific encryption key or knowledge of the tokenization system.

Linoma Software GoAnywhere Managed File Transfer SolutionFor example, say a merchant acquires a credit card number by swiping a customer's card with a card reader. If the merchant has implemented tokenization, this card number information is immediately replaced in the merchant's database by a token number while the actual card number is sent and stored (in encrypted form) at a different location, along with the reference from the token.

Because the actual card number is never stored in the merchant's front-end system, hackers have a much more difficult time stealing it. Customers can therefore be assured that it is safe to let that merchant use their card information because the actual credit card numbers are not stored in an easily accessible location.

All organizations that capture credit card data are required by the PCI DSS government regulations to secure and protect this data. Originally, this presented a challenge to the payment industry until Shift4 Corporation presented tokenization solutions at an industry Security Summit in 1995. The adoption of tokenization became a popular solution to meet the PCI DSS compliance regulations.

>>Check out these white papers discussing PCI DSS compliance issues, and data breach threats

Other industries are beginning to adopt tokenization to protect confidential information such as banking transactions, medical records, criminal records, vehicle driver information, loan applications, stock trading and voter registration.

Finding the most efficient way to implement tokenization is challenging, but the growing threat of cyber attack and the expense of data breach have motivated IT shops to research options in earnest.

A variety of third-party software solutions, such as Linoma Software's Crypto Complete, deliver tokenization tools as well as additional options for managing encryption keys, audit logs, message alerts; storing tokenized data; automatically assigning token identifiers; and providing a central management platform for the entire tokenization process.

When a greedy hacker in anticipation of scoring a cache of customer credit card data finds instead a series of tokens, companies win another battle in the war against cyber thieves.

AIX Webinar Next Week To Make File Transfers Easier

As any AIX administrator or programmer knows, file transfers can be a huge headache. Writing all of those shell scripts is not only time consuming, but it's tedious and presents many opportunities for errors. Then there's keeping track of which files need to be sent, which need to be placed in the DMZ for trading partners to retrieve, and which ones may be being sent ad-hoc from elsewhere in the company.

Another huge hassle is verifying that every file actually reached its intended recipient intact, which often requires checking multiple times and then tracking down what went wrong.

Finally, don't forget the pressure to meet compliance regulations such as PCI DSS, HIPAA, SOX, and state privacy laws. With the Global Systems data breach still fresh in the news, it's obvious that no AIX administrator wants to have to explain how sensitive data was compromised.

Fortunately, there are tools and processes available that can minimize the time and effort involved with file transfers while increasing efficiency and data security.

We invite you to sit in on this AIX-only webinar on Thursday, April 12, at noon CDT to learn about how a managed file transfer solution can cure the headaches of manual file transfers while preventing future headaches related to the possibility of compromised data.

Now Available On-Demand. View the webinar recording here.

How Managed File Transfer Changed My Life

In addition to being one of Linoma Software's expert bloggers, Daniel Cheney is also in the IT trenches, and it was here that he first discovered the impact the switch to a managed file transfer solution had on his daily work life.
_ _ _ _ _ _ _ _ _ _

As a technology administrator at a major healthcare administration company, sending and receiving sensitive files between various systems used to be a daily grind and a consistent source of stress. We were using PC-based freeware FTP tools and the built in FTP functions on the IBM iSeries. The best we could do with scripting was to use CL command scripts to call the FTP function and hard code the login information. RPG programs would then call the CL scripts and retrieve and send the needed files, but there were insufficient logs and alerts for such automated activities.

The biggest headache for me was that these scripts, and the resultant sending of files, had to be error-free and reliable! Add to that the pressure of knowing how critical exchanging files is to the operation of the business and the challenge of having a single person responsible for its success -- it all became an unrealistic expectation. On top of this, because most of these files are sent over the Internet, and because of the inadequate tools we had at hand, the security of our FTP processes was insufficient.

I knew it was time to find a better solution and after doing some evaluation of available managed file transfer products for IBM iSeries, I selected GoAnywhere™ Director from Linoma Software.

Our installation of GoAnywhere Director made a huge difference almost immediately.

First, Director provides me with all the possible security protocols available, including SFTP, FTPS, and standard FTP with PGP encryption. It also has powerful scripting functions to login to HTTP and HTTPS sessions in order to automate logins to partner sites for file transfers.

Director makes it possible to automate all of the company's file transfers with a schedule and log so we know the path and time of every transaction. Alerts are automatically sent to us if there are any problems, or if we wish, every time it succeeds. Responsibility can be distributed to various departments as needed to receive these alerts and/or to begin the execution of the transfers when ready.

The simple-to-navigate web interface makes it easy for any user to view, verify, change and execute these file transfers. The scripting is easy for the average user to setup. If there are any challenges that we come up against with our file transfer processes, Linoma support has always been extremely effective at showing me how to do a successful execution.

I know how frustrating it can be to initiate, monitor, and track the ever increasing number of file transfers my company requires, especially without an all-in-one tool like managed file transfer. It amazes me how many IT people still don't realize there's a better way to do things -- a way that gives them more control, and more time to devote to all the other projects demanding their attention. I know managed file transfer -- and specifically GoAnywhere Director -- changed my life at work. I hope more of my IT colleagues discover the advantages soon.

Citigroup Breach Triggers Congressional Response

The data breach at Citigroup in May - a breach which reportedly exposed an estimated 200,000 customer accounts - has motivated members of the U.S. Congress to re-introduce legislation to penalize the very organizations that have been victimized by hackers. What are the next steps your company should take?

New bills to protect consumers' personal data

Linoma Software Managed File Transfer SolutionsTwo bills are proposed by both House and Senate legislators.

First, Sen. Patrick Leahy (D-Vt.) has introduced the Personal Data Privacy and Security Act of 2011. The new bill provides:

  • Tough criminal penalties for individuals who intentionally or willfully conceal a security breach involving personal data;
  • A requirement that companies that maintain personal data establish and implement internal policies to protect data privacy and security; and
  • A requirement that the government ensure sensitive data is protected when the government hires third-party contractors.

This act would also require, under threat of fine or imprisonment, that businesses and agencies notify affected individuals of a security breach by mail, telephone or email "without unreasonable delay." Media notices would be required for breaches involving 5,000 or more people. The FBI and the Secret Service would need to be notified if the breach affects 10,000 or more people, compromises databases containing the information of one million or more people, or impacts federal databases or law enforcement.

But that's not the only security bill that has businesses concerned.

In the House, Rep. Mary Bono Mack (R-Ca) is holding hearings in preparation of a bill she's named The SAFE (Secure and Fortify) Data Act that would also require "reasonable security policies and procedures" to protect consumers and enable disclosures to victims and the Federal Trade Commission within 48 hours of a data breach.

Companies no longer viewed as the victims

All this sounds good from the consumer's point of view. But what about the expense - and potential Linoma Software GoAnywhere Managed File Transfer Solutionpenalties - suffered by the "owners" of the data: the businesses themselves?

While these bills may address the public's interest for notification -- and indeed they would bring some semblance of a national standard - they also represent an interesting shift in the liabilities that companies will face. How is that?

Though we currently have no federal data breach notification law, federal policies now view the companies that experience a data breach as the victims of crime. However, under the proposed legislative bills, companies that do not act quickly to appropriately secure the personal data of customers - or fail to report a data breach in a reasonable amount of time - would not only suffer the theft of data, but also be held liable for its loss.

This is a significant shift. Companies are now being viewed not as the owners of consumer data, but merely guardians and trustees whose job it is to protect that data or face criminal penalties. And the message is clear: if companies won't take adequate precautions to secure the sensitive data of our customers, they'll pay a hefty price.

Where does your company stand?

In a world in which diligent hackers have the power break into seemingly secure networks and systems, what can your company do?

The challenge is first to determine exactly what qualifies as adequate precautions.

GoAnywhere Secure Managed File Transfer A review of the HIPAA HITECH security provisions that took effect last year provides some insight about what the government considers adequate protection.

HITECH strongly recommends the use of encryption technology. Encryption is a good place for your company to start, especially when dealing with the data your company stores on its servers. If sensitive data itself is kept securely encrypted, a data breach doesn't expose the content of the information itself.

Secure managed file transfer protocols - which send data using encryption - is the second place to focus attention.

If data is encrypted when it is being securely transmitted between business partners, the value of that data should it be breached - through hacking, theft, or other malicious actions - is worthless. Encryption and secure managed file transfers can dramatically minimize the holes of technical breaches, significantly reducing an organization's liability.

Preventing exposure

The Citigroup data breach has rekindled the momentum for a nationwide, cross-industry data breach reporting standard. This standard will not to eliminate the physical breaches themselves. What's needed is legislation to encourage companies secure the underlying data that is the target of the hackers.

Isn't it time for your company to take a serious look at its liabilities and to investigate how encryption and managed file transfers can close these important security holes?