Biscom Delivery Server is now “in process” for FIPS 140-2 certification. FIPS 140-2 (Federal Information Processing Standard) certification is a US Government security standard for accrediting cryptographic modules. The National Institute of Standards and Technology (NIST) defines the cryptography requirements in its FIPS 140-2 publication, and software like BDS must pass the Cryptographic Module Validation Program (CMVP) in order to receive certification. Level 1 is geared towards software solutions, whereas level 2 is required for hardware solutions that have physical security mechanisms.
On the heels of my last blog post about dumpster diving online storage and file sharing services, Wired posted a story on the validity of Dropbox’s claims about their data security.
I guess the bottom line is you have to really understand how applications and services handle your information, and how it may affect your own security policies and requirements, especially SaaS services.
File sharing services are under scrutiny and most of them fail miserably. Researchers were able to harvest 310,735 files in just one month using a crawler, which included photos, zip files, PDFs, and office files. InfoWorld reported the results of the study, and “what they found will raise — no, curl your eyebrows.” The study also shows that there are people all over the world who are actively dumpster diving for files on these file sharing sites.
These file sharing and collaboration sites committed several sins, including the use of sequential IDs in their URLs. This is a good lesson for those of you looking for ways to send or share your files – make sure your vendor has extensive security experience, implements a secure architecture, and actively defends against common penetration attacks. Almost anyone can offer a secure file transfer solution, but not all SFT vendors are created equal. Do your homework, weed out the wannabes, and choose wisely. Or, you can just pick Biscom Delivery Server and be done with it.
SQL injection is still out there as an attack. It worked against Twin America LLC, and it was only discovered this past October, after hundreds of thousands of records were stolen. It’s a well known ploy – you take advantage of web sites that have a form for inputting information. If a site doesn’t employ techniques to nullify SQL injection, an attacker can easily see your entire database, which often includes usernames, passwords, and account information, or worse, download the information and then destroy the database.
Two common areas that are potentially open to attack are unfiltered escape characters, and poor type handling. In an unfiltered web form, a form variable is plugged directly into a SQL statement. If I crafted just the right input, I could potentially append my own SQL clause to the one being executed. The classic example is:
"SELECT * FROM user_table WHERE username = '" + username + "';"
If instead of a valid username, I entered ' OR '1'='1, I’d now be running this statement:
SELECT * FROM user_table WHERE username = '' OR '1'='1';
The OR '1'='1' clause will always evaluate to true, so the query returns every row (with all columns, because of SELECT *) from the user table.
A second potential hole exists if the programmer does not check for type constraints. If a SQL statement is expecting a number, the input to supply that variable should be checked to make sure it truly is a number. Again, like the trick above, I could insert an entirely new statement like DROP TABLE user_table after entering a number into a form. The back end would then execute whatever statement I presented to it.
There are several techniques to protect a Web application from these types of attacks, including the use of parameterized statements, or even escaping characters that have a special meaning in SQL. But programmers have to be diligent about adding this protection, because hackers will find even the smallest hole and take advantage of it.
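The two holes described above and the parameterized-statement fix, as an added example that is not part of the original post and not Biscom code: a constructed in-memory SQLite table, the page’s string-concatenation query beside a bound-parameter version, and a numeric check for the ID field.

```python
import sqlite3


def make_db():
    # Constructed sample data so the example runs offline
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_table (id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO user_table VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # The classic example from the text: the form value is pasted into the SQL text,
    # so quotes inside it become SQL syntax
    sql = "SELECT * FROM user_table WHERE username = '" + username + "';"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # The value is bound as a parameter and is only ever compared as data
    sql = "SELECT * FROM user_table WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def parse_user_id(value):
    # Second hole from the text: a field that must be a number is checked before use.
    # Returns the whole number, or None for input such as "1; DROP TABLE user_table"
    text = str(value).strip()
    return int(text) if text.isdigit() else None


def lookup_by_id(conn, user_id):
    uid = parse_user_id(user_id)
    if uid is None:
        raise ValueError("user id must be a whole number")
    return conn.execute("SELECT * FROM user_table WHERE id = ?", (uid,)).fetchall()


def demo():
    # Returns row counts for: a benign name, the always-true injection against the
    # concatenated query, and the same input against the parameterized query
    conn = make_db()
    benign = lookup_vulnerable(conn, "alice")
    injected = lookup_vulnerable(conn, "' OR '1'='1")
    safe = lookup_parameterized(conn, "' OR '1'='1")
    return len(benign), len(injected), len(safe)
```

Running demo() gives (1, 3, 0): the injected input dumps the whole table through the concatenated query and matches nothing through the parameterized one.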
Biscom spends its time worried about these types of hacks, so you don’t have to. Countless penetration tests have proven our security model. We think our customers want a secure file transfer solution that is actually secure.
I’ve recently returned from the ILTA Conference in Las Vegas and if you haven’t heard, there’s been a lot of exciting buzz about the event. Biscom had the opportunity to exhibit at ILTA this year; we had a great turnout, and when looking back, I’m pleased to say I left with many new connections, friends and valuable information (can’t say I left Vegas any richer though, the casinos won this time).
While e-discovery, litigation support, and case management were among the usual hot topics at ILTA, discussions I’ve had with legal professionals suggest security and data protection are the new black. We experienced record crowds at the booth from law firms looking to solve the growing challenges of preventing unintended employee data breaches and meeting compliance with data privacy regulations. Furthermore, we were featured as one of the top 20 booths to visit at ILTA; according to Law Technology News, we were the only secure file transfer provider at the conference, reinforcing our leadership in the legal market and our commitment to meeting the specific needs of law firms and corporate legal departments.
It was an exciting and successful event and one where we gained valuable insights regarding the needs and challenges of law firms, such as:
• Legal IT is growing increasingly frustrated with the cost and inefficiency of transferring large files through the traditional methods of e-mail, FTP and overnight courier. This was validated by the 2010 ILTA Member Purchasing Survey released at the conference. For the second year in a row, e-mail management was identified as the biggest challenge facing legal IT overall.
• File transfer security is an increasing concern. Security moved from the 7th position last year to the 4th position in the ILTA purchasing survey’s “biggest challenge facing IT”.
Somewhere in the middle of manning the Biscom fort in the exhibit hall, I had the chance to attend two very informative sessions. The first, “Taming the E-mail Filing Monster with iManage WorkSite 8.5,” included an open panel discussion of three law firms and how they deployed iManage to move e-mails out of Exchange to iManage for tracking e-mail content by matter and reducing Exchange storage – a growing need for law firms. The other, “The Changing Regulatory Landscape and its Effect on Law Firms,” featured Beth Chiaiese, Director of Loss Prevention, and Jodi Malek, CIO, of Foley & Lardner. Key topics discussed involved HIPAA, HITECH and the Massachusetts Data Breach regulations and the specific compliance requirements for each, including the important role technology plays in meeting compliance, such as the encryption and secure transfer of sensitive data.
We also had an opportunity to meet with several members of the press. Sean Doherty, Sr. Technical Editor, Law.com was excited to hear about the new BDS 4.0 features, integration with iManage and plans to integrate with SharePoint (Last December Sean published an in-depth BDS product review in Law.com). We certainly appreciate his time.
Overall, the ILTA Conference was a rousing success and we look forward to next year’s conference.
As an added benefit, you may also enjoy these post-ILTA reviews: