Tag Archives: Case study

Information Security Best Practices

What is more important – patient safety or hospital IT?

What is more important – patient safety or the health of the enterprise hospital Windows network?  What is more important – writing secure code or installing an anti-virus?

A threat analysis was performed on a medical device used in intensive care units.  The threat analysis used the PTA (Practical threat analysis) methodology.

Our analysis considered threats to three assets: medical device availability, the hospital enterprise network and patient confidentiality/HIPAA compliance. Following the threat analysis, a prioritized plan of security countermeasures was built and implemented including the issue of propagation of viruses and malware into the hospital network (See Section III below).

Installing anti-virus software on a medical device is less effective than implementing other security countermeasures that mitigate more severe threats – ePHI leakage, software defects and USB access.

A novel benefit of our approach is derived by providing the analytical results as a standard threat model database, which can be used by medical device vendors and customers to model changes in risk profile as technology and operating environment evolve. The threat modelling software can be downloaded here.

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this

SOX IT Compliance

A customer case study – SOX IT Compliance

We performed a Sarbanes-Oxley IT top down security assessment for a NASDAQ-traded advanced technology company. The objectives for the study were to evaluate the internal and external threats that impact the company’s information assets. Using the Business threat modeling (BTM) methodology, a practical threat analysis PTA threat model was constructed and a number of threat scenarios were analyzed. Data was collected using structured interviews and network surveillance (with a Fidelis XPS appliance). Assets were valuated by the CFO and the IT security operations and technologies were valuated by the CIO. The output of the study was a cost-effective, prioritized program of security controls.This program was presented and approved by the management board of the company- leading to an immediate cost savings of over $120,000/year in the information security budget.

The detailed threat model was provided to the client and is currently used to perform what-if analysis and track the data security implementation. 

Download the data security case study and download the data security report to the management.

Conclusions

  1. The bulk of the security budget is currently spent on sustaining network perimeter security and system availability. Not surprisingly, these countermeasures are not particularly effective in mitigating insider threats such as lost or stolen hardware and information leakage, which now dominate the company’s risk profile.

  2. In corporate IT Security operations: The two major data security systems that were purchased in 2007, Imperva and Fidelis XPS Extrusion Prevention System have not yet been fully implemented and do not provide the expected benefit. To be specific, Imperva needs to be able to produce real-time alerts on violations based on logical combinations of OS user, DB application and DB user. Fidelis needs to be deployed in the subsidiaries. Monitoring from both systems needs to become a daily operational tool for the security officer.

  3. In the Asia Pacific region: Loss of notebooks to the tune of 2-3 / quarter is a major vulnerability although content abuse of the corporate network is assessed as negligible due to cultural factors.

  4. In general: Publicly facing FTP servers must be monitored carefully for violations of the company acceptable usage policy. In the course of the risk assessment, we discovered strategic plans and proprietary source codes that were stored on publicly accessible FTP servers.

Tell your friends and colleagues about us. Thanks!
Share this

DLP for telecom service providers

A customer case study: Using DLP to protect customer data at a telecom service provider

Our first data loss prevention  (DLP) project was in 2005 with 013 Barak – now 013 Barak/Netvision. It followed on the heels of an extensive business vulnerability assessment and management level decision to protect customer data.   It’s significant that 013 Netvision were well prepared with their DLP system attacks like the Israeli trojan.

013 Barak Data Leakage case study

Tell your friends and colleagues about us. Thanks!
Share this

DLP in on-line trading

A customer case study  – DLP helped diamonds.com be more secure and more competitive.

We designed and implemented a large scale IT infrastructure modernization project that was tasked with improving availability, scalability and security of the online diamond trading networks at diamonds.com and diamonds.net. Network DLP appliances were deployed in the US and in EMEA at the company’s hosted server farms in order to help protect sensitive customer and commercial data.

Read the Customer solution case study

Tell your friends and colleagues about us. Thanks!
Share this

Digital content protection

A customer case study – Digital content protection for VOD on a TCP unicast network

One of our most interesting projects recently was a digital content protection and secure content distribution software development projects  in the field of IPTV and video on demand.

We were called in at a critical stage in project delivery to help manage the development and design the encryption for the digital content protection.

Read more about the VOD IPTV solution

Tell your friends and colleagues about us. Thanks!
Share this

Cloud security assessment

A customer case study – cloud security assessment

Faced with a steep bill for securing a new cloud application, a client asked us to help find a way to reduce their risk exposure at the lowest possible cost. By using the Business Threat Modeling methodology and PTA (Practical Threat Analysis) software, we were able to build a risk mitigation plan that mitigated 80% of the total risk exposure in dollars at half the original security budget proposed by the vendor.

Continue reading

Tell your friends and colleagues about us. Thanks!
Share this