Chief Technology Officer

Nuix North America

Stephen, based in Nuix’s US east coast office, has over 10 years of experience working with both public and private sector organizations to provide solutions for their data investigation and storage challenges.  These experiences have taken him from the boardroom to the raised floor of the data center to ensure that the appropriate solution is implemented.  In the process, Stephen has helped numerous financial institutions, from Goldman Sachs and Deutsche Bank to Liberty Mutual and Putnam to develop, design, and implement solutions to meet both their regulatory, business and compliance requirements.

Stephen’s hands on experience working with the technology, the IT and investigative staff, and having to report and manage expectations to client’s legal and electronic investigation teams have put him on the frontline in numerous e-mail discovery engagements.  His ability to understand the low-level technical detail and translate that into plain English for business users and legal professionals has allowed him to successfully bridge the gap, acting as a trusted advisor to technologists, attorneys, and business professionals.

In previous roles, Stephen was the Subject Matter Expert for Discovery and Archiving at CommVault Systems where he worked with both internal and external resources to ensure that CommVault was effectively meeting the needs and expectations of the discovery and archiving market. Prior to CommVault, Stephen spent seven years at EMC where he held a variety of positions from Consulting Systems Engineer for the Messaging Business unit to Consulting Product Manager for the EmailXtender product line.  During his time at EMC, he spent significant time working hand in hand with customers to build their process and use of the tools to effectively respond to electronic discovery requests.

Stephen is a frequent speaker in both the legal and IT communities regarding the challenges of e-mail archiving, electronic discovery and investigations, and data management.

Plaintext Telnet and FTP connections constitute a serious risk to the integrity of enterprise networks. Due to the challenging new legislations, stricter auditor requirements, and more sophisticated network attacks, security is no longer an option – it is a must.

Join us on with our SSH Webinar about “Securing File Transfers” and we will introduce how easily and cost-effectively you can implemement secure file transfers in your heterogenious network.

In this Webinar you will learn about:

•  Different file transfer techniques used by enterprise IT today
•  The key challenges and requirements related to security of automated file transfers
• Key benefits f SH tectia as your chose for secure file transfer solution

You will also be introduced to the latest number of the SSH Tectia solution, the new SSH Tectia ConnectSecure for enhanced file transfer capabilities for all SSH environments including OpenSSH. 

Date:   Thursday, 18th September 2008

Time:   4 PM Singapore

4 PM Malaysia

3 PM Thailand 

3 PM Indonesia

4 PM Philippines

*(Please check your time zone for the correct starting time in your region)

Register today for this informative seminar!

An amended version of a closely watched data breach bill that was vetoed by California Gov. Arnold Schwarzenegger last October is once again headed to his desk for approval.

The bill — known as the Consumer Data Protection Act, or AB 1656 (download PDF) — basically would require retailers that accept payment card transactions to take specific precautions for protecting cardholder data and disclose more details about data breaches to consumers affected by them. But an earlier provision that would have required retailers to reimburse financial institutions for the costs involved in replacing credit and debit cards compromised in breaches has been dropped.

The amended bill was approved by the California State Assembly by a 74-1 margin on Saturday, after passing muster in the state Senate by a 34-3 margin last Wednesday.

The California Credit Union League (CCUL), a trade association that is a key sponsor of the bill, welcomed its passage by the legislature. In a statement, Bill Cheney, the CCUL’s president and CEO, expressed his hope that Schwarzenegger would “acknowledge the solid vote of approval” from California’s lawmakers and quickly sign the measure. Cheney added that AB 1656 would help strengthen consumer confidence in payment card security while enforcing increased transparency at retailers that are hit by breaches.

Melissa Ameluxen, a lobbyist for the Rancho Cucamonga-based CCUL, said in an interview today that the removal of the clause requiring retailers to foot the bill for card replacements should go a long way toward countering opposition to the bill. “The governor’s office gave us an indication that removing that part of the bill would help us move closer” to getting it signed into law, she said.

In addition to that change, two smaller modifications have been made to the original bill that Schwarzenegger vetoed. One allows retailers to retain certain kinds of data needed to process recurring payments. The other removes a previous requirement that retailers specify the exact date on which a breach was thought to have occurred. Instead, the bill now mandates that they provide only a range of dates during which a breach might have taken place, Ameluxen said.

Analysts and the retail community have been closely following the progress of the bill, which is one of the first of its kind in the country and would put some strict new requirements on businesses. For instance, AB 1656 would prohibit retailers and other organizations that handle payment card transactions from storing certain types of cardholder data even if the information is encrypted. Prohibited data types include the full contents of the magnetic stripes on the back of cards, as well as PINs and both card and payment verification codes.

Companies also would be required to set formal data retention and disposal policies for limiting the amount of cardholder data they retain and the length of time is stored. And all credit and debit card data transmitted over public networks would need to be encrypted or otherwise rendered indecipherable.

On the notification side, businesses that suffer breaches would have to inform card-issuing banks about the kind of data that was compromised and provide a toll-free phone number or some other type of contact for answering breach-related questions from consumers.

The security controls built into AB 1656 are similar to some of the requirements that retailers are mandated to implement under the Payment Card Industry Data Security Standard, which was developed by the major credit card companies and is informally referred to as PCI.

Source: Computer World

The bank informed customers in May that 4.5 million customer account details, including names, addresses, dates of birth and Social Security numbers, had been compromised after two sets of tape backups went missing from a third-party courier.

However, it has now increased that figure to 12.5 million, possibly making this the biggest data breach of the year.

“It is simply outrageous that this mountain of information was not better protected, and it is equally outrageous that we are hearing about a possible six million additional individuals and businesses six months later,” said the Connecticut governor Jodi Rell.

“We fear a substantial number Connecticut residents are among this latest group. Had the hundreds of thousands of Connecticut residents affected been notified immediately that their data had been compromised, they could have taken steps to protect themselves.”

She added that she was considering levying financial penalties over the breach and instructing it to make financial restitution to customers. Her consumer protection commissioner Jerry Farrell Jr is investigating the case.

“Nothing in the data we were given in May and June by BNY Mellon indicated in any way that these additional six million individuals and businesses were involved,” said Farrell.

“This certainly raises serious additional questions about how secure personal identifying data is at BNY Mellon and widens the scope of our investigation.”

Bank of New York Mellon is the world’s largest custodial bank and one of the 10 largest asset managers. It is notifying customers about the breach, but says there is no evidence that the data has been abused.

The bank has set up a web page to keep people informed and is offering two years of free credit monitoring, US$25,000 worth of identity theft insurance, reimbursement for the cost of one placement and one removal of a credit freeze for each of the three national credit reporting bureaus to customers affected.

NEWTON, MA – August 27, 2008 - Exercise extreme caution when it comes to dismissing employees with knowledge of your IT systems – that’s the stark warning from privileged identity management specialist company Cyber-Ark Software. Its annual survey around “Trust, Security & Passwords” focused on 300 IT security professionals and revealed that 88 percent of IT administrators, if laid off tomorrow, would take valuable and sensitive company information with them. The target information includes the CEO’s passwords, the customer database, R & D plans, financial reports, M & A plans, and most importantly the company’s list of privileged passwords. Only 12 percent revealed that they would plan to leave empty handed.

The privileged password list, in particular, provides the keys to unlock access to every piece of information that’s on the network. Of the 88 percent that said they would take valuable information with them, one third of devious IT administrators would take the privilege password list which would give them access to all the other sensitive and valuable documents and information such as financial reports, accounts, and HR records.

“Most company directors are blissfully unaware of the administrative or privileged passwords that their IT staff has access to which allows them to see everything that is going on within the company. These privileged identities, which lie on hundreds of servers and applications, very rarely get changed as it’s often considered too much hassle. When people leave the organization, they can often still access the network using these passwords to acquire highly sensitive data” says Udi Mokady – president and CEO of Cyber-Ark. “Our advice is to secure these privileged passwords and identities, and routinely change and manage them so that if an employee’s contract is terminated, whether voluntary or not, they can’t maliciously wreak havoc inside the network or vindictively steal data for competitive or financial gain.”

Intellectual property and industrial espionage is a real problem
Interestingly, one third of companies revealed that they believe industrial espionage and data leakage is rife, with data being leaked out of their companies and going to their competitors or criminals, usually via powerful high gigabyte mobile devices such as USB sticks, iPods, Blackberry’s and laptops – or sent over email. A quarter of companies also admitted to suffering from internal sabotage and/or cases of IT security fraud happening in their workplace – which shows just how prevalent IT security breaches are within most companies.

Sloppy habits when exchanging Privileged and Sensitive Information
The survey shows that IT security is a very genuine problem for most companies, and additionally, those responsible for securing the systems are often very sloppy when it comes to basic “good housekeeping”. According to the survey IT administrators who are often responsible for security, don’t exchange or send information securely with 35 percent choosing to send sensitive or highly confidential information via email. Furthermore, 35 percent of those surveyed use couriers to transport sensitive data – a system only marginally safe when the information is backed up and encrypted. Astonishingly, four percent of the sample size actually uses the postal system to send sensitive information!

A third of the most powerful passwords are still being put on post-it notes!
In spite of the billions that are currently spent on security systems to make them safe and secure, it is very hard to instil good working practices even amongst the very people who are responsible for setting IT security standards in their own companies. One third of IT administrators surveyed admit to having written down privileged passwords on a post-it note.

A third of IT staff snoop at confidential data
The survey also found that one third of IT staff admitted to snooping around the network, looking at highly confidential information, such as salary details, M & A plans, people’s personal emails, board meeting minutes and other personal information that they were not privy to. They did this by using their privileged rights and administrative passwords to access information that is confidential or sensitive.

“You can install the best security systems in the world, but if your staff does not respect the information they are entrusted with, then the information will most definitely go astray – just as the findings of this survey have illustrated,” added Mokady. “That’s why we recommend companies secure their privileged identities and sensitive information in a digital vault -only giving individuals access to the information they actually need, when they need it while also keeping a log of who has accessed what and when.”

For more information about this survey or to interview Cyber-Ark on their findings contact Kim Baker at 978-474-1900 or email cyber-ark@pancomm.com

About Cyber-Ark
Cyber-Ark® Software is a leading provider of Privileged Identity Management (PIM) solutions for securing privileged user accounts and highly-sensitive information across the enterprise. Long recognized as an industry innovator for its patented Vaulting Technology®, Cyber-Ark’s digital vault products include: The Enterprise Password Vault® for the secure management of administrative, application and privileged user passwords; the Inter-Business Vault®, a secure infrastructure for cross-enterprise data exchange of highly-sensitive information, and the Sensitive Document Vault™ for secure storage and management of highly-sensitive documents. Cyber-Ark’s Vaulting platform has been tested by ICSA Labs, an independent division of Cybertrust and the security industry’s central authority for research, intelligence, and certification testing of security products. Cyber-Ark’s award-winning technology is deployed by more than 400 global customers, including 100 of the world’s largest banks and financial institutions. Headquartered in Newton, MA, Cyber-Ark has offices and authorized partners in North America, Europe and Asia Pacific. For more information, visit www.cyber-ark.com

Note: This survey was conducted at Infosecurity 2008- Europe’s largest IT security event

Source: Cyber Ark

Ryan Laus, associate network manager at CMU, says his team looked at solutions on and off for several years. “It was not a very big issue until Blaster and Nachi were released [August 2003] and networks everywhere were scrambling to try and get a handle on network security. Prior to this event, the quarantining of systems on campus was a manual process.”

As his team observed the networks of larger universities being crippled with these viruses, they quickly assembled a team of students armed with over 1,600 CDs containing all the latest Windows patches, a site licensed anti-virus application and spyware removal tools. That fall term they documented over 850 viruses infected systems. And, Laus says, these were just the really bad ones. “One associate network manager did nothing but enable and disable ports for over three months, and that didn’t count all the time spent by the other network managers and security administrators,” he says.

The team knew that this had to change and that started with system registration followed up with some form of system remediation. “We came across Bradford Network’s solution the following spring and it was just what we had been looking for,” says Laus.

Campus Manager requires each device to register before being allowed access to the network. This identity management function — which includes user owner information for each device, the ability to map the device and user to a physical location, and a log of the user’s and the device’s connection activity — provides the information necessary in isolating unwanted activity and adhering to regulations and policies. The solution allowed Laus’s team to very quickly associate a problem system with a specific user. What used to take them a few hours to do, they could now do in a matter of seconds.

“With the limited resources we have, it has allowed us to do a lot more with less. Because Campus Manager talks to all our residence hall switches, this gives us the ability to apply policies to users no matter where they connect.” For example, if he has to disable an infected machine and the user tries to move ports, Campus Manager will recognize this and take action on the client regardless of what port the user plugs into.

Joe Roth, network administrator, Binghamton University, agrees that it was the major outbreak of worms and exploits that really brought network security and end-user compliance to the forefront. It was time to begin to ensure that the machines brought into the network were clean and up to date before allowing them access to the network, he says.

“The basic thought process was that if we could bring them into the start of the semester clean and prepared to deal with a virus or worm outbreak, then maybe it would minimize the impact. Another benefit of the process was that our users were also receiving a certain amount of education in the endpoint security department. Having a user know what anti-virus software and patches are is crucial, and us checking for the presence of these types of things on their PC lets them know that it is important. It helps them take the initiative to keep their PC clean and up to date.”

Roth says that the Bradford Networks solution simplifies the idea of NAC on campus by providing a single point of interface for any web-based device, along with support for all three major operating systems and all major anti-virus vendors. In addition, he says the system remains vendor agnostic, so his team has no concerns about future support for any network equipment that they may deploy.

Granularity is the key
Jerry Skurla, vice president of marketing, Bradford Networks, Concord, N.H., says Campus Manager provides the granularity that a campus environment needs. The family of appliances was originally developed in 2002 and is now in its third generation of software.

“We help schools create a small website into which its users login via a VLAN. There’s a remediation process which verifies machine configuration. A dissolvable agent then does a check. Some schools require a permanent agent, which allows ongoing checks.”

The product’s distributed software architecture provides flexibility, he says. Bradford  Networks’ clients on college campuses can range anywhere from 100 students to 35,000.

“Campus Manager’s out-of-band capabilities protect existing infrastructure,” Skurla says. It is critical, he adds, that the solution works with equipment already on the network.

“One of the biggest reasons we chose Bradford was the fact that unlike Perfigo [now Cisco Clean Access], Bradford’s product was not an inline appliance,” says Laus. “Once a user was registered, the product essentially stepped out of the way and let the switches switch and the routers route. While we haven’t needed to do this, it is also something that can easily be turned off if problems start to occur without serious disruption to the users. I believe Cisco does make an out-of-band solution, but I don’t think it is as robust as Campus Manager or able to support as many vendors.”

Laus has high praise for Campus Manager’s Client Security Agent (CSA). “It has really cut down on the number of infected machines, and ensures that all machines that plug into the network meet a certain criteria.”

Campus Manager is also an integral part of many of the homegrown solutions that CMU has created, allowing, for example, the university to pull data directly from the Campus Manager database and tie it together with other data sources, such as SAP and SMS. “We present this data in our helpdesk portal, which is used by help desk operators, department techs and even end-users,” he says.

It is also an essential piece of the university’s network bandwidth quota system. “Our NBQS has allowed us to regulate internet bandwidth without shaping and application blocking. The end result of all of this is that we can offer the students 100 Mbps connections to their systems, not continually block peer-to-peer traffic, not have to worry about viruses spreading, and we have not received a copyright infringement complaint in well over three years. Without a system like Campus Manager as a core component, it would be difficult to do this.”

Josh Fedor (right), IT security project manager at Hofstra University, Hempstead, Long Island, adds that the student experience is enhanced through the use of the product as it gives them anti-virus and anti-spyware capabilities.

For the 13,000 students and over 1,200 faculty members spread out over its campus, the process of hooking up to the network is simple, says Fedor. When logging on, they must authenticate using their university ID. They then download a thin client that dissolves when it’s done scanning the registry for anti-virus, anti-spyware, firewalls, etc. The software then switches configurations on the machines, such as turning on the firewall and turning on Windows Updates.

“Student machines are very unpredictable. They’re using various operating systems and different devices. Campus Manager allows us to get to those machines and keep them up to date and protected.”

Campus Manager greatly improves the university’s security posture, he says. “It’s simple and straightforward. Everyone’s happy. It gives us a layered defense and control over the network.”

Source: SCMAgazine US

2 Full Days of Technical Training

During this two day training course, you will learn how to install, configure, administer and support Websense Web Security Suite software. Through instruction, iLabs (instructor led demos and lab exercises) and hands-on lab practice exercises, you will gain familiarity with the requirements and recommendations of Websense product deployment, installation and configuration, Websense product and component functionality (remote filtering, delegated and remote administration) and troubleshooting via internal and 3rd party diagnostic processes.

Topics Covered:

Topic 1: Course Introduction: Websense Overview and Software Architecture

Topic 2: Installation and Deployment Part 1

Topic 3: Websense Server Configuration

Topic 4: User Identification: Authentication and User Names

Topic 5: Working with Policies

Topic 6: Troubleshooting Part 1

Topic 7: Websense Reporting Tools

Topic 8: Remote Filtering

Topic 9: Deployment Part 2

Topic 10: Installation Part 2

Topic 11: Advanced Administration

Topic 12: Troubleshooting Part 2

[Optional Modules]

Topic 1a: Terminology, Network Essentials and Websense Software Basics

Topic 13a: Integrations and Websense Technology Partners

Topic 13b: Websense Security Labs

Lecturer:

Arun Chaudhury, Technical and Presales Consultant of Websense Inc, S.E. Asia.

Security consultant for 7 years prior joining Websense. He’s now a Certified Websense Systems Engineer (CWSE) and Certified Websense Instructor (CWI).

Get to know more about Quantiq and Websense and how we can help you grow your business with Websense.

Learn about our solution offerings and why we are the market leader in both Web Content Security (#1 market share as ranked by IDC) and Information Loss Prevention (top the charts as indicated by Gartner and Forrester Wave).

Be a Websense Partner today and embark on our Partner Incentive Programs.

Sorry Registration is Closed.

For most companies, it’s no secret. Whatever e-mails or messages you send on your work computer can be reviewed and scrutinized by the company. But, a recent survey from security company Cyber-Ark says one out of three information technology officials say they abuse passwords to look into things they don’t need to.

This touched a nerve with some people in Salt Lake City. One woman said, “I wouldn’t think that was right.” One man said, “I just don’t like the idea of people snooping unless there’s a cause to do so.” Another said, “Personal information should be kept to ourselves, I would hope.”

Some of the information they admit to snooping: personal e-mails, board meeting minutes and colleagues’ salary.

A Salt Lake student said, “I don’t make enough money yet for that to bother me, but I could see, in the future, it would bother me.” Another man, who was very bothered, said, “I’ve been fired from a job because I found out, by mistake, that somebody made more than me.”

Bateman IP Law Group President Rand Bateman says most states don’t require companies to even tell employees that they can look through any information that’s put on a work computer. You may think this is common knowledge, but he says it’s not as common as you might think.

“Surprisingly, people are surprised,” he said.

But, that’s not to say IT managers should look at every bit of information in the company. For example, if an IT guy gets his hands on personal health data, the company could get in legal trouble.

Bateman said, “If an IT guy gets in and finds out and employee has AIDS or a sexually transmitted disease or some mental health issue and releases that, it could really spark some liability on the part of the employer.”

As for any IT managers reading this, you’ll probably want to avoid looking up your co-workers salaries. For some companies, that’s not exactly open information.

“Other companies, including some law firms, have what they call ‘dark box salaries.’ In fact, I have friends who works at a firm where you can get fired for revealing what your own salary is,” he said.

Bateman says several companies have had their customers’ credit information taken from someone working from within who had access to that kind of data.

Source: KSL

For most companies, it’s no secret. Whatever e-mails or messages you send on your work computer can be reviewed and scrutinized by the company. But, a recent survey from security company Cyber-Ark says one out of three information technology officials say they abuse passwords to look into things they don’t need to.

This touched a nerve with some people in Salt Lake City. One woman said, “I wouldn’t think that was right.” One man said, “I just don’t like the idea of people snooping unless there’s a cause to do so.” Another said, “Personal information should be kept to ourselves, I would hope.”

Some of the information they admit to snooping: personal e-mails, board meeting minutes and colleagues’ salary.

A Salt Lake student said, “I don’t make enough money yet for that to bother me, but I could see, in the future, it would bother me.” Another man, who was very bothered, said, “I’ve been fired from a job because I found out, by mistake, that somebody made more than me.”

Bateman IP Law Group President Rand Bateman says most states don’t require companies to even tell employees that they can look through any information that’s put on a work computer. You may think this is common knowledge, but he says it’s not as common as you might think.

“Surprisingly, people are surprised,” he said.

But, that’s not to say IT managers should look at every bit of information in the company. For example, if an IT guy gets his hands on personal health data, the company could get in legal trouble.

Bateman said, “If an IT guy gets in and finds out and employee has AIDS or a sexually transmitted disease or some mental health issue and releases that, it could really spark some liability on the part of the employer.”

As for any IT managers reading this, you’ll probably want to avoid looking up your co-workers salaries. For some companies, that’s not exactly open information.

“Other companies, including some law firms, have what they call ‘dark box salaries.’ In fact, I have friends who works at a firm where you can get fired for revealing what your own salary is,” he said.

Bateman says several companies have had their customers’ credit information taken from someone working from within who had access to that kind of data.

Source: KSL