CRYPTOCard - News

HSC weds technology to cross-town CryptoCard

Fri, 02 May 2008 12:00:00 -0500

National Capital Scan Magazine, May 02, 2008 - Digital security provider CryptoCard and Harris Computer Services, Ottawa-based companies both, enter into a partnership that will see CryptoCard’s two-factor authentication technology married to HSC’s security solutions. With plans to enter the managed security services market, HSC selected CryptoCard’s technology to complement its own offerings, including SonicWall, TZ and Pro. “We’ve found that many companies need a more strategic approach to their security policies no matter what size,” says Ernie Sherman, president of HSC. “Our partnership with CryptoCard not only expands our security portfolio to include two-factor authentication, but it allows us to help customers protect their current investments and enhance their strategic network technology needs in the future.” CryptoCard’s positive identification technology uses one-time passwords to help organizations secure their networks by eliminating weak, “static” passwords, which are commonly forgotten, mismanaged or easily cracked.

Northern Ireland health body chooses Two-Factor authentication

Thu, 01 May 2008 12:00:00 -0500

ITPro - Europe, May 01, 2008 - The Northern Ireland Department for Health, Social Services and Public Safety (DHSSPS) chooses Cryptocard to safeguard remote access and system administrators.

CRYPTOCard and Harris team up to beef up security

Tue, 29 Apr 2008 12:00:00 -0500

Ottawa Business Journal, April 29, 2008 -

Digital security technology maker CRYPTOCard has been chosen as the exclusive two-factor authentication vendor for Harris Computer Services.

CRYPTOCard said it has entered a partnership agreement with Harris that will see CRYPTOCard's two-factor authentication security technology bundled with Harris's complementary products, such as the SonicWall TZ. Both are Ottawa companies.

"At the centre of current customer trends we've seen a layered approach to network infrastructure, which is an industry best practice. However, no matter how much they've invested, several SMBs (small and medium businesses) still do not have a good password policy in place, which leaves every single layer of their network exposed," said Harris president Ernie Sherman in a statement. "Our partnership with CRYPTOCard not only expands our security portfolio to include two-factor authentication, but it allows us to help customers protect their current investments and enhance their strategic network technology needs in the future."

Usability critical for good mobile security

Mon, 28 Apr 2008 12:00:00 -0500

Richard Bray - CIO Government Review, April 28, 2008 - Usability is critical for good mobile security. The consequences of a data breach can be far-reaching and complex, but in almost every case the cause is simple. An employee, the 'average user', has either taken a shortcut around the security procedures or lost a device with critical data in a public place, or both.

Randy Sutton of Ottawa's Elytra Enterprises asks, "How many laptops got lost this week? How many have been stolen? We don't hear a lot about it in Canada, particularly in the government, because nobody wants to report it and there's no legislation forcing you to report." Sutton keeps a list he calls 'theft a day' and it's a rare day when he can't add another breach somewhere in the world that's made the news.

"People can spend all the money they like on perimeter security and all the big boxes and so forth," Sutton says. "What's left over is that somebody wanders off with a laptop or one of those little flash drives and loses it."

His company is the point of contact for federal government buyers of a 'made in Canada' solution called SecureDoc from Mississauga, Ont.'s WinMagic that encrypts data automatically and invisibly, no matter where it is - on desktops, laptops and PDAs, on all the portable media like USB drives and sticks, as well as on DVDs and CDs.

"The basic idea is that if you lose the thing, your data is encrypted and nobody can get at it. It's that simple."

Another Canadian IT security company, Ottawa's CRYPTOCard, focuses on simplicity by replacing fixed passwords with token-generated, one-time-only logins. When a simple user name and password login isn't good enough, says CRYPTOCard senior vice-president Bill LaHam, outfits want something better.

"If you're looking at something better, how do you put in something that people can use? That's the big thing." Administrators can make the passwords as long or as short as they want, but all the complexity is hidden from the user.

"All it is, you push a button. There you go. There's your pass code. As a user, I don't have to remember anything, I'm not going to be debating security policy with an administrator. An administrator is not going to come to me and say 'every 60 days you have to change your password and by the way, you're logging into six systems so you have six passwords.'"

Both WinMagic and CRYPTOCard have seized the idea that usability is critical. As Randy Sutton says, "It has to be simple enough for people to use without thinking, and I mean without thinking. Just the same way you would use your BlackBerry or pick up the phone to make a call. It has to be like that."

When users are forced to follow a rigid process, particularly one they do not understand, it's understandable that without constant reinforcement and supervision, they will begin to cut corners.

Faster processors mean that IT security programs no longer carry a big overhead in decreased performance, so users no longer complain about slower speeds. The main factor now is ease of use both for users and administrators. Sutton says the most important factor is centralized management. "You have to use a console and you've got to be able to control the users," he says.

Federal clients like the Department of Justice and Statistics Canada with highly mobile workforces are adopting the solution because they are driven by the need for remote access, LaHam explains. "Because as soon as you've put remote access capability up, anybody in the world can bang away at that door."

LaHam admits that managing physical tokens in large organizations can be demanding. Distribution, training and management of tokens all add cost and complexity to the CRYPTOCard solution, but the solution also simplifies life when people move or change jobs - instead of resetting a multitude of passwords for networks, devices and applications, administrators can make one entry to the database.

Add up the cost of help desk support for other solutions, and LaHam says the one-time cost of token distribution can look much more reasonable.

He thinks one of the key features of CRYPTOcard is the reduced workload for administrators. "That's the key. You take a look at the workflow side of it and you go 'Man, if I can reduce that to near nothing, that's a good thing.'" Is the potential for reduced cost of ownership reflected in RFP's?

"It should be. They should be looking at mechanisms that offload the work, distribute the work or minimize the work," he says. "In a lot of cases, the cost of putting something like this in will be offset in the first year just if you added up the cost of your help desk."

"It always comes down to what's good from a security standpoint - what can you assimilate and what will your users tolerate, and how much are you willing to pay? It's finding the right balance between the three," he says.

CRYPTOCard Speaks About Possible VPN Threat from Bank of Ireland's Stolen Laptops

Wed, 23 Apr 2008 12:00:00 -0500

Bank of Ireland loses four unencrypted laptops

Tom Espiner - ZDNet.co.uk , April 23, 2008 -

The Bank of Ireland has lost four laptops containing sensitive customer details of approximately 10,000 people.

The laptops were not encrypted, according to a Bank of Ireland spokesperson. Customer details lost include bank accounts, names, addresses and medical details. The laptops only had standard username and password logins by way of security, according to the spokesperson.

Customers affected are those who took out or obtained a quote for a life-insurance policy from Bank of Ireland Life from branches in Drogheda; Dunleer; Bagnelstown; Court Place, Carlow; Stephen's Green; Tallaght; and Montrose last year, according to a statement on the Bank of Ireland website.

The four laptops were all stolen between June and October last year. Three were stolen from the boots of cars, said the spokesperson. The Bank of Ireland is only now starting to inform customers by letter as to whether they may have been affected.

According to the spokesperson, the thefts were reported to the Garda at the time but not to senior management.

"The issue arose in February of this year as part of routine compliance monitoring. That was when the issue came to light, at which time, a full investigation began; we had to do a full investigation [before informing customers]. We will be writing to customers in the next number of days," said the spokesperson.

Jason Hart, European chief executive of encryption company CryptoCard, told ZDNet.co.uk that, as well as customer details being compromised, the laptops themselves could hypothetically have been used in an attack through virtual private network (VPN) clients.

"You have unencrypted laptops being lost and they all have VPN clients into the business — that's a bigger risk," said Hart. "You can crack usernames and passwords easily, and usernames and passwords are [usually] the same to access other systems."

The Bank of Ireland spokesperson said there had been no unauthorised attempts to log into the bank's systems, and added that the bank had seen "no evidence of fraudulent activity" on any of the affected customers' accounts.

The spokesperson declined to comment as to whether the bank had changed its VPN clients as a result of the laptop losses but said that it was in the process of implementing encryption on all of its laptops, and that the encryption process would be completed "by the end of the week".

Ireland's data-protection commissioner, Billy Hawkes, has been informed, as well as other regulators, added the spokesperson.

Cryptocard aids mid-market assault

Mon, 14 Apr 2008 12:00:00 -0500

CRN Channel web

Bristol, UK, April 14, 2008 -

Two-factor authentication vendor Cryptocard has claimed its revamped managed service offering will unlock new opportunities for resellers to attack the mid-market.

The vendor has added an SMS token to its CRYPT-MAS managed authentication offering, allowing users to have their unique one-time-passwords delivered to their mobiles.

Neil Hollister, chief executive of Cryptocard, said: “This will treble the addressable market for our channel partners because there are a limited number of mid-market firms that are prepared to manage a consumer hardware estate.

“The SMS token allied with our managed service means all the firm has to do is set up a direct debit and we will do everything else.”

Gary Marsden, business development director at Cryptocard, said the vendor is aiming to sign up a handful of ISPs and MSSPs in the coming months.

“We are looking at more channels that want to go towards an annuity model and do not want to take the hit upfront anymore,” he said.

Constant vigilance keeps Stroud & Swindon secure

Mon, 14 Apr 2008 12:00:00 -0500

computerweekly.com

UK, April 14, 2008 -

Information security is part of life now for financial services organisations and you have to take it seriously. If the business is linked to any loss of sensitive data, it causes serious reputational damage and you can't afford for that to happen, especially in such a highly regulated industry," says Colin Campbell, IT services manager at

As a result the company, which employs about 430 staff, has both a security committee made up of senior management that develops strategy and takes responsibility for the issue, and a risk and compliance team that is independent of IT, but works alongside it in an advisory capacity.

Campbell's challenge is that Stroud & Swindon has to prove annually to the regulator, the Financial Services Authority (FSA, that it has reasonable security measures in place. It's a continuous process and Campbell is constantly reviewing the building society's security controls and policies, which are working documents. "We have a major review annually, but ad hoc changes also take place when they have to and people are advised thereafter," Campbell says;

The upshot of one such wide-ranging review last year was the recall of 90 per cent of the organisation's laptops. Due to the "massive publicity" around stolen laptops and data leakage, it was felt that the risks around mobile computing had to be explored in some depth.

Therefore, the risk and compliance team in conjunction with IT security staff spent several months identifying which personnel, including senior management, were using corporate laptops, before establishing whether the machines were fit-for-purpose in security terms.

Users were then asked to justify why they required their PCs. This resulted in the majority of the laptops being recycled and disposed of, with most of the remaining 60 staying in the hands of the mobile mortgage sales force.

In order to ensure that security risks were further minimised, however, Campbell decided that personnel should only be allowed to view corporate data rather than download it. Therefore, after being stripped of everything apart from the basic operating system, the machines are now effectively thin clients, in order to ensure that they contain no useful or historical information in the event of them being stolen, Campbell says.

Access to the corporate network for both the sales staff and people working from home, meanwhile, is also controlled using SSL-based virtual private networks and a managed authentication service provided by CryptoCard.

This means that when remote workers try to access the corporate network, they input both their user name and pin before using an assigned hardware token to generate a one-time password, which is likewise entered into the system.

"This allows us to allow them to use any PC with a broadband connection but in a very restricted and controlled way. So if people have an ad hoc requirement to access workplace systems, they can do it from anywhere but there are controls and governance around it," explains Campbell.

He liked the idea of using a managed service for a non-sensitive activity of this type, however, because it is was more cost-effective than employing an expensive security specialist in-house.

"We tend to outsource those elements of infrastructure services that requires specialist knowledge. This isn't the kind of thing you'd have to do day-in-day-out so any skills tend to be lost and the cost of employing key specialists in-house doesn't make sense any more," Campbell says.

One of the most important principles of security, however, he believes, is end user education. This means ensuring that personnel have an understanding of what they can and cannot do and what their corporate responsibilities are in terms of accessing and using data. This is crucial, says Campbell, because people are always the weakest link in the security chain.

"You can make a system as secure as you want, but if people take it offsite and misuse the data, then all the controls in the world won't work," Campbell says.

As a result, although the building society has formal security policies in place, Campbell says this is also simplified into a user guide to make it easier to comprehend. "By their very nature, [security policies are] not easy reading."

A recap of this user guide is undertaken once or twice a year to clarify any changes, but every member of staff is also contractually obliged to sit 10 tests of varying levels (depending on their role) each year to ensure that they understand current legalities.

The tests, which include an information security module, are devised and administered by the risk and compliance team. Campbell says these are used to demonstrate to the FSA that people's knowledge is being refreshed and kept up-to-date in order to meet statutory requirements.

While such demands may seem onerous to some, there have been spin-off benefits. "It's now a part of working life, but it does give IT people a good insight into the business and what their colleagues are doing. So it's made us more aware and gives us a more rounded view, which is the idea behind it all anyway," Campbell concludes.

http://www.computerweekly.com/Articles/2008/04/08/230183/constant-vigilanc...

Jason Hart speaks out on Computer Reseller News UK – the opportunities for resellers to drive two-factor authentication to the SMB market

Fri, 04 Apr 2008 12:00:00 -0500

CRN Channel Web

Ottawa, Ontario, April 04, 2008 -

Take two factors into consideration when selling

As a target market, they do not come more attractive than the extensive SME (Small to Medium Enterprise) community. Accounting for over 99 per cent of all UK organisations, and over 51 per cent of the UK’s estimated business turnover, as a collective the humble SME presents a goldmine of opportunity for resellers that is still going untapped.

To take advantage of this burgeoning SME market opportunity, the profitability and longevity of your business is dependent on getting as large a share as possible of each customer’s IT budget. In order to do this you need to identify and act on every cross-selling or up-selling opportunity. If a prospective customer is in the market for remote access solutions, which is increasingly the case with SMEs as they seek to maximise staff productivity and company resources, it stands to reason that they will need to control and secure this access too. With IT security it is notoriously difficult to make a case based on return on investment, instead you will need to approach it from a different angle, that of prevention being better than cure. And the SSL/VPN that you are likely to supply is not the be all and end all – it too has security flaws which present a great up-sell for you.

To read the full story click on the link below.

CRYPTOCard Adds SMS Token To Innovative 2FA Managed Authentication Service

Fri, 04 Apr 2008 12:00:00 -0500

NewsBlaze, Daily News

Ottawa, Ontario, April 04, 2008 -

CRYPTOCard Adds SMS Token To Innovative 2FA Managed Authentication Service

Stroud & Swindon Building Society Among First to Implement New SMS Functionality Within Existing CRYPTO-MAS Strategic Investment

CRYPTOCard, a leading developer of two-factor authentication (2FA) technology for multi-vendor environments, has today launched in the UK its new SMS Token as part of the CRYPTO-MAS Managed Authentication Service portfolio. The SMS token offers the flexibility of CRYPTOCard's existing two-factor authentication tokens - which are widely regarded as the most secure available - and additionally addresses the need for greater portability, affordability and simplicity, particularly among an enterprise's distributed workforce. Delivered as part of the CRYPTO-MAS Managed Authentication Service, it answers the market requirement for zero up-front investment and maximum ease of use.

Colin Campbell, IT Services Manager at Stroud and Swindon Building Society, is already using CRYPTO-MAS to underpin the organisation's 2FA strategy and sees the new SMS functionality presenting exciting possibilities, "We have been using the CRYPTOCard Managed Service for the past 12 months. Our users have total confidence in the system and find it easier than having to decide on, and regularly change, the traditional static password system we were using previously. We have just started using the new SMS token which answers our users' demands for a more portable and easier to use token offering, and promises tremendous additional operational efficiency advantages while maintaining all of the protection we've come to expect."

To read the full story click on the link below...

Pegasus Technologies adds resellers to partner program

Wed, 05 Mar 2008 12:00:00 -0500

eChannel Line: Daily Channel News
By: Vanessa Ho

Ottawa, Ontario, March 05, 2008 -

Pegasus Technologies adds resellers to partner program

Pegasus Technologies is a security solutions provider but in recent years has extended itself to the security services side and developed a partner program to help support it.

The partner program was developed to support and sell products from CRYPTOCard, a leading provider of two-factor authentication technology, and in particular its CRYPTOCard Managed Authentication Service (CRYPTO-MAS) solution.

The Pegasus Technologies Channel Program has been around for seven months and has six resellers, including the recently announced signing of Cool Cat Inc., a managed authentication service company that will provide CRYPTO-MAS to customers in the U.S., Canada, Virgin Islands, Brazil and Europe.

To read the full story click on the link below.