Federal Civilian Agencies’ Next Security Vulnerability

by Tara Condon 24. August 2015 09:19

By Tara Condon & Henry Gold

Recent data breaches at the Internal Revenue Service (IRS) and the Office of Personnel Management re-focused the technology community on security challenges facing U.S. government and federal civilian agencies. Many of these groups provide critical services that impact the everyday lives of Americans, including the Social Security Administration, Food Safety and Inspection Service, and the U.S. Postal Service. As such, a security incident’s impact would be pervasive.

One of the reasons why the security landscape is cumbersome to manage is the increasing number of network-connected devices. Today’s peripherals are now smart devices. All of these access points offer new avenues to access sensitive information. Specifically, printers and copiers offer a new point of vulnerability.

Security Risks of MFDs: 

Standalone printers and, later, combination printer/copiers, were largely output devices. A command was entered; the function was executed. The main security risk - leaving sensitive items on the printer tray – was mitigated by physical security. Many users were issued individual printers that were kept in locked offices. 

Document scanning changed the game. Multi-Function Devices (MFDs) were born.  What was once a peripheral was now an intelligent system with document memory and consistent access to the network. Also, with this additional functionality came a (justifiably) higher price tag. This meant that printer / copier / scanners became shared resources, typically kept in public areas, where personnel and visitors have unfettered access. 

Enabling PIV Card Authentication:

In recognition of the vulnerability of these access points, government regulations now require PIV card authentication (sometimes referred to as CAC – Common Access Card – access) on all network connected devices. Today, federal civilian agencies are struggling with how to meet this requirement. 

A number of major printer manufacturers now offer built-in PIV authentication on new devices. There is also a printer agnostic solution offered by API Technologies, called the Netgard®, that may be used on both new and existing MFDs and printers, including wide format printers.

Photo of Netgard® MFD courtesy of API Technologies

 

Regardless of which solution you choose for PIV authentication, here are two key features you should be aware of that enable you to comply with government security best practices:

  • Scan to Home: What this means is that the person doing the scanning may only place the document in a designated folder on the network. The person may then retrieve that document from the designated network location and use it for his/her intended purpose.  This feature ensures no confidential or sensitive materials can be sent in an uncontrolled fashion – for example: sending a scanned document to a personal email address via the printer.

  • Secure Print Release: MFDs are often stationed in easily accessible parts of the office. This means that sensitive printed material may sit out in the open for some time before an employee has the opportunity to retrieve it. When the Secure Print Release feature is enabled, the employee would walk to the printer and scan her PIV card. Then documents would be printed (“released”) when she is standing there to retrieve them. This security measure also has the added benefit of saving paper and toner, which saves operating cost. 

Protecting the information assets of federal civilian agencies is of vital importance. Securing access to network entry points is key to thwarting security threats. When reviewing their security best practices, federal civilian agencies are encouraged to remember that peripherals – such as MFDs – present vulnerability. PIV and/or CAC card enablement is necessary to secure these network entry points. The good news is that there are a number of government compliant, commercially available solutions to meet the need. 

 

About the Authors:

Tara Flynn Condon (@api_taracondon) is a published writer and Vice President of API Technologies Corp.

Henry Gold is a security expert and frequent panelist on security-related issues. He is General Manager of SSIA North America for API Technologies Corp.

Tags: , ,

Secure Systems & Information Assurance

Fall 2014 New Product Roundup

by Tara Condon 1. December 2014 08:00

Our product teams have been hard at work this fall. In case you missed it, here is a summary of new API Technologies products announced over the past few weeks:

Already known as leaders in EMI filtering and protection products, we have extended our product line to address Electromagnetic Pulse (EMP) threats. Our new line of Transient Energy Suppressant High Voltage HEMP Filters protects electronic equipment from potentially destructive energy transients due to surges, lightning, and electronic pulses (Press Release). 

We also announced the recent expansion of our Filtered Circular Connectors product line to Europe. Made in the UK, this line of filtered, MIL spec EMI connectors is an ideal choice for military, commercial aviation, and industrial applications.

Other products announced by our EIS product team include the new Semi-Rigid Coaxial Cables that offer excellent VSWR of less than 1.5:1 with frequencies ranging from 5 GHz to 50 GHz.


Along with a broad breadth of power management solutions – including the DC Solid State Power Controller - our Power team also offers innovative solutions products for military and homeland security. Our recently introduced Night Vision Test Set tests the quality of function of standard Gen II and Gen III night vision devices, including goggles, weapon sights, and drivers’ viewers. (Product Information)

Throughout this year, we have expanded our RF/Microwave and Microelectronics product line to include even more standard and customizable products, including synthesizers and amplifiers. As a complement, this fall we introduced a new, interactive RF / Microwave Online Design Tool. Called “The Configurator” for short, this web and mobile accessible tool lets engineers easily modify standard products to meet their unique design requirements. 

Radiation Hardened Voltage Regulators also joined our expanding line of rad hard power management products for space and satellites. The APPREG2 line of voltage regulators features a specialized enable function, which conserves power by allowing users to selectively power up / power down certain sections of their system electronics.

Just last week we announced the SST Secure Venue Tablet, a mobile computing solution for top secret data protection. Designed by our SST™ Product Team in collaboration with Dell and ViaSat and partners Microsoft and Intel, the product offers a discreet and powerful computing option for NATO countries. (A write-up in Computer Business Review sums it up quite nicely. You can also read the press release for more details.)

Also, our EMCON® Product Team recently rolled out the EMCON TEMPEST Level 1 Lexmark CX510, a multi-function printer (MFP) / multi-function device (MFD) solution for sensitive data environments. 

To explore these solutions or connect with a member of our design/engineering team, visit http://www.apitech.com

Tags: ,

API Technologies News

Can Certain Third Party Data Hacks be Prevented?

by Tara Condon 14. October 2014 13:03

By: Tara Condon & Henry Gold

 

Last fall, John Gainor, President and Chief Executive Officer of DQ, posted a memo for Dairy Queen and Orange Julius customers regarding a recent data hack. At its centerpiece, was the revelation that a third party vendor compromised account credentials and gained access to customer data.  DQ should be applauded for its thorough investigation following the attack and its forthright communication to customers regarding the same. However, the question remains for CISOs everywhere: Can this type of hack be prevented?

 

Third parties regularly access networks for legitimate reasons.

Companies regularly allow third party access to internal systems. Common reasons for enabling this access include systems administration and programming. Increasingly more common is the granting access of to information technology and communication service providers who troubleshoot, fix, and maintain computers, web sites, networking resources, and voice systems. Often, these third parties require administrator-level access to complete their work. Many times, access to these systems are not secured or well implemented using simple password authentication which is easily breached.

 


But, companies often have little control over third party activity on the network.

Companies typically control the front-end of vendor access with passwords or more robust security measures, such as software tokens or PKI based authentication (two-factor). However, once the third party is on the network, they typically have unmonitored, and often unfettered access, to a variety of systems. Here is where the risk of data theft or system breach is significantly increased. Even if the company ends its relationship with a third party, this risk is often undiminished as backdoors can be opened to a variety of network resources.

 

Companies spend a good deal of time and money to vet and hire employees. One hopes their third party vendors do the same, but that is not always the case. Companies may never meet or even see the wide network of third party employees who regularly work on their system. As such, gauging risk becomes nearly impossible.

 

A system that offers control and visibility is good for companies and third parties.

The ideal system provides controlled third party access along with visibility and monitoring. The good news is that these systems are available today. A company should be able to define and control who is on the network, what they may access, and what they are permitted to do. The system would then provide visibility into activities on the network and alert company representatives in the case of suspicious activity.

 

One would think that third parties bristle about added controls. However, many third parties have wholeheartedly embraced the concept. Having a third party access system in place makes their jobs easier: These third parties can focus on service delivery instead of concerning themselves with network access. Furthermore, the added visibility lets third parties demonstrate – in real time – the value they provide.

 

For more information on this and other security-related topics, follow our Secure Systems & Information Assurance (SSIA) team on LinkedIn.

 

About the Authors:

Tara Flynn Condon (@api_taracondon) is a published writer and Vice President of API Technologies Corp.

Henry Gold is an expert and frequent speaker on security topics and General Manager of SSIA North America for API Technologies Corp. 

Tags: , ,

Secure Systems & Information Assurance

Retaining “Dominance in Electromagnetic Spectrum”

by Tara Condon 15. September 2014 16:09

I recently read Sydney J. Freedberg’s great piece in Breaking Defense discussing Alan Shaffer’s comments about loss of “dominance in electromagnetic spectrum.” There has also been much discussion about it in the Association of Old Crows (AOC) community, which will host its 2014 symposium and conference in D.C. early next month.

Chief among Mr. Shaffer’s concerns is a perceived loss of technical superiority. His concerns are well founded. Communication is omnipresent. Our reliance on communication technology – both within the defense and civilian spheres – continues to increase. Enemies, and even allies, are potentially outpacing us with more sophisticated, far less expensive solutions. The introduction of these disruptive technologies is a constant threat.

Mr. Shaffer advocates for the development of new and cost-effective technologies to combat enemy threats. Given the necessity of these solutions for protection and competitive advantage, it is difficult not to agree with his assessment. 

 

Providers of electromagnetic spectrum solutions work in a complex and ever-changing environment. Urban warfare has changed the EW (electronic warfare) landscape. Tighter system integration has added complexity. The increased role of electromagnetic spectrum solutions for cyber security protection and intelligence gathering has added a new dimension, as has the increased push for affordability. Furthermore, all of these technologies must work reliably and harmoniously within a crowded spectrum, with efficient use of power, in a compact space, in some of the world’s harshest environments. This is certainly a challenge. But, Americans do love a challenge

API Technologies has a unique perspective on electromagnetic spectrum solutions, given our footprint across RF/microwave, EMI, and security technologies, as well as our geographic presence across a number of allied countries. We are on the front lines of Electromagnetic Spectrum Operations (EMSO) solution development. I am pleased to say that even despite a difficult budget environment, innovation continues.

While progress is being made every day, our work is not done. What Mr. Shaffer’s comments certainly brought to light is the pressing need for greater focus on this increasingly critical piece of our defense strategy. It is my hope that others within the defense and government community have taken note. 

Tara Flynn Condon (@api_taracondon) is a published writer and Vice President of API Technologies Corp.

Tags:

My MTT-S 2014 International Microwave Symposium (IMS) Highlights

by Tara Condon 26. May 2014 13:19

Now that IMS 2014 is only a few days away, the team is rushing to put the finishing touches on an event that has been months in the making.  As a leader in RF/microwave and microelectronics technology, IMS and October’s European Microwave Week are major events for us – our Super Bowls, if you will. It is at these events, and in the time in between, that we will launch many of our new products.

My first experience as both attendee and exhibitor was IMS 2012 in Montreal, ON. For API Technologies, it was a banner year, as it marked the first time all of our RF/microwave product lines would be shown together, in a single location. Historically speaking, customers had known us for our respected, legacy brands including Spectrum Microwave, CMT Filters, and C-MAC Aerospace (formerly Cobham MAL). It was at this event we first got to show the full breadth of API Technologies’ products to customers, journalists, and our industry peers. 

Today things are a bit different, but no less exciting. Since that time, the API Technologies product line has evolved and expanded to include system-level ready solutions, subsystems, and advanced modules, including our Active Antenna Array Unit (AAAU) for AESA radar, GaN based power amplifiers, and Integrated Microwave Assemblies (IMA), high temperature electronics,  and optical data bus products. We have also added new applications and expanded the use of our technology in commercial aviation, commercial wireless, satellites, and industrial products, which introduced a whole new group of customers to our company and our capabilities.

All of this brings me to this year’s event. So, what am I looking forward to at IMS 2014 in Tampa? Here’s my personal highlight reel:

  • Technology Exchanges:  I won’t give you any spoilers, but… we will be rolling out several new products at IMS. (For the latest, I recommend Following API Technologies on LinkedIn or Twitter.) Our engineers have done outstanding work and I love watching these team members engage with the design engineers who visit our booth. Ultimately our products are being used to drive the success of their projects, so it is great to see these technology exchanges taking place in real time. 
  • Meeting with Our Reps and Distributors: IMS offers us the opportunity to engage with our (outstanding!) sales representatives and distributors and train them on our new products. They are a dynamic group of professionals and look forward to hearing their feedback.
  • Interesting Events: We will have a front row seat to the inaugural episode of Wireless Design & Development’s “WDD Live”, which will be filmed in the API Technologies booth. (The topic? Connected cars!). Also, we will be defending our title at the Best of RF & Microwave awards. Last year API Technologies took home the award for Best Custom Solutions.
  • Social Interaction: Activity at IMS isn’t limited to the great technical sessions or trade show floor; a lot of the interaction takes place on Twitter. @apitechnologies has been a very engaged participant in years’ past and I expect this year will be no different. 

There is much more to say, but there is still so much more to do. I will leave you with this:

See you at IMS 2014!

Tags: , ,

RF/Microwave & Microelectronics | Trade Shows

In Celebration of 1000 API Tweets!

by Tara Condon 1. November 2013 10:15

It began with a tiny chirp.
 
Or, more accurately: Tweet.
 
API Technologies entered the social universe on February 10, 2010 when the company launched its first Tweet. One day this week: We’ll be making our 1,000th.
 
Much has changed since that day. The company has grown into a leading provider of high-reliability products for commercial, industrial, and defense customers worldwide. And, our social reach has evolved and expanded along with it, including an active presence on LinkedIn, Facebook, Google+, YouTube, and this very blog.
 
The nature of the things we make and do demand that API Technologies be a force behind the scenes. While our highly engineered solutions keep planes in the air, soldiers protected, critical systems running, medical devices functioning, satellites transmitting, and people connected, we’re rarely the star of the show. We prefer our customers take center stage.
 
However, our social presence gives us the opportunity to step out of the engineering lab and on to your mobile phones and laptops. It is great to share some of the exciting stuff we’re working on and learn more about you in the process.

Thank you for the conversations. Thank you for inviting API Technologies to be part of your every day.
 
@api_taracondon (Tara Flynn Condon)
&
@api_jaymie (Jaymie Murray, also Lead Writer for @apitechnologies)
@melfisher_api (Mel Fisher)

Tags: ,

API Technologies News

Month List

Tag cloud