Blog – MFT Nation

Reporting: Valuable MFT Processes Which Are Commonly Overlooked

Most data security professionals would say the most critical aspects of a managed file transfer (MFT) solution are reliability and uptime, high levels of security, and data flows that are speedy and efficient. However, I believe that reporting functionality, i.e., giving visibility into data flows, files, and other aspects of the system, is of equal importance. In this blog, we will take a brief look at this under-valued functionality using bTrade’s TDXchange as a representative MFT example.

TDXchange contains a thorough and extensive set of reporting tools which cover virtually every aspect of the application. These capabilities extend beyond what other MFT solutions offer, which typically provide only basic reports, if any at all. The various types of reports we provide are all conveniently located within the dashboard menu item and broken out into seven sub-menu items.

Additionally, these reports are not limited to a visual representation within the graphical interface of the application. Many reports may be exported to comma-separated files, Microsoft Excel, as well as Adobe PDF formats. The data may be exported and viewed in text format or as graphical representations such as pie charts and/or bar graphs. This makes it much easier to get the data where you want it, and how you want it, in as few steps as possible. Below is a brief outline of each report.

Messages – This dashboard displays metrics on the number of successful, failed, pending and total messages. These metrics are further summarized both by protocol (e.g. AS2, SFTP, SSH, etc.) and the specific adapter (e.g. Directory Monitor, AS2 Server 1, SFTP Server 3, etc.). The report is generated for the timeframe specified.

Transactions – This dashboard displays a graphical representation (bar graph or pie chart) of the messages count for the given timeframe. The graphical representation may be separated by days, weeks, months, or years.

Participants – This dashboard displays metrics on the number of inbound and outbound messages for each participant in a given timeframe. These are further broken down by status (successful, failed, or pending), by direction (inbound, outbound, and total count), and by the protocol used for each.

Mailboxes – This dashboard displays metrics on the number of mailbox messages received or sent for each participant and their mailbox(es). It is further summarized by the Participant Name, Mailbox Name, In/Out, Pending, Total Size, Last Logged In, and Status.

Certificates – This dashboard displays certificates which will be expiring within a given timeframe. It is further summarized by the Participant, Certificate Name, Type, Created Date, Expiration Date, Serial Number, Issuer, and Details.

Services – This dashboard displays the status of all services (e.g. FTP, SFTP, AS2, etc.) that have been created. Each service may also be started or stopped directly from this dashboard. You can see the number of connected users for each service and may view the detailed logs for each as well.

Connections – This dashboard displays the details on the number of connections to other systems.
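As an added example (not TDXchange code and not from bTrade), here is how a certificate-expiry report like the one in the Certificates dashboard can be produced from real X.509 data with Go’s standard library. The report carries the same fields the dashboard lists (certificate name, created and expiration dates, serial number, issuer); the three partner certificates are self-signed test certificates constructed inside the program, and the fixed clock and 30-day window are assumed values:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"sort"
	"time"
)

// ExpiryRow is one line of the report: the same fields the dashboard columns carry.
type ExpiryRow struct {
	Subject, Issuer, Serial string
	Created, Expires        time.Time
	DaysLeft                int    // negative once the certificate has expired
	Status                  string // "expired" or "expiring"
}

// ExpiringWithin returns every certificate whose NotAfter falls at or before
// now+window, already-expired ones included, ordered soonest-to-expire first.
func ExpiringWithin(certs []*x509.Certificate, now time.Time, window time.Duration) []ExpiryRow {
	cutoff := now.Add(window)
	var rows []ExpiryRow
	for _, c := range certs {
		if c.NotAfter.After(cutoff) {
			continue // still valid beyond the window; not part of this report
		}
		status := "expiring"
		if !c.NotAfter.After(now) {
			status = "expired"
		}
		rows = append(rows, ExpiryRow{
			Subject:  c.Subject.CommonName,
			Issuer:   c.Issuer.CommonName,
			Serial:   c.SerialNumber.String(),
			Created:  c.NotBefore,
			Expires:  c.NotAfter,
			DaysLeft: int(c.NotAfter.Sub(now).Hours() / 24),
			Status:   status,
		})
	}
	sort.Slice(rows, func(i, j int) bool { return rows[i].Expires.Before(rows[j].Expires) })
	return rows
}

// selfSigned mints a throwaway self-signed certificate so the example runs offline.
// These are constructed test certificates, not partner or production credentials.
func selfSigned(cn string, serial int64, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// SampleCerts builds three partner certificates around a fixed "now": one expired
// three days ago, one expiring in ten days, and one good for another year.
func SampleCerts(now time.Time) ([]*x509.Certificate, error) {
	specs := []struct {
		cn      string
		serial  int64
		expires time.Time
	}{
		{"partner-a.example (constructed)", 1001, now.AddDate(0, 0, -3)},
		{"partner-b.example (constructed)", 1002, now.AddDate(0, 0, 10)},
		{"partner-c.example (constructed)", 1003, now.AddDate(1, 0, 0)},
	}
	var certs []*x509.Certificate
	for _, s := range specs {
		c, err := selfSigned(s.cn, s.serial, now.AddDate(-1, 0, 0), s.expires)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	return certs, nil
}

func main() {
	now := time.Date(2016, 3, 1, 0, 0, 0, 0, time.UTC) // fixed clock for a reproducible report
	certs, err := SampleCerts(now)
	if err != nil {
		panic(err)
	}
	fmt.Println("Certificates expiring within 30 days:")
	for _, r := range ExpiringWithin(certs, now, 30*24*time.Hour) {
		fmt.Printf("%-8s %4d days  serial=%s  expires=%s  %s (issuer: %s)\n",
			r.Status, r.DaysLeft, r.Serial, r.Expires.Format("2006-01-02"), r.Subject, r.Issuer)
	}
}
```

Already-expired certificates are deliberately kept in the report rather than filtered out: an expired partner certificate is the case that breaks transfers, so it belongs at the top of the list, not out of sight. In a real deployment the certificates would be loaded from the trading-partner store instead of being generated.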

If you would like to see screenshots of various types of reports described above which are outlined in the TDXchange User Guide, or would like to see a live demo of this functionality, please contact us any time.

When is Encryption Not Encryption? When it’s Not.

MFT Nation has written previously about whether the Health Insurance Portability and Accountability Act (“HIPAA”) requires the use of encryption. In that post, we noted that HIPAA requires use of data security measures, including encryption, whenever it’s “reasonable and appropriate” to do so, and suggested that very few situations exist where it would not be reasonable and appropriate to use encryption as a data security measure. The subject of this post is an FTC case in which regulators flesh out further details about reasonable and appropriate data security measures, including what level of encryption will suffice to pass muster with the FTC and under HIPAA.

FTC vs. Henry Schein Practice Solutions, Inc.

The FTC initiated a proceeding against a company that develops and sells dental practice management software alleging that the company made knowingly false statements that its software provides industry-standard encryption that meets the security requirements of HIPAA. The FTC offered the following compelling evidence showing that the company knew it was making false statements about the level of encryption in its software:

  • In 2010, the vendor who helped develop the software advised that it used a proprietary algorithm that had not been tested publicly and was less secure and more vulnerable than widely-used, industry-standard encryption algorithms, such as Advanced Encryption Standard (“AES”) encryption.
  • In addition, the company knew that regulators have recommended that healthcare providers follow guidance from the National Institute of Standards and Technology (“NIST”) to help them meet their regulatory obligations, and NIST guidance recommends AES encryption.
  • On June 10, 2013, the United States Computer Emergency Readiness Team (“US-CERT”) issued a Vulnerability Note describing the form of data protection used in the company’s software as a “weak obfuscation algorithm.”
  • On June 16, 2013, NIST published a corresponding vulnerability alert stating that the vendor had agreed to re-brand the data protection as “Data Camouflage” so it would not be confused with standard encryption algorithms, such as AES encryption.
  • Despite receiving notice of the US-CERT Vulnerability Note and the vendor’s decision to re-brand in June 2013, the company continued to disseminate marketing materials stating that its software “encrypts” patient data and offers “encryption.”

Lessons Learned

To secure data, whether you are storing it or transmitting it internally/externally, follow NIST’s guidance and ensure that you have the capability to encrypt the data using the Advanced Encryption Standard.

Although the FTC has targeted only a handful of data security cases involving an entity that is subject to HIPAA, the FTC appears to be applying tougher standards than HIPAA’s requirements (e.g., requiring a more specific type of encryption than what HHS historically has interpreted HIPAA as requiring).

For the first time ever in a data security case, the consent order includes a financial payment of $250,000, and the FTC settlement does not preclude a HIPAA action by HHS or by one or more of the states. So perform periodic risk assessments of your data security infrastructure to ensure that there are no security/compliance holes.

If you want to learn more about HIPAA compliance, or need a solution that has NIST-recommended AES encryption, please contact us at If you want to keep updated on developments in the world of secure file transfer and data security, follow us on Twitter, Facebook, LinkedIn, Google+, and our blog MFT Nation.

bTrade Case Study

FTC vs. Wyndham Epilogue: Settling for Less

MFT Nation promised to provide updates on developments in the FTC v. Wyndham Worldwide Corp. data security case.  True to our word, we want to let you know the case has settled.  You may recall that MFT Nation described the FTC’s complaint as a “case study for what not-to-do in the rapidly changing world of data security,” because Wyndham allegedly did not make use of “reasonable” data security measures such as encryption and firewalls.

We decided to follow the case hoping that the parties’ divergent positions would produce a litigation process conducive to further defining what constitutes “reasonable” data security standards.  For example, the FTC’s complaint details a lengthy list of alleged “security insufficiencies” that allowed hackers to gain access to internal networks multiple times over an 18-month period, yet Wyndham stated publicly that it chose to fight the lawsuit because of its “strong belief” that it had deployed reasonable data security measures.  Whereas the FTC alleged Wyndham’s lax data security practices allowed hackers to effect $10.6 million in fraudulent credit card transactions, Wyndham still maintains that it “has not received any indication that any hotel customers experienced financial loss as a result of these attacks.”

Given the settlement, we will not have the benefit of the litigation process to determine where the truth lies.  Wyndham issued a statement saying the settlement “sets a standard for what the government considers reasonable data security of payment card information.”  I wouldn’t go that far, but let’s take a look at the settlement terms to see if they provide any guidance relating to data security practices.

Under the settlement, Wyndham is required to implement a “comprehensive information security program” and thereafter “maintain” it for a period of 20 years.  The settlement document lists the required “administrative, technical, and physical safeguards” of the program.  Basically, it requires Wyndham to identify “material internal and external risks,” implement “reasonable safeguards to control the risk,” and staff the program with competent employees/contractors.  There is nothing new or earth-shaking about that.

In addition, Wyndham must retain an independent auditor to perform annual audits under the Payment Card Industry Data Security Standard (PCI-DSS), a series of data security protocols for organizations that handle major credit cards.  Again, there is nothing new or earth-shaking about ensuring that an entity handling credit card transactions complies with industry standard data security protocols.

The FTC said the settlement was noteworthy because it requires Wyndham to adhere to standards “exceeding” those of the PCI-DSS, specifically including a requirement for Wyndham to protect the perimeter of its networks by using a firewall to create a barrier between its own servers and those of franchisees.  The lack of a firewall between franchisees’ servers and Wyndham’s own servers was a “critical gap that left the door open to hackers on three separate occasions,” according to a post-settlement statement from the FTC.

The FTC raises an important point about perimeter security.  Some folks have suggested that perimeter security is unnecessary as long as the data is protected end-to-end using encryption—regardless of which channels it goes through or its eventual destination.  The reasoning behind this so-called data security approach is that the encrypted data can be accessed only by the intended party and no one else.  But this line of reasoning has a lot of holes.  For example, encryption becomes useless once a network intrusion has occurred and cybercriminals operate with stolen valid user credentials.

Encryption is an essential component of any good data security infrastructure, but it is not, and cannot be the only piece.  All good data security infrastructures deploy a layered approach which includes firewalls and encryption, among other things.  A firewall is essential where there is any external connectivity, either to other networks or to the internet.  It is important that firewalls are properly configured, as they are a key weapon in combating unauthorized access attempts.

The FTC imposed no monetary penalties against Wyndham, but explained that it lacks authority in most data security cases to get civil penalties, although the agency is seeking that authority from Congress.

If you have questions about this case or want to discuss your data security practices with bTrade, send a confidential email to



In the Data Security Game, It Can Be One Strike and You’re Out

bTrade previously published a data security case study about how a financial services company avoided the wrath of FTC investigators by reacting quickly to correct an error in its IT system that caused a data breach, and because the company had established and implemented “comprehensive” data security policies.  Today, MFT Nation wants to share the details of a couple of regulatory proceedings where healthcare entities acted quickly following a data breach, but got hit with hefty fines because they had neither established nor implemented any data security practices.

A Teaching Hospital Gets Schooled by OCR

Lahey Hospital and Medical Center, a nonprofit teaching hospital affiliated with Tufts Medical School, agreed to pay an $850,000 fine after an investigation by the U.S. Department of Health and Human Services, Office for Civil Rights (OCR), for potential HIPAA violations.  (One of OCR’s mandates is to “protect the privacy and security of health information in accordance with applicable law”).  It seems the hospital drew the ire of OCR due to its lax data security practices.

The proceeding began when the hospital notified OCR of the theft of a laptop that contained the protected health information of 599 patients.  The subsequent OCR investigation uncovered “widespread non-compliance with the HIPAA rules,” including the “failure to conduct a thorough risk analysis of all of its ePHI,” as well as the “failure to implement and maintain policies and procedures regarding the safeguarding of ePHI.”
Read more about the proceeding on the OCR website.

An Insurance Holding Company is Forced to Pay a High Premium for Lax Data Security

Triple-S Management Corporation, a Puerto Rico-based insurance holding company, agreed to pay a $3.5 million fine as part of the settlement of an OCR investigation into potential violations of HIPAA’s Privacy and Security Rules.  The settlement is the second largest financial penalty ever issued as part of a HIPAA resolution agreement.

The enforcement action arose after HHS received multiple breach notifications from Triple-S regarding unsecured protected health information.  HHS then initiated investigations that indicated “widespread non-compliance” throughout the various subsidiaries of the company. OCR found that Triple-S failed to comply with some of the most basic HIPAA Privacy and Security rules, such as entering into proper business associate agreements, adhering to the minimum necessary requirement, and conducting a HIPAA Security Rule risk analysis.

Following announcement of the settlement, OCR Director Jocelyn Samuels had this to say in a prepared statement: “This case sends an important message for HIPAA Covered Entities not only about compliance with the requirements of the Security Rule, including risk analysis, but compliance with the requirements of the Privacy Rule, including those addressing business associate agreements and the minimum necessary use of protected health information.”

Read more about the proceeding on the OCR website.

For more information about data security news, tips and trends, follow bTrade on Twitter, @bTradeLLC.


Cyber Security: The Next Level

Financial Sector Regulators Expanding Scope of Cyber Security Audits

bTrade has written before about cyber security risk assessments.  We also covered the topic on our Twitter feed (@bTradeLLC) during National Cyber Security Awareness Month (#CyberAware).  We would be remiss if we didn’t let MFT Nation readers know about a New York agency in the financial sector that is actively pushing for new regulations governing a variety of cyber security topics, including risk assessment.

To “promote greater cyber security across the financial services industry,” the New York State Department of Financial Services (NYDFS) announced late last year that it would be “expanding” its IT audits to “focus more attention on cyber security.”  The expanded audit scope includes an examination of a broad array of relevant cyber security items, including the qualifications and management of an entity’s employees and third party vendors who are performing cyber security functions, steps taken to protect against intrusion, and cyber security insurance coverage.

NYDFS also advised that it would not even schedule a cyber security audit until a company has completed a “comprehensive risk assessment.”  To aid in the assessment, each institution is required to submit a 16-part, detailed report describing its information security processes, including the systems in place to safeguard information, patch management programs, and “vetting, selecting, and monitoring third-party service providers.”

Earlier this month, the NYDFS published a letter that it addressed to a group of financial sector agencies/associations at both the federal and state level.  After offering an opinion that cyber security is “among the most critical issues facing the financial world today,” NYDFS describes the results of its cyber security audits, as well as other steps it has taken to “highlight and identify existing and emerging cyber security risks at banks and insurance companies.”  NYDFS also discusses several “broad conclusions and concerns” that emerged from the risk assessments.

It would be worth your time to review the entirety of the NYDFS letter because the MFT Nation staff have the feeling that NYDFS’s audit/risk assessment processes will likely spread to other states.  In fact, NYDFS made such a recommendation in its letter:  “The Department believes that it would be beneficial to coordinate its efforts with relevant state and federal agencies to develop a comprehensive cyber security framework that addresses the most critical issues.”

If you have any questions about this post or the cyber security risk assessment process, please send a confidential email to

There’s Strength in Numbers When Devising a Data Security Strategy

I came across a Corporate Counsel article with a title of “How to Secure Data from Hackers.”  Data security is a topic near and dear to the hearts of all bTraders and MFT Nation readers, so we decided to give it a read.  The gist of the article is that corporate counsel should consider “new” data security solutions such as “encrypting your data at the data level,” which according to the author would render perimeter and internal data security solutions “unnecessary.”  We discussed this among MFT Nation staffers and below are our thoughts.

Do Not Rely on a Single Security Device; Use a Layered Approach Consisting Of A Variety of Different Methods

MFT Nation staffers voiced unanimous disapproval of any approach that relies on just one security device, and we believe most IT professionals and regulators would agree.  In fact, most would recommend a layered approach for a data security strategy.  For example, the Federal Communications Commission (FCC) issued a Cyber Security Planning Guide which contains a section captioned “Create Layers of Security,” and in it the FCC says:

Protecting data, like any other security challenge, is about creating layers of protection.  The idea of layering security is simple: You cannot and should not rely on just one security mechanism – such as a password – to protect something sensitive.  If that security mechanism fails, you have nothing left to protect you.

Thus, the best data security strategy involves several different security methods deployed in a layered manner.  A layered approach reduces the likelihood that an attack will succeed by forcing the attacker to penetrate multiple security measures deployed at different layers of the network.

Do Not Ignore Perimeter Defenses and Other Internal Security Methods, Because You Need to Monitor Your Data Flows As Well As Who’s Trying To Get In And Out of Your Network

MFT Nation staffers tried but could not think of any situation that would render “firewalls, DLPs and other perimeter and internal security solutions unnecessary,” as the Corporate Counsel article suggests.  Without such tools, an organization would be blind to vulnerabilities on its network and could not monitor its data flows or who’s trying to get into and out of the network.  In fact, regulators have sanctioned companies for failing to deploy and/or properly use network monitoring tools, reasoning that such tools could have eliminated or reduced the risk of a data compromise.

Thus, network monitoring tools are a necessary component of a layered approach to data security.  bTrade’s TDXchange has functionality that would help in that regard, including end-to-end message tracking, reporting, and real-time alerts.  It has fully operational monitoring features in the GUI and a set of dashboards that enable real-time monitoring of file transfers, both textually and graphically.  Also, dashboards permit users to track key data (messages, transactions, participants, mailboxes, certificates, services, connections, etc.).

Encryption is an Essential Security Tool, but Be Aware That Not All Encryption is Created Equal

In its Cyber Security Planning Guide, the FCC recommends use of encryption as an “essential data protection technology.”  MFT Nation staffers wholeheartedly agree with the FCC, but we disagree with the assertion in the Corporate Counsel article that encryption is a “new” solution.  As the FCC said in its Cyber Security Planning Guide: “Encryption has been used to protect sensitive data and communications for decades.”

MFT Nation staffers also want to warn readers that not all encryption is alike.  For example, companies have incurred the wrath of regulators for “using only an insecure form of alphabetic substitution that is not consistent with, and less protective than, industry-standard encryption.”  Even strong methods of encryption won’t protect your data if it isn’t configured properly, as one company learned when regulators challenged its encryption methods.

We should also point out the following warning noted in boldface in the FCC’s Cyber Security Planning Guide:  “Because not all levels of encryption are created equal, businesses should consider using a data encryption method that is FIPS-certified (Federal Information Processing Standard), which means it has been certified for compliance with federal government security protocols.”  bTrade customers have the comfort of knowing that the encryption modules used in bTrade’s software solutions are FIPS-certified.

Data Security is a Journey, Not a Destination

That is the title of an earlier MFT Nation piece.  We repeat it here to emphasize that achieving a secure IT environment is not a “one and done” proposition.  Data security is a dynamic process which requires strategies that must evolve in the face of changing risks.  As such, the best approach for detecting and preventing unauthorized access to sensitive information is by deploying multiple data security mechanisms in a layered manner.

Data Security Tip: Sometimes It’s What You Don’t Do That Makes a Difference

This is the last in a series of data security case studies offered by bTrade in support of National Cyber Security Awareness Month (NCSAM).  As mentioned previously, bTrade is examining documents from public cases/proceedings initiated by regulators alleging bad data security practices, with the hope that lessons can be learned of what “not-to-do” when it comes to data security.  This post will examine not one, but three separate cases involving two private companies from different industries as well as a government entity that was the subject of what some call the “most devastating cyber attack in our nation’s history.”

HIPAA Settlement Underscores the Vulnerability of Unsupported, Out-of-Date Software

An investigation was opened by Health and Human Services, Office for Civil Rights (OCR), after Anchorage Community Mental Health Services (ACMHS), a nonprofit mental-health care provider, gave notice of a breach involving malware that compromised unsecured electronic protected health information (ePHI) affecting 2,743 individuals.  OCR’s investigation revealed that ACMHS failed to: (1) conduct “accurate and thorough” risk assessments; (2) implement policies and procedures to safeguard its e-PHI; and (3) implement “technical security measures to guard against unauthorized access to e-PHI” such as installing firewalls and ensuring that “information technology resources were both supported and regularly updated with available patches.”

ACMHS agreed to settle potential violations of HIPAA’s Security Rule by paying $150,000 and adopting a corrective action plan to correct deficiencies in its HIPAA compliance program. The corrective action plan requires ACMHS to report on the state of its compliance to OCR for a two-year period.

What is the lesson learned from this data security case study?  Although multiple violations were alleged, OCR’s public statements focused on just one of ACMHS’s data security problems–running unsupported, out-of-date software.  For example, in a public bulletin issued after the settlement, OCR said the data security breach was “the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software.”  OCR Director Jocelyn Samuels echoed these same sentiments:

Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis.  This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.

SEC Settlement Underscores the Need to Adopt Written Policies and Procedures to Safeguard Customer Information

The Securities and Exchange Commission (SEC) censured and fined a St. Louis-based investment advisor, R.T. Jones Capital Equities Management, for not having required data security policies and procedures in place.  According to the SEC’s order, R.T. Jones stored sensitive personally identifiable information (PII) of clients and others on its third party-hosted Web server.  The server was attacked by an unknown hacker who gained access and copy rights to the data on the server, rendering the PII vulnerable to theft.

Without admitting or denying the SEC’s findings, R.T. Jones agreed to pay a $75,000 penalty to settle charges that it violated the “safeguards rule” because it “failed entirely” to adopt written policies and procedures reasonably designed to safeguard customer information.  For example, the SEC alleged that R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server or maintain a response plan for cybersecurity incidents.

What is the lesson learned from this data security case study?  In a prepared statement, Marshall Sprung, co-chief of the SEC Enforcement Division’s Asset Management Unit, provided the lesson:

As we see an increasing barrage of cyberattacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients.  Firms must adopt written policies to protect their clients’ private information, and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.

OPM Lawsuit Underscores the Need, in Certain Situations, to Shut Down and Start Over

An FAA employee recently filed a federal court class action lawsuit arising out of multiple cyber-breaches of systems at the U.S. Office of Personnel Management (OPM).  OPM provides investigative products and services for over 100 federal agencies to use as a basis for suitability and security clearance determinations.  According to the lawsuit, hackers compromised the security of at least 21.5 million individuals and top lawmakers described the breach as the “most devastating cyber attack in our nation’s history.”

What do plaintiffs allege that OPM did wrong?  Plenty, according to OPM’s Office of Inspector General (“OIG”), the agency required under federal law to conduct annual audits of OPM’s cyber security program and practices.  OIG identified “material weaknesses” as far back as 2007 that OPM not only failed to cure, but in many areas OPM’s performance actually got worse.  According to a 2014 OIG report, the “drastic increase in the number of [software] systems operating without valid authorization is alarming and represents a systemic issue of inadequate planning by the OPM offices to authorize the [software] systems they own.”  As a result, the OIG concluded that OPM’s software systems were so vulnerable that OPM should consider “shutting [them] down.”

What is the lesson learned from this data security case study?  Although this saga has not yet played out since the lawsuit was only recently filed, we now know that certain data security systems can be so bad that the best solution is to “shut them down” and start over.  At this point, it appears OPM’s problems result from the horrible operations of a government agency and its incompetent staff, rather than with technology or policies/procedures.

So stay tuned on this one because we guarantee it will produce lessons of what not-to-do when it comes to data security.  bTrade’s MFT Nation will keep you updated on events as and when they occur.

Those Who Fail to Learn from [Data Security] History are Doomed to Repeat It

We title this post using Sir Winston Churchill’s famous quote (with a bit of modification) because it reinforces a valuable data security lesson for purposes of National Cyber Security Awareness Month.  Churchill’s quote reminds us that while we must always be forward-looking in all aspects of our business, it is also essential that we pause periodically to think critically about our history so as to avoid repeating mistakes of the past.

The Best Data Security Systems are Built on a Foundation of Policies Based on Trust

At a recent data security conference, FBI Agent Tim Wallach made a comment highly relevant for those MFT Nation readers concerned about knowing and understanding their data security history.  He said:  “Cyber is based on a system of trust and hackers are exploiting that trust in any way they can.”  The evolving data security landscape has changed many things, but it has not changed the fundamental truth that data security is all about trust.  The days of using “fear, uncertainty and doubt” as a means of promoting data security within an organization are long gone.  In our experience, effective data security comes from policies that build trust, and building trust necessarily begins with risk assessment, as explained in more detail below.

Risk Assessment is a Critical Component of an Effective Data Security Program

Through a process of risk assessment, IT professionals identify threats and vulnerabilities on their networks, and weigh the risks they present to the confidentiality, integrity, and availability of information on the network.  Without adequate risk assessment, an organization is blind to vulnerabilities intruders or insiders could exploit to obtain unauthorized access to sensitive information on its network, even for vulnerabilities it could have easily eliminated. Knowing a network’s vulnerabilities and the prospect of harm they present is essential for deciding which security measures are reasonable for the network.  Thus, performing a risk assessment acts as the foundation for an effective data security program.

Many Public and Private Resources Exist to Help Conduct a Useful Risk Assessment

Frameworks to identify, assess, and mitigate risk are available at no charge from various sources, such as the National Institute of Standards and Technology (“NIST”) and the Centers for Medicare and Medicaid Services (“CMS”).  Private entities, such as the System Administration, Networking, and Security Institute (“SANS”), also provide IT practitioners with risk assessment information and training.  These free frameworks set out concepts organizations can adapt as needed to identify and prioritize vulnerabilities taking account of their circumstances, such as their network structures and the types and amounts of harm that would result if there were a breach.

For example, NIST Special Publication 800-30 contains a nine-step process, beginning with cataloging network resources (including hardware, software, information, and connections) to define the scope of the risk assessment, moving through vulnerability identification and cost-benefit analyses of measures that could mitigate the risk of a vulnerability, and ending with security measure recommendations and a written record of the process.  For each of these steps, the publication also describes methods and tools that can be used to perform it.  CMS used the NIST concepts to provide a similar framework for analyzing and managing vulnerabilities for entities subject to HIPAA and the Security Rule.

Many Public and Private Resources Exist for Determining Known or Reasonably Foreseeable Vulnerabilities

A wealth of information exists for identifying known vulnerabilities.  Sources include alerts from software vendors and security companies, and software vulnerability databases compiled by private and government entities.  These sources include the Common Vulnerabilities and Exposures (“CVE”) list, the Common Vulnerability Scoring System (“CVSS”), the United States Computer Emergency Readiness Team (“US-CERT”), and NIST’s National Vulnerability Database (“NVD”).  The CVE assigns to each known vulnerability a unique identifier that is used to catalog and retrieve information about the vulnerability, including remediation measures in many instances.  The CVSS facilitates prioritizing vulnerabilities by calculating a numerical severity score between 0 and 10 for each vulnerability, taking into account factors such as how easy or hard it is to exploit the vulnerability and the resulting impact on confidentiality, integrity, and availability.  US-CERT provides free technical assistance to network operators and notifications of current and potential security threats.  The NVD is the U.S. government’s free one-stop software vulnerability management database, and includes the CVE dictionary, CVSS severity ratings, and additional analysis and information about known vulnerabilities.

bTrade can Help

A data security strategy must be tailored to meet an organization’s unique set of needs and requirements, but conducting a periodic risk assessment can form the foundation for a truly effective data security program.  To learn more about the information in this post, or to discuss the topic with bTrade’s data security experts, send a confidential email to