What types of issues do I need to be aware of to keep my CERVIS account and organizational data secure?
Online Security Threats
Users of online services, such as CERVIS, are potential targets for attempts to steal login credentials and other sensitive information. These threats include scam emails (phishing and malware) and phone calls attempting to gather information that can be used to gain unauthorized access or privileged knowledge.
NEVER GIVE YOUR CERVIS ACCOUNT PASSWORD TO ANYONE FOR ANY REASON VIA PHONE, EMAIL OR IN PERSON. CERVIS CUSTOMER SUPPORT WILL NEVER ASK FOR YOUR PASSWORD.
Wireless Connection Sniffing and Hijacking
CERVIS provides SSL/TLS encryption ("https") for login and for all communication between the CERVIS application and the end user's web browser. This means that even when you log in to CERVIS over an unsecured wireless network, your login credentials and organization data are protected from hijacking by tools such as Firesheep.
NEVER CONTINUE WITH THE LOGIN PROCESS IF YOU RECEIVE A BROWSER SECURITY WARNING TELLING YOU THAT THERE IS AN INVALID SECURITY CERTIFICATE, ESPECIALLY IF YOU ARE CONNECTED TO AN UNTRUSTED WIRELESS NETWORK.
- CERVIS houses and operates all operational servers that store or process customer data in redundant SOC 2 (Type II) data centers in Dallas, TX; Seattle, WA; San Jose, CA; and Washington, DC.
- Data centers are located in facilities with controlled access and 24-hour security
- No server room doors are public-facing
- Server rooms are staffed 24/7
- Unmarked entry and exit doors
- Digital security video surveillance
- Biometric security systems
- Server room access strictly limited to datacenter employees and escorted contractors or visitors
- Barcode-only identification on hardware; no customer markings of any type on the servers themselves
- Fire detection and suppression systems, including dry pipe systems, fire extinguishers, and smoke and fire alarms
- Backup power, including UPS and generators
- Power Distribution Units (PDU) and electrical panels
- Heating and cooling (HVAC) mechanisms, such as CRAC units and chillers, monitor and control temperature and humidity
- Data centers are maintained with adequate lighting and are free of clutter.
- All systems are protected behind network firewalls that limit both inbound and outbound traffic to the minimum needed access for system operation.
- All systems are protected and monitored by network layer Intrusion Prevention Systems.
- All system-to-system back-end traffic is encrypted and transmitted within private VLANs
- All customer data is protected behind Database firewalls
- All customer data is encrypted while at rest using 256-bit AES encryption, on both operational systems and in backup storage
- Customer-selected "Sensitive Data" is encrypted with an additional layer of 256-bit AES encryption within the database
- All customer data is encrypted while in motion via 128-bit SSL encryption
- All systems are protected and monitored by host layer Intrusion Prevention Systems.
- All systems are protected behind host layer firewalls that limit both inbound and outbound traffic to the minimum needed access for system operation.
- All systems are protected with anti-virus and anti-malware software that is updated daily
- All operating system, application server, database server, and web server patches and system updates are applied as quickly as possible, prioritized by the severity of the vulnerability being addressed
- External network-level and application-level vulnerability tests are conducted daily by an external third party
- Internal system-level vulnerability assessments are conducted monthly
- Automated web application security assessments are conducted by a third party against CERVIS daily.
- Manual web application security assessments are conducted twice yearly.
- All customer data remains the sole property of the customer, and CERVIS does not use customer data for any purpose other than providing service to the customer
- All CERVIS employee access to customer data is logged and audited
- Password complexity and duration are completely customizable within the CERVIS application
- Customers can implement IP address restrictions for access to admin functions
- The system includes bot detection and anti-bot functionality
- All data centers provide redundant electrical power, equipment cooling systems and backbone internet connectivity.
- CERVIS databases are stored on redundant drives configured within state-of-the-art dedicated servers.
- All customer data is encrypted, backed up, and stored at a secure offsite location twice per day
- CERVIS databases are configured with mirror replication, so all information in the database is copied instantly and securely, up to the last committed transaction, to one of our failover data centers
- In the unlikely event that we lose our primary data center, CERVIS will instantly fail over to a secondary data center and remain fully operational
Along with these security precautions, CERVIS offers a suite of security features that customers can configure to their needs. See the following support knowledge base article for more information: http://support.cervistech.com/entries/358523#security
Phishing and Malware
Don't become a victim of "phishing," in which Internet criminals set up a website that mimics a legitimate site, such as the CERVIS login page. Following the tips below will help you avoid becoming a victim of such a scam:
- Always look for the "lock" icon in the bottom-right corner of your browser (see images below).
- Be suspicious of emails that include links to the CERVIS login page. Don't click on such links—instead, always log in to CERVIS by using the link provided upon account activation or from your organization's web page.
Spot suspicious emails
Phishing emails try to trick you into revealing information, often by asking you to “verify” or “update” information. Such emails may use the logos of the companies or government agencies they are impersonating to look legitimate.
One clue is that such messages often contain poor spelling and grammar. However, as scam artists become more sophisticated, their approaches are becoming more varied and their messages are getting better. Another clue to look out for is links that don’t match the URLs of the companies they claim to come from.
The example below shows some common phishing tactics, but expect anything: as users catch on to one approach, Internet criminals come up with new ones.
Malicious software attacks also come via email, using many of the same tactics as phishing. These emails include links or attachments that install malicious code—such as programs that capture keystrokes—on your computer. As users have become wary of attachments with .exe or unknown extensions, Internet criminals are now using attachments with seemingly innocuous .doc or .pdf extensions. And most users still readily click on links.
Beware of unusual links.
Watch out for links containing URLs that look similar to real ones, for example "cervustech.com" or "update-cervis.com".
Even if a link looks OK, make sure by entering the company's URL in the address bar yourself. Phishers can make links look like they go to one place while taking you to another site.
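As an added illustration (not code from the CERVIS page or product), here is a small Python scanner that applies the link checks above to every anchor in an email body: it flags typosquats such as cervustech.com, brand-bearing third-party domains such as update-cervis.com, links whose visible text shows cervistech.com while the href goes elsewhere, and the "trusted-name@real-host" userinfo trick. It assumes cervistech.com is the only legitimate CERVIS domain, and the sample message (including the documentation address 198.51.100.7) is constructed.

```python
import re
from urllib.parse import urlparse
# Assumption (constructed example, not CERVIS code): cervistech.com is the only legitimate domain.
TRUSTED_DOMAINS = {"cervistech.com"}
BRAND_TOKENS = ("cervis",)  # brand words that do not belong in a stranger's domain
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", re.I)

def registrable_domain(host):  # last two labels; crude public-suffix stand-in, fine for .com
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):  # Levenshtein distance, to spot one- or two-character typosquats
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(href, text):
    """Verdict for one anchor: href is what is followed, text is what the reader sees."""
    url = urlparse(href.strip() if "://" in href else "http://" + href.strip())
    host = url.hostname or ""
    if registrable_domain(host) in TRUSTED_DOMAINS:
        return "ok" if url.scheme == "https" else "plain-http"
    if url.username and any(t in url.username.lower() for t in BRAND_TOKENS):
        return "userinfo-trick"  # https://cervistech.com@<other host>/... goes to the other host
    shown = HOST_IN_TEXT_RE.search(text)
    if shown and registrable_domain(shown.group(0)) in TRUSTED_DOMAINS:
        return "text-host-mismatch"  # visible text names cervistech.com, link goes elsewhere
    base = registrable_domain(host).split(".")[0]
    if any(0 < edit_distance(base, t.split(".")[0]) <= 2 for t in TRUSTED_DOMAINS):
        return "lookalike-domain"  # e.g. cervustech.com
    if any(t in host for t in BRAND_TOKENS):
        return "brand-in-untrusted-domain"  # e.g. update-cervis.com
    return "untrusted"

def scan_email_html(html):  # -> [(href, verdict)] for every anchor in an HTML body
    return [(href, classify_link(href, re.sub(r"<[^>]+>", "", text)))
            for href, text in ANCHOR_RE.findall(html)]

# Constructed sample message; 198.51.100.7 is a documentation (TEST-NET-2) address.
SAMPLE_EMAIL = """<a href="https://support.cervistech.com/entries/358523#security">Security settings</a>
<a href="https://cervustech.com/login">Log in to CERVIS</a>
<a href="https://update-cervis.com/verify">Verify your account</a>
<a href="http://198.51.100.7/login">https://cervistech.com/login</a>
<a href="https://cervistech.com@198.51.100.7/login">Log in</a>
<a href="http://cervistech.com/login">Log in</a>"""
```

Calling scan_email_html(SAMPLE_EMAIL) returns one verdict per link; anything other than "ok" is worth a closer look before clicking.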
Suspicious phone calls
Several customers have reported receiving phone calls from persons who misrepresent themselves as employees or agents of CERVIS. Some of these callers are attempting to steal your CERVIS credentials—an illegal practice known as “social engineering.”
Here’s how it typically works:
- A caller identifies organizations that use CERVIS by searching public job postings, etc.
- The caller contacts the customer’s main switchboard and asks for the person responsible for CERVIS or the CERVIS administrator. The caller may claim to offer a “new version of CERVIS.”
- The caller asks for login credentials to "install improvements" or perform other activities in the customer's organization.
What you need to do:
- Remind your users that CERVIS employees will not ask for usernames or passwords.
- If one of your users gives away his or her login credentials, reset that person's password immediately and alert us: firstname.lastname@example.org
- If a caller identifies him or herself as a CERVIS employee and you do not recognize his or her name, ask for a call-back number and email address.