CipherLoc Unprecedented Security for Data & Communications

CipherLoc Teams with Praetorian Secure to Bring Unprecedented Security to Data and Communications

October 11, 2016 08:00 AM Eastern Daylight Time

AUSTIN, Texas–(BUSINESS WIRE)–CipherLoc Corporation (OTCQB:CLOK), the data security company that enables an ironclad layer of data protection, has partnered with Praetorian Secure, LLC, a provider of security technology and solutions for organizations like the U.S. Army, United Healthcare and Xerox. Praetorian Secure is now a full systems integrator for CipherLoc’s solution suite designed to protect enterprise data exchanges between mobile devices, desktops, laptops and cloud servers.

Praetorian Secure is integrating CipherLoc’s new data protection solutions suite, debuted in September 2016, into the security programs it builds for companies around the world. Many of Praetorian Secure’s customers face challenges in how best to protect data in an increasingly dangerous world. They also face regulatory compliance challenges in managing sensitive data under standards such as HIPAA and PCI DSS. Praetorian Secure will use CipherLoc technology to help those customers protect data on a level that far surpasses what is possible today while simultaneously meeting compliance standards.

CipherLoc’s technology dramatically enhances data security

“CipherLoc offers the level of protection needed to secure encrypted communications in today’s increasingly insecure online world,” said Brent Bernard, CEO, Praetorian Secure. “Our relationship with CipherLoc will enable us in our mission to implement security solutions that provide an impenetrable defense, especially for the most sensitive and business-critical data.”

CipherLoc’s patented approach is a simple but powerful step companies can take to protect their data. CipherLoc treats a data file as multiple, unique segments that are each individually protected, making it resistant to the attacks and vulnerabilities associated with modern encryption algorithms, which operate on a monolithic block of data. By simply adding a few lines of non-disruptive code, companies may secure and future-proof their data using CipherLoc technology without tearing down or building new infrastructure. The protection CipherLoc provides increases as computational horsepower increases, making it stronger and more resistant to attacks as technology advances.

“Praetorian Secure is a true innovator in the security space, with years of experience assessing security risks and implementing safeguards at some of the world’s most respected brands and organizations,” said Mike Salas, VP Sales and Marketing at CipherLoc. “It recognizes the urgent need to take data protection to unprecedented levels due to the increased sophistication of cyber-criminal activity. We’re happy to be an integral part of Praetorian Secure’s initiative.”

About Praetorian Secure, LLC

Praetorian Secure, LLC is a technology-security leader and solution innovator. Our number one priority is to provide our customers with best-in-class solutions based on superior security and regulatory compliance knowledge and support. Praetorian offers a wide range of information technology (IT) security and regulatory compliance solutions, including DIACAP, Risk Management Framework (RMF), PCI DSS, HIPAA, and ISO 27001. Having a full suite of solutions to support customer projects enables our clients to focus on their operational requirements and internal business. In addition to our IT security and compliance services, Praetorian Secure also offers specialized services such as:

Penetration Testing

Vulnerability Assessment(s)

Risk Management Analysis

Managed Security Services

Secure Software Development

Founded in 2009, Praetorian Secure is constantly striving to develop new and better ways to serve its customers and business partners. Our company was named for the historical “Praetorian Guard”, which acted as the premier security force of its time. Elite and focused, they were the best at providing security and protection for the Roman military. We pride ourselves on the same foundation and approach in securing our clients’ network and data assets. For further information please see our contact page or call 1.855.519.7328.

About CipherLoc Corporation (OTCQB: CLOK)

CipherLoc Corporation is a data security solutions company with a simple vision – Protect the World’s Data. Our highly innovative solutions are based on our patented Polymorphic Cipher Engine which is designed to enable an ironclad layer of protection to be added to existing products, services, or applications. We deliver solutions that are highly secure, synergistic, and scalable. In short, we keep information safe in today’s highly dangerous world.

Caitlin New, 512-382-8990


Secure Coding

Software developers and all other personnel involved in developing software for organizations are required, under standards such as PCI DSS, to undergo annual training in secure coding techniques for the software platform(s) with which they work. In many cases, these same developers and organizations are also required to submit secure code training checklists on an annual basis as evidence that they are meeting the secure coding requirements.

In addition to the compliance requirements facing software developers, there are professional guidelines, such as Open Web Application Security Project (OWASP) guidance (including the OWASP Top 10) and the CWE/SANS Top 25 Most Dangerous Software Errors, that are often leveraged as well.

How does your software development lifecycle stand in comparison to industry expectations? Does it include policies, processes and procedures to ensure that internally developed applications are not vulnerable?

Whatever your current posture on secure coding principles, organizations looking to implement a compliant practice should ensure that (at a minimum) the following threat categories, which correspond to the OWASP Top 10 (2010 edition), are accounted for:

– Injection Flaws (SQL, OS and LDAP Injection)
– Cross-site Scripting (XSS)
– Broken Authentication and Session Management
– Insecure Direct Object References
– Cross-site Request Forgery (CSRF)
– Security Misconfiguration
– Failure to Restrict URL Access
– Un-validated Redirects and Forwards
– Insecure Cryptographic Storage
– Insufficient Transport Layer Protection
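As an added example (not code from Praetorian Secure or from the original post), the following Python snippet shows the first two items in the list, injection and cross-site scripting, each as a vulnerable function beside its hardened form. The users table, its rows and the attack payloads are constructed for the demonstration, and the database is an in-memory SQLite instance so the snippet runs offline.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data (not from the page): an in-memory users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users (username, secret) VALUES (?, ?)",
        [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b"), ("carol", "s3cr3t-c")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Injection flaw: untrusted input is concatenated into the SQL text,
    so a quote character in the input rewrites the WHERE clause."""
    sql = "SELECT username, secret FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, username):
    """Parameterized query: the value travels separately from the statement,
    so quote characters in it cannot change the statement's structure."""
    sql = "SELECT username, secret FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def render_vulnerable(display_name):
    """Reflected XSS: attacker-controlled text is interpolated into HTML as-is."""
    return "<p>Welcome, " + display_name + "</p>"


def render_fixed(display_name):
    """Output encoding for the HTML body context: <, >, &, double and single
    quotes become entities, so the browser renders the input as text."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


def demo():
    """Run both constructed payloads through the vulnerable and fixed versions."""
    conn = make_db()
    sqli_payload = "x' OR '1'='1"            # classic tautology injection
    xss_payload = "<script>alert(1)</script>"
    return {
        "vuln_rows": len(lookup_vulnerable(conn, sqli_payload)),  # every row leaks
        "fixed_rows": len(lookup_fixed(conn, sqli_payload)),      # no such user
        "vuln_html": render_vulnerable(xss_payload),              # script would run
        "fixed_html": render_fixed(xss_payload),                  # rendered as text
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Parameterization removes the injection at its source; input validation is a worthwhile defence-in-depth measure but not a substitute for it. Output encoding is context-specific: html.escape covers the HTML body and quoted-attribute contexts, while data placed into JavaScript, URLs or CSS needs the encoder for that context.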

Praetorian Secure has developed and implemented a comprehensive program covering software assessment, development, secure coding guidelines and training, which encompasses the threat categories and supporting activities described in this program. These policy directives are enforced through review and analysis to ensure that the software development and secure coding guidelines and training initiatives are executed formally and consistently.

Secure coding is much more than reviewing code manually or with automated tools; it is a fundamental component of the entire software development lifecycle and its related processes. There are many vulnerability classes and threats that pose significant danger to the internally developed software platforms on which our customers rely. These are catalogued and periodically updated by the Open Web Application Security Project (OWASP), and developers and all other personnel involved in software development should have a comprehensive, in-depth understanding of them.

Additionally, while many of these vulnerabilities can be eliminated with secure coding techniques, other critical processes and procedures must also be carried out by network engineers and other IT staff to ensure the security of internally developed software platforms.


NIST Security Recommendations for Cloud

For the better part of two years, cloud computing has drawn a significant spotlight for its ease of use, lower cost, and the overall reduction in resources required by the companies that use these services. A major concern from the beginning, however, has been how security is applied within the cloud environment and, ultimately, the ability to meet compliance requirements.

Federal agencies have been tasked, under the administration’s “Cloud First” policy, with migrating applications to cloud computing environments, and the National Institute of Standards and Technology (NIST) has been developing security standards and guidelines to enable the transition. Department of Defense (DoD) components and civilian federal agencies draw on NIST security guidance as a common standard for implementing appropriate security and meeting compliance. Commercial entities may also want to reference these documents as a prudent starting point for their security programs, given the guidance provided in NIST’s cloud-related special publications.

Complying with NIST regulatory and security requirements in a cloud environment depends heavily on the deployment and service model adopted, the architecture chosen to support the business, how resources are deployed and how they are managed. In addition to traditional IT security considerations, organizations should also address cloud-specific characteristics, including:

  • Broad network access
  • Decreased visibility and control by consumers
  • Dynamic system boundaries and mingled responsibilities of consumer and provider
  • Multi-tenancy
  • Data residency
  • Measured service
  • Significant increase in scale, dynamics and complexity of the environment

The NIST reference architecture also defines three primary cloud service models: software as a service (SaaS), platform as a service (PaaS) and infrastructure as a service (IaaS). In addition, consideration should be given to the roles of the five actors in the cloud environment: consumer, provider, broker, carrier and auditor. The level of involvement of each in implementing security components should be considered for each environment.

NIST Security Cloud References

As a useful reference guide, organizations should consider the Cloud Computing Security Reference Architecture, NIST Special Publication 500-299, as it lays out a risk-based approach of establishing responsibilities for implementing necessary security controls throughout the cloud life cycle.

This security reference architecture draws on and supplements a number of other NIST publications to provide the security needed to speed adoption of cloud computing. In particular, it supplements NIST SP 500-292, Cloud Computing Reference Architecture, providing “a comprehensive formal model to serve as security overlay to the architecture” in SP 500-292.

The draft publication describes a methodology for applying the Risk Management Framework described in NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, adapted for the cloud. The formal model and security components in the draft are derived from the Cloud Security Alliance’s Trusted Cloud Initiative – Reference Architecture.  We would be happy to answer any questions you have related to how we support cloud initiatives.  Please contact us with any questions you may have or check out our service portfolio.


5 Cybersecurity Mistakes to Avoid

As most of us know, being responsible for cybersecurity, and for how it is perceived within an organization, can be a rather thankless task. Very seldom is our job function even noticed, unless of course the job was not done properly.

With the onslaught of virtualization, mobile computing, and cloud technologies, the role of security practitioners in the workplace has not subsided but has actually become more complicated. For example, many key business decisions are made outside the IT department, so being proactive in determining reasonable, cost-effective security practices has become the norm for today’s security professionals.

Regardless of the situation, we can all agree that cybersecurity plays an important part in every company. Given the demonstrated risk posed by cyber attackers and the daily occurrence of security breaches, I wanted to share five of the most common mistakes made by security professionals, expressed as the statements below.

Five of the most common mistakes:

5) “Call our security team and get their thoughts on this …” – One of the things often overlooked in cybersecurity is the development of a “security-first” mindset. While many organizations rely heavily on the security department to set policy, improve security awareness, manage defenses, harden systems, apply patches, and set permissions, establishing an effective cybersecurity program means security professionals should be involved in the day-to-day evolution of business operations as part of an integrated team. Too often we find companies that have partitioned off their security employees and only bring them in at the tail end of a project to seek security guidance. Not to mention that many fail to include a security conduit in the organization’s leadership with the authority to affect operational decisions.

4) “We just don’t have that in our current budget.” – In my experience, many companies practice poor forecasting and spending as it pertains to managing security risk. Most of the time, organizations spend budget dollars on solving past problems rather than on prioritizing risk mitigation. This is a common mistake that leaves excuses for not tackling sometimes significant risks due to budget challenges. Being successful at cybersecurity goes well beyond fixing yesterday’s problems. The effort has to be a sustained approach that tackles past, present and future risks based on each organization’s unique business scenario, with a comprehensive start-to-finish process for evaluating risk and strategic budgeting for priorities, along with sufficient financial resources and expertise set aside for emergency resolution of risks or new requirements that emerge after budget forecasting. Essentially, statement #4 communicates that the issue has no or low priority, or that it emerged unexpectedly. Having a reserve set aside for emergencies may help deal with the excuses created by not having a budget for pressing security needs.

3) “We monitor, therefore we are secure!” – While monitoring is most often driven by a particular compliance requirement, security cannot be left to monitoring alone once compliance has been achieved. Certainly monitoring is an important aspect of core cybersecurity practice, but equally important is the ability to assess risk and determine the short- and long-term threat landscape. Relying on monitoring alone to react to threats, without improving layered defenses and prioritized management of risk along with forecasting and budgeting for an acceptable level of risk, is potentially an indicator of a security program lacking maturity.

2) “We always have someone available on Patch Tuesday in our organization.” – This could easily be number one on my list. It seems to be the response of many organizations managing security operations. The auditor comes in, is directed to the department responsible for patching, and everything is good, correct? Not really. For the most part, I have found that when a company explains that its patching is under control, or that it patches all critical risks, it typically means from an operating system (OS) perspective. How about your applications? Many organizations avoid patching certain applications for fear of compatibility problems. I also hear confidence that critical patches are applied and everything else is acceptable risk, plus explanations that some enterprise management tools only work well for patching core technology and the rest is a manual process deferred for later, or ignored because it is difficult to address. Attacks against applications easily exceed those against the OS, and not being on top of application patching in your environment could create significant opportunities for breaches. After hearing these statements, the questions that should be asked are how configuration management, asset management, assessment, patch testing and prioritization of patches are handled before patching, and how patch verification is handled and metrics tracked afterwards to determine whether the objectives of patch management are being met, rather than just feeling comfortable that someone is on staff on Patch Tuesday.

1) “We’re not in the business of IT security.” – I once read that McDonald’s was not in the hamburger business but the real estate business. This makes complete sense given the number of locations where the “golden arches” are present. I bring this up because all too often employees confuse their day-to-day roles and responsibilities with their initial job description. Unfortunately, working in the accounting department does not excuse you from maintaining situational awareness, abiding by the corporate password policy, or observing information sensitivity. Educating our user community is one very important aspect of cybersecurity and is often overlooked in favor of more “pressing” business matters. Fortunately or unfortunately, with the great power that technology brings to business come responsibilities for security. Maybe we should ask the Surgeon General of the United States to add a warning on the side of every technology box stating “Warning: this box could be harmful to your company’s health and reputation. Use technology in moderation and manage your consumption through solid security practices. This product may increase the potential for breach, poor reputation and possibly financial loss.” With great power comes responsibility.
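As an added example, not Praetorian Secure’s code or anything described in the post, here is a small Python patch-verification report of the kind point #2 above asks for. It compares a constructed asset-inventory export against a constructed patch baseline, applies an assumed per-severity remediation SLA, and reports OS coverage, application coverage and the overdue list separately, so that “the OS is patched” cannot stand in for “the estate is patched”. All hosts, products, version numbers, release dates and SLA values are made up for the demonstration.

```python
from datetime import date, timedelta


def parse_version(text):
    """Turn '117.0.5938.62' into (117, 0, 5938, 62) so versions compare numerically,
    not as strings (where '9' would sort after '118')."""
    return tuple(int(part) for part in text.split("."))


# Constructed asset-inventory export (not real hosts): one row per product per host.
INVENTORY = [
    {"host": "ws-01",  "product": "os",         "version": "10.0.19045.3570"},
    {"host": "ws-01",  "product": "browser",    "version": "117.0.5938.62"},
    {"host": "ws-01",  "product": "pdf-reader", "version": "23.3.20201"},
    {"host": "srv-02", "product": "os",         "version": "10.0.19045.3570"},
    {"host": "srv-02", "product": "java",       "version": "8.0.371"},
    {"host": "srv-02", "product": "browser",    "version": "118.0.5993.70"},
]

# Constructed patch baseline: minimum acceptable version per product, the
# severity of what that version fixes, and the date the fix was released.
BASELINE = {
    "os":         {"min_version": "10.0.19045.3570", "severity": "critical", "released": date(2023, 10, 10)},
    "browser":    {"min_version": "118.0.5993.70",   "severity": "high",     "released": date(2023, 10, 10)},
    "pdf-reader": {"min_version": "23.6.20320",      "severity": "critical", "released": date(2023, 9, 12)},
    "java":       {"min_version": "8.0.391",         "severity": "high",     "released": date(2023, 10, 17)},
}

# Assumed remediation SLA in days after release, by severity.
SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}

# Fixed "today" so the report is reproducible; a real run would use date.today().
TODAY = date(2023, 10, 20)


def evaluate(row, baseline, today):
    """Classify one inventory row: compliant, pending (inside SLA), overdue, or unbaselined."""
    spec = baseline.get(row["product"])
    finding = {"host": row["host"], "product": row["product"], "days_overdue": 0}
    if spec is None:
        finding["status"] = "unbaselined"   # nobody owns this product: a CM gap, not a pass
        return finding
    if parse_version(row["version"]) >= parse_version(spec["min_version"]):
        finding["status"] = "compliant"
        return finding
    due = spec["released"] + timedelta(days=SLA_DAYS[spec["severity"]])
    late = (today - due).days
    finding["status"] = "overdue" if late > 0 else "pending"
    finding["days_overdue"] = max(late, 0)
    return finding


def patch_report(inventory, baseline, today=TODAY):
    """Metrics an auditor can check: OS vs. application coverage plus the overdue list."""
    findings = [evaluate(row, baseline, today) for row in inventory]

    def coverage(rows):
        return sum(f["status"] == "compliant" for f in rows) / len(rows) if rows else 1.0

    os_rows = [f for f in findings if f["product"] == "os"]
    app_rows = [f for f in findings if f["product"] != "os"]
    return {
        "os_coverage": coverage(os_rows),
        "app_coverage": coverage(app_rows),
        "overdue": sorted((f["host"], f["product"], f["days_overdue"])
                          for f in findings if f["status"] == "overdue"),
        "pending": sorted((f["host"], f["product"])
                          for f in findings if f["status"] == "pending"),
    }


if __name__ == "__main__":
    report = patch_report(INVENTORY, BASELINE)
    print(f"OS coverage:  {report['os_coverage']:.0%}")
    print(f"App coverage: {report['app_coverage']:.0%}")
    print("Overdue:", report["overdue"])
    print("Pending:", report["pending"])
```

With the constructed data both hosts are fully patched at the OS level while only one of four application installs meets the baseline, and the critical PDF-reader fix is past its SLA: exactly the picture that “someone is on staff on Patch Tuesday” hides. The unbaselined status is deliberate; a product that the inventory sees but the baseline does not cover is a configuration-management gap and should be reported rather than silently skipped.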

As today’s threats become more complex, keeping our users’ awareness elevated has become an ever-increasing part of cybersecurity. This in no way depicts all of the mistakes to avoid when implementing a strong cybersecurity program, but being aware of these statements may help uncover other common pitfalls. The battle against IT threats is constant and evolving; the sooner we understand that, and become proactive in our evaluation of risk, budget forecasting, management of defenses and governance of security programs, the better prepared we will be.

SAP Audit Beyond PROD

The Risks of Not Performing an SAP Audit Beyond SAP PRD

Ninety-five percent of our companies have found unknown threats.

Regulatory Compliance or Another Sleepless Night?

When we first opened for business, we had 15 employees. Today, we have more than 3500 full-time staff members. Business decisions then were simple and not as complex as today. Even the way we conduct business has dramatically changed as quickly as technology has over the past 10 years.


We didn’t have to worry about Viruses, Trojans, Malware, or penetration hacking. What keeps me up at night now….

How do we keep our data safe?

Where do we begin?

Where do we go for the information?

And, most importantly – What do we do now?


Sound all too familiar? Information security is often feared as an amorphous issue that only the IT department has to deal with. The reality is that companies need to be concerned with information security compliance from top to bottom. Regulations are in place [e.g., HIPAA, the Sarbanes-Oxley Act, the Federal Information Security Management Act of 2002 (FISMA), the Gramm-Leach-Bliley Act (GLBA), and the Payment Card Industry Data Security Standard (PCI DSS)] that can help a company improve information security, while non-compliance can result in severe penalties and/or fines. It may be difficult for a company to understand which laws apply and which do not, because different sets of laws apply to different companies.


Many major companies within the United States are subject to some form of security regulation. Regulations that contain information security requirements are intended to improve the information security level of organizations within a particular industry, and many would welcome such guidance. The difficulty comes in determining which regulations apply and interpreting their requirements. The regulations are not written in a way that is easily understood by the average business person, so many times a security professional (such as the staff at Praetorian Secure, LLC) is required to understand the regulatory requirements and how best to implement them.


Information security professionals have experience implementing systems, policies, and procedures to satisfy the various requirements of the regulation(s) while also enhancing the security of your organization. Some have also obtained credentials such as the CISSP (Certified Information Systems Security Professional) that signify their understanding of security regulations.


There is an abundance of laws and bills on the books designed to protect your organization’s information. However, it is not always clear to the average business decision maker which regulations apply to their organization. This is where the information security professional can greatly assist any organization in making sense of regulatory requirements that seem to grow more complex with each revision.


Compliance is critical, and it begins by understanding which regulations are going to affect your organization, then outlining the best approach to bring you into compliance. Either way it’s up to you: regulatory compliance, or another sleepless night.


2013 Data Breach Investigation

Data Breach Investigation Results Assist Companies in Determining Cyber Threats


Verizon recently released its security research on data breaches, the Verizon 2013 Data Breach Investigations Report. The report was compiled from information collected by Verizon about breaches, along with cyber incident information from some of the world’s best government security agencies.

“Some organizations will be a target regardless of what they do, but most become a target because of what they do. If your organization is indeed a target of choice, understand as much as you can about what your opponent is likely to do and how far they are willing to go.” (2013 DBIR, p. 48)

According to the report, most breaches (91%) were carried out by outsiders and only 1% implicated business partners. Over three-quarters of network intrusions exploited weak or stolen credentials, and 52% of breaches used some form of hacking.

There are three types of threat actors: external (outsiders), internal, and partners. External threats originate outside the victim organization and its network of partners; typically no trust or privilege is implied for external entities. Internal actors come from within the victim organization: an insider who is trusted and privileged.

Partners include any third party sharing a business relationship with the victim organization; some level of trust and privilege is usually implied between business partners. In 2012, 92% of threats were external and 14% internal, while only 1% came from partners (the figures overlap because some breaches involve more than one actor type). With that said, partners are a comparatively small share of the risk.

The most common threat actions are tampering, spyware, backdoors, data exfiltration, and use of stolen credentials. Malware and hacking are the two leading categories. Malware alters the function of a system without the administrator’s permission; hacking is when someone circumvents your security controls (assuming you already have some).

Among compromised assets, desktops rank second at 25% and laptops fourth at 22%. These devices are where the most sensitive or personal data is stored, and they should be at the top of your list to secure.

When assessing a threat, the four main questions you should ask are:

  1. Whose actions affected the asset?
  2. What actions affected the asset?
  3. Which assets were affected?
  4. How was the asset affected?


Knowing the answers to these will reduce your risk of personal information being stolen or used maliciously. Praetorian Secure is a value-added reseller that performs security assessments and offers products such as malware detection software. Praetorian Secure also offers expert external network penetration testing and web application penetration testing.

See our full list of products at www.praetoriansecure.com/products

Services: www.praetoriansecure.com/services

Link to The Verizon 2013 Data Breach Investigations Report http://www.verizonenterprise.com/DBIR/2013/


Secure your Network Devices

With cyber attacks becoming more common, it is imperative that organizations take active steps towards preventing these attacks.