Requirements for IT systems processing personal data

We have just over two weeks until the new regulations on the protection of personal data enter into force. Adopted by the European Parliament in April 2016, the General Data Protection Regulation (GDPR) will apply from May 25, 2018.
Lawyers actively support their clients in adapting formal documentation to the new regulations. However, preparing appropriate templates of information clauses, consent requests for the processing of personal data, and contracts for entrusting or sharing data is not everything. Alongside these formal and legal activities, the technical infrastructure must be adapted to the new realities. And here a question often arises that lawyers are unable to answer: "what requirements must the IT infrastructure meet to be considered compliant with the provisions of the GDPR?" The difficulty stems from the fact that, unlike the "old" Act on Personal Data Protection, the new regulations do not specify concrete technical requirements. The entire Regulation contains only general conditions relating to the security of the infrastructure. So how do you adapt to them? We will try to help you find the answer to this question.

So what are these general requirements? Article 32 of the GDPR, which requires the controller to implement appropriate technical measures to ensure a level of security appropriate to the risk, is the most relevant to this topic. It draws attention, inter alia, to measures such as:

  • Personal data encryption
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • The ability to quickly restore the availability and access to personal data in the event of a physical or technical incident
  • Regularly testing, measuring and evaluating the effectiveness of technical measures to ensure the security of processing

Continue ...

GDPR, the right to be forgotten and backup systems

As you probably already know, on May 25, 2018 new provisions on the protection of personal data enter into force - the so-called GDPR. One of the novelties defined in the regulation is the right of the persons whose data we process to "be forgotten". It is defined in Article 17 of the GDPR, the content of which is as follows:

Art. 17

Right to erasure ("right to be forgotten")
1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and there is no other legal ground for the processing;
c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
d) the personal data have been unlawfully processed;
e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

However, the client's request, which seems easy to fulfill, raises some doubts. Backup system administrators point out that deleting a single personal data record from an archival copy, which is stored on an external medium, sometimes at an external location, and Continue ...

Palo Alto update - how and why it is worth doing

Systems implemented to protect IT infrastructure, like any other, may be vulnerable to various types of threats. There are many known cases of vulnerabilities in, for example, anti-virus software. We can cite here the recent critical remote code execution (RCE) vulnerabilities in the Windows Defender service. In 2017 alone, 6 such vulnerabilities were identified, rated 9.3 on the 10-point CVSS scale.

The same is the case with devices such as firewalls, UTMs and next-generation firewalls. Among the more notorious mishaps, we can cite a hole in the Cisco ASA IPsec service (versions 7.2-9.5): a buffer overflow vulnerability rated 10 on the CVSS scale that could lead to remote code execution.

The end of last year brought, in turn, an equally critical flaw in Palo Alto Networks products. PAN-OS versions 6.1.18, 7.0.18, 7.1.13, 8.0.5 and earlier turned out to be vulnerable to unauthenticated remote code execution as root. Two other critical vulnerabilities in PAN-OS were also identified in 2017.

Considering the above, it is worth ensuring that your security systems are updated regularly. Below we present a tutorial on how to configure updates of Palo Alto Networks PAN-OS.

UpGreat is a partner of the 2nd IT SECURITY FORUM IN ADMINISTRATION

On October 11-13, 2017, the 2nd IT Security Forum in Administration takes place at the Primavera Conference & Spa hotel in Jastrzębia Góra. It is a nationwide conference addressed to people responsible for cybersecurity in the public sector.

The topics of the Forum include both organizational and technical issues related to protection against external and internal threats. During the meeting, topics such as the following will be discussed:

  • obligations of public entities towards the President of the Data Protection Office under the new Data Protection Act,
  • preparation of data protection documentation in accordance with the requirements of the GDPR,
  • IT systems vulnerability testing,
  • civil liability of administrators under the GDPR,
  • risk analysis as the basis for the implementation of data protection: methods, scope, practice.

At its stand as part of the Forum, our company will present:

  • implementation of network protection solutions based on PaloAlto firewalls and user station protection system using TRAPS software,
  • security and GDPR compliance audits,
  • NetApp arrays as an efficient platform supporting applications and guaranteeing data availability,
  • our proprietary "Plug-In backup" solution built on the basis of Veeam products (data protection in 5 minutes, monthly billing according to the number of virtual machines).

Our participation in the Forum will be complemented by 2 webinars organized after the end of the event:

Report on the participation of UpGreat in the VI Wielkopolski Convention of Informatics - September 21-22, 2017, Hotel 500, Tarnowo Podgórne

A dozen or so days ago, the VI Wielkopolski Convention of IT Specialists and the XXX Local Government IT Club came to an end. Our company once again took part in this event as a Partner and exhibitor.

UpGreat at WKI 2017

At the UpGreat stand, we presented our IT security services:

  • implementation of network protection solutions based on PaloAlto firewalls and user station protection system using TRAPS software,
  • security and GDPR compliance audits,
  • NetApp arrays as an efficient platform supporting applications and guaranteeing data availability,
  • our proprietary "Plug-In backup" solution built on the basis of Veeam products (data protection in 5 minutes, monthly billing according to the number of virtual machines).

The presentations and information materials shown during the seminar can be downloaded from our website:

Additional downloads:

We would like to thank all the people who visited our stand and listened to our presentations. Of course, feel free to contact us!

Report from the technology seminar "Tasty morsels in the HPE menu" of September 19, 2017

We are after the technological meeting "Tasty morsels in the HPE menu", which took place on September 19, 2017 at the Concordia Design conference center in Poznań. During the meeting, some interesting HPE technologies were discussed:

  • HPE VM Explorer and HPE StoreOnce - an alternative to expensive backup solutions. HPE VM Explorer is inexpensive software for data protection in virtual environments (the list price of the Professional version for 4 processors with annual support is PLN 3,417.00 net). According to Gartner, HPE StoreOnce is a leader in deduplication solutions alongside EMC DataDomain. HPE StoreOnce is a virtual or hardware appliance with a capacity from 5.5 TB to 1.7 PB; the nominal deduplication ratio is 20:1.
  • HPE StoreVirtual 3200 - enables the construction of a multisite stretched cluster (network RAID). The HPE StoreVirtual 3200 array can be used on its own as mass storage or as a network RAID in a configuration stretched across two nodes.
  • HPE Synergy 12000 - a new platform for blade servers enabling the construction of composable platforms for applications. The HPE Synergy 12000 is the successor to the blade computers (c7000 chassis).
  • HPE Moonshot - a system enabling the construction of solutions with a large number of servers: high density, many hardware platforms and a very low expansion cost. Possible applications of HPE Moonshot are HDI (hosted desktop infrastructure), virtualization, Hadoop solutions, and efficient image and sound processing. HPE Moonshot will be perfect for a university or a development environment.
  • HPE Apollo - a very efficient server solution ensuring high density of server modules and mass storage at the same time. With HPE Apollo, we can build efficient clusters for a variety of applications, e.g. design, simulations, financial risk modeling or scientific modeling.
  • HPE 3PAR - we discussed the new version of 3PAR OS 3.3.1 and favorable changes in the licensing of individual functionalities. HPE 3PAR StoreServ is a family of mass storage products dedicated to large enterprises. HPE 3PAR StoreServ enables the construction of efficient multi-node storage solutions ensuring redundancy and load balancing.

Our audience.

Below are the presentations and materials from the seminar:

Additional information:

We would like to thank everyone present for their time and invite you to contact our Sales Department!

Technology seminar "Tasty morsels in the HPE menu"

The HPE offer includes several new products and opportunities that we decided to present to you at a technology meeting that we organize together with HPE Polska.

Below we present our subjective choice:

  • An alternative backup solution at a very good price: HPE VM Explorer + deduplication from HPE StoreOnce (an alternative to Veeam).
  • An inexpensive multisite stretched cluster (network RAID) using the HPE StoreVirtual 3200 array.
  • The successor of blade servers - HPE Synergy 12000 (especially interesting for owners of blade computers, lots of news).
  • Cosmic possibilities with HPE Moonshot and HPE Apollo servers (highly scalable, high-density modular computers).
  • News in the HPE 3PAR world - additional functionalities, favorable licensing changes.

Our free seminar will be held on Tuesday, September 19 at the Concordia Design conference center in Poznań at 3 Zwierzyniecka Street. Apart from interesting topics and gifts that we will distribute among the participants of the meeting, the proximity of the newly opened "Bałtyk" Business Center will be an additional attraction :o)

Information on the meeting agenda can be found here. Please register using the form on our website.

Summary of the "Workshop - security of information systems".

In early July we finished a series of workshops introducing our clients to IT security issues. There were four meetings devoted to the following topics:

  • Penetration tests (reconnaissance, scanning, enumeration, Metasploit, password cracking, Wi-Fi analysis),
  • Social engineering tests (backdoors, delivering malware, evading detection by antivirus software),
  • Web application tests (password cracking, SQL injection, Burp Suite scanning),
  • Risk analysis and protection of personal data in the context of GDPR.

In total, about 40 people visited us during the workshops. More people were interested, but due to the capacity of our conference room, we could not register all of them.

Our experience gained so far during security audits and system tests shows that the security solutions used in enterprises do not keep pace with rapidly changing threats, and that one of the most effective and, at the same time, most neglected security measures for IT systems is training and a continuous process of improving employee competences. It should be noted that training should be periodic and oriented towards updating knowledge in line with emerging threats.

I am pleased to inform you that our autumn security workshop proposals are very interesting. You will of course be informed about the dates. The topics include new-generation firewalls operating at the application layer, protection of workstations using behavioral analysis, backup as a service, and outsourcing of security-related services.

Using the links below, you can read the materials from our workshops:

We would like to thank all participants for their time and feel free to contact us.

Workshop "EMC Avamar - backup solution for workstations and servers as an additional protection against ransomware attacks".

In recent days, some companies have experienced the WannaCry ransomware attack. More than 200,000 computers in over 100 countries have been infected. Antivirus protection and user training are not always effective against this type of software. For this reason, an efficient backup management solution is an effective supplement to data protection methods.

We invite you to a workshop on EMC Avamar - the best workstation and server backup solution on the market, which will take place on June 8 this year at our company's headquarters in Poznań at 22 Ostrobramska Street.

The distinctive features of EMC Avamar are:
- backup of physical and virtual environments,
- backup of servers, workstations and databases (MS SQL, Oracle, DB2),
- the best data deduplication ratio on the market (many times better than in the case of Veeam Backup & Replication),
- efficient source-side deduplication,
- efficient operation over a wide area network - effective use of the available bandwidth,
- data recovery also available to end users,
- restoration of single files and whole machines (including "bare metal"),
- intuitive user interface,
- very favorable licensing.

EMC Avamar is available as a complete hardware appliance containing the necessary disk resources and as a virtual appliance. EMC Avamar can be complemented by EMC DataDomain - an efficient, hardware data deduplicator.

During our workshop, we will discuss in detail the technical aspects of how EMC Avamar works and show the solution in action. After the workshop, you will have the option of borrowing the device and testing it in your own environment.

The workshop is free of charge.

To register your participation in the meeting, please use form on our website.

We cordially invite you - see you there!

Workshops - security of information systems

Ladies and gentlemen,

IT system security issues are of interest not only to institutions such as banks, energy companies and government administration. The problem affects all companies, regardless of their size, on a daily basis, including many of our clients. According to the report "Business protection in digital transformation, or 4 steps to a safer company" recently published by PwC Polska, as many as 96% of companies experienced over 50 security incidents in the last year. Due to the growing integration of production systems with IT systems, the threats also affect the continuity of production.

In our experience, the most commonly realized manifestation of cybercriminal activity among our clients is the effect of ransomware deployed to extort a ransom. We wrote about the spectacular ransom amounts in an article on our blog. In this context, it is also worth considering attacks on production systems (OT) such as production lines, industrial automation, and warehouses. Here too, cybercriminal interest can be expected - they can count on a large ransom for calling off an attack, since in some companies known to us the costs of stopping and restarting production run into millions of zlotys.

In order to meet the expectations of our clients and to make them aware of the scale of the threats, we decided to organize a series of 4 workshops during which we will show how, and how easily, our IT and OT systems can be compromised. Below you will find the dates and agendas of the individual meetings. The meetings will be held at our company's headquarters in Poznań at 22 Ostrobramska Street. Each workshop lasts 4 hours, and participation is free of charge.

For meetings 1, 2 and 3, please bring a computer with a virtual machine running the Kali Linux distribution; the installation image can be downloaded via this link.

Workshop 1 - Introduction to Penetration Testing - April 25, 2017

Topics:
- information reconnaissance,
- scanning and enumeration,
- brute-force and dictionary attacks on passwords,
- attacks on WLAN networks.

To register for the workshop on April 25, 2017, please use the registration form.

Workshop 2 - Penetration Testing and Social Engineering - May 16, 2017

Topics:
- Metasploit,
- Social-Engineer Toolkit,
- generating backdoors,
- C&C servers.

To register for the workshop on May 16, 2017, please use the registration form.

Workshop 3 - Web Application Penetration Testing - May 30, 2017

Topics:
- structure of web applications (languages, frameworks, web servers),
- introduction to SQL,
- vulnerability scanning,
- SQL injection and XSS (cross-site scripting) attacks.

To register for the workshop on May 30, 2017, please use the registration form.

Workshop 4 - General Data Protection Regulation (May 4, 2016, Official Journal of the European Union) - moved to July 4, 2017

Topics:
- uniform rules throughout the European Union,
- new obligations of the Data Protection Officer,
- risk analysis - methodologies and examples,
- severe penalties.

To register for the workshop on June 20, 2017, please use the registration form.

We look forward to seeing you!