Vulnerability assessment software and file/folder encryption software

Hypercat (Deb)
We're getting more and more requests from clients for recommendations and implementation of two security-related systems: vulnerability assessments and file/folder encryption software. Our clients are:

1.  Law firms.
2.  Small (10 to 75 users).
3.  Networked; servers are virtualized.
4.  Windows OS (2008/2012/2016 on servers, 7/8/10 on workstations).
5.  Have perimeter firewalls suited to the size of the firm (mostly WatchGuard).

These requests for vulnerability assessments and encryption are prompted by requirements of certain clients of these firms, such as banks and insurance companies.  We're looking for tools that we can use/recommend to our clients for assessing vulnerabilities and providing encryption for files/folders.  Generally they don't require full disk encryption, as only a portion of their work product is affected by these outside requirements.  Full disk encryption, however, may be required for laptops.

We have a product for email encryption in place in some cases, but any thoughts or specific recommendations in that area would also be welcomed.
btan, Exec Consultant
Distinguished Expert 2018
Since it is mostly Windows, the FDE should really leverage BitLocker, and there is MBAM to manage it for domain machines. As for FE (file encryption), EFS is one consideration. Both suggestions use what Windows provides; they will not be worse off with those, but if some prefer another layer from a provider, Symantec File Share Encryption (formerly known as PGP NetShare) is another candidate. Generally, when moving files within the same hard drive, or even to external HDDs, the files will remain encrypted. But it is always good to know its limitations, which may apply to most FE products too.
If a file is moved out of the Symantec File Share Encrypted folder, the file will remain encrypted except in the following circumstances:

- The file is sent via FTP or other non-CIFS based protocols.
- The file is sent in an email message.
- The file is saved or copied using a different name in another folder outside of the PGP NetShare protected folder.
- Burning a Symantec File Share Encrypted file to CD\DVD or other optical media.
- When copying File Share Encrypted files to Microsoft EFS-encrypted shares (this scenario is unsupported; EFS encryption should not be used with File Share Encryption).
- When copying File Share Encrypted files from an RDP session to a local machine via direct copy\paste. This method requires copying a file, then minimizing the RDP session, and then pasting to the local machine's system, such as the Desktop, and not through the NTFS shares.
A much more "far-fetched" candidate can be Microsoft Rights Management Services (RMS), as it can enhance the restriction not just by encryption but by going into access control and the actions that can be done at the document level: with rights management in place, the document stays encrypted throughout, even if it leaks out to external parties. One good thing is that there is RMS in Information Rights Management for Exchange, and the email message will be S/MIME encrypted. The challenge is to set up the PKI infrastructure, have your CA, etc.
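The two Windows-native pieces recommended above (BitLocker on the OS drive, EFS on the folder holding regulated work product), as an added example that is not part of btan's answer or of Microsoft's documentation. It assumes an OS volume of C:, a work-product folder at D:\ClientWork, a TPM, and a domain-joined machine whose AD DS carries the BitLocker recovery schema; all of those are placeholders, not details from the thread. Without -Enforce it only audits and reports.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread or from Microsoft: BitLocker on the
# OS volume plus EFS on one designated client-work folder, followed by an
# audit of that folder. Assumptions (not stated in the thread): OS volume C:,
# work folder D:\ClientWork, a TPM is present, the machine is domain-joined
# and AD DS carries the BitLocker recovery schema.
param(
    [string]$OsVolume   = 'C:',            # assumption: OS drive letter
    [string]$WorkFolder = 'D:\ClientWork', # assumption: folder holding regulated work product
    [switch]$Enforce                       # without -Enforce the script only audits
)

function Enable-OsDriveBitLocker {
    param([string]$MountPoint)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') {
        Write-Host "BitLocker already on for $MountPoint ($($vol.EncryptionMethod))"
        return
    }
    # Add and escrow a recovery password before encrypting, so a TPM clear or
    # firmware update can never strand the volume.
    $null = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp = (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId
    # TPM releases the key at boot; XTS-AES-256 on used space only.
    Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 `
        -UsedSpaceOnly -SkipHardwareTest
}

function Protect-WorkFolderWithEfs {
    param([string]$Folder)
    if (-not (Test-Path $Folder)) { $null = New-Item -ItemType Directory -Path $Folder }
    # Mark the folder so new files inherit EFS, then encrypt what is already there.
    # Files are encrypted to the current user's EFS certificate; a domain data
    # recovery agent should be in place before this runs.
    & cipher.exe /e /s:$Folder | Out-Null
    Get-ChildItem -Path $Folder -File -Recurse -Force | ForEach-Object { $_.Encrypt() }
}

function Get-UnencryptedFile {
    param([string]$Folder)
    # FileAttributes.Encrypted is set by NTFS for EFS-protected files.
    Get-ChildItem -Path $Folder -File -Recurse -Force |
        Where-Object { -not ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) }
}

if ($Enforce) {
    Enable-OsDriveBitLocker -MountPoint $OsVolume
    Protect-WorkFolderWithEfs -Folder $WorkFolder
}

$blv = Get-BitLockerVolume -MountPoint $OsVolume
$unencrypted = @(Get-UnencryptedFile -Folder $WorkFolder)
[pscustomobject]@{
    OsVolume             = $OsVolume
    BitLockerProtection  = $blv.ProtectionStatus
    BitLockerMethod      = $blv.EncryptionMethod
    RecoveryPasswordSet  = [bool]($blv.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')
    WorkFolder           = $WorkFolder
    UnencryptedFileCount = $unencrypted.Count
} | Format-List
$unencrypted | Select-Object FullName
```

The audit half is the part worth scheduling: it is the evidence a firm can hand to the bank. The same caveats btan lists for File Share Encryption apply to EFS in slightly different form, and the script cannot see them: an EFS file copied to a FAT-formatted USB stick or attached to an e-mail leaves the NTFS volume as plaintext, and a user whose EFS certificate is lost without a data recovery agent loses the files, so set the domain DRA and back up user certificates before encrypting anything.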
Distinguished Expert 2018

Hypercat, you need to describe the scenario(s) that you are protecting against. Until you do so, it will not be answerable.
Distinguished Expert 2018
For vulnerability assessment, I'd recommend getting a product that you can load on a laptop and simply carry with you. Something like Retina would make sense (I pick Retina because I know they have a licensing that allows for a consultant who carries the machine site to site). Obviously, you do have other products like Nessus. Several others may make sense as well, and I am sure those products will get suggested. Note that this is on the topic of INTERNAL vulnerability assessments, not external. As for external, you could either partner with someone or try to put together your own set of tools (partnering might make more sense).

For full disk encryption, you could go with Bitlocker, or the encryption product of whatever endpoint protection product the client is using (e.g. Symantec or McAfee).
Distinguished Expert 2018

H'cat, are you on vacation?
@McK - only in my own mind....  I'm not sure what kind of scenario description you're looking for. Broadly, the overall business scenario is a law firm that has a specialty or does a fair amount of business in the real estate and insurance markets. The firm's client is typically a large bank or insurance company.  These clients are increasingly asking the firm to provide evidence of certain types of security practices.  From my experience with the bank/insurance company requirements, they each have specific requirements and these may differ from one to the other.  Generally, they ask for file encryption and email encryption, sometimes full encryption for mobile devices. They ask about perimeter firewalls but don't go into a lot of specifics; they seem to be satisfied if you say "yes, we have one." So far, their concerns seem to be mostly that only authorized users should be able to access the privileged client information that resides on the firm's internal systems, and that when this information is transmitted by firm personnel to them or someone else as required by the nature of the transactions between the client and the firm and a third party, the information is encrypted in transit.

Even though the clients don't necessarily require testing of the firewall, I feel that for my business and my client's protection, we should be able to test and provide proof that external access is properly firewalled, what ports are open and why, etc. I know there are some external sites that provide basic testing of firewalls and open ports, and maybe that's sufficient.

My company's role would be two-fold: first to provide the tools for them to control access and provide encryption; and second to test the tools and controls to make sure they're working properly so that the firm can certify to the client that they have the appropriate practices in place.
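The external check Hypercat describes (proof of what is reachable through the firewall, and why), which the earlier answer suggested partnering for, as an added example that is not part of either post. It is a plain TCP connect probe of a short port list against an allow-list with justifications; the target address 203.0.113.10 and the two allow-listed services are placeholders, not details from the thread. Run it from a host outside the firm's perimeter and only with the firm's written authorization.

```powershell
# Added example, not code from the thread: a connect-scan of the firm's public
# address against an allow-list that records which ports are supposed to be
# reachable from the Internet and why. Assumptions (not stated in the thread):
# 203.0.113.10 and the two allow-listed services are placeholders. Run it from
# outside the firm's perimeter, with the firm's written authorization.
param(
    [string]$Target = '203.0.113.10',   # assumption: the firm's public IP or hostname
    [int]$TimeoutMs = 1500
)

# Expected exposure, each with the justification an auditor will ask for.
$Expected = @{
    25  = 'Inbound SMTP to the mail gateway'        # assumption
    443 = 'HTTPS to the WatchGuard SSL VPN portal'  # assumption
}

# Ports that commonly leak through small-office firewalls; nothing outside
# $Expected should answer.
$Probe = @(21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 389, 443, 445, 465,
           587, 993, 995, 1433, 1723, 3306, 3389, 5900, 8080, 8443)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($HostName, $Port, $null, $null)
        # No SYN/ACK within the timeout: filtered (dropped) or host down.
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)   # throws on RST (closed)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-ExposureReport {
    param([string]$Target, [int[]]$Ports, [hashtable]$Expected, [int]$TimeoutMs)
    foreach ($p in $Ports) {
        $open = Test-TcpPort -HostName $Target -Port $p -TimeoutMs $TimeoutMs
        $verdict = if ($open -and $Expected.ContainsKey($p)) { 'OK: expected service' }
                   elseif ($open)                             { 'FINDING: unexpected open port' }
                   elseif ($Expected.ContainsKey($p))         { 'WARN: expected service unreachable' }
                   else                                        { 'closed or filtered' }
        [pscustomobject]@{
            Port          = $p
            Open          = $open
            Justification = $Expected[$p]
            Verdict       = $verdict
        }
    }
}

$report   = Get-ExposureReport -Target $Target -Ports $Probe -Expected $Expected -TimeoutMs $TimeoutMs
$report | Format-Table -AutoSize
$findings = @($report | Where-Object Verdict -like 'FINDING*')
"Unexpected open ports on ${Target}: $($findings.Count)"
```

This is an evidence record, not an assessment: a connect probe over two dozen TCP ports says nothing about the other 65,000 or about UDP, and "closed or filtered" deliberately does not distinguish a RST from a silent drop. For the real external test, use a full scanner (Nessus or an external partner, as suggested above) and keep this script for the recurring "what is open and why" certification. Also warn the firm first: WatchGuard's default packet handling can auto-block a source address it classifies as a port-space probe, so the consultant's IP may need to be exempted for the duration of the test.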
Distinguished Expert 2018
I suggest splitting this into at least 3 questions and describing each scenario you would like to see protected.
From your last comment, I cannot grab anything I can comment on, although I feel fit in mail encryption, endpoint encryption and most things security.


I had to abandon this project for the time being. Thanks to all for your advice and suggestions.
