Listrak Approach to Data Security

Customer information will constantly be in transit across the public Internet traveling between Listrak HQ, customer servers, customer PCs, consumers and other rightful users and data owners. This information is to be protected between endpoints in several ways:

Two-Factor Authentication: The Two-Factor authentication prevents phishing attempts by requiring the end user to Authenticate their browser with an authorization code sent to the email address tied to their username. The API uses an IP authentication which the client can enable on their account when they deem necessary. By default, all IPs attempting to access the API are blocked until they are granted access in the system.

Encrypted Transport: Secure Sockets Layer (SSL) protocol encrypts communications between Web servers and Web browsers for tunneling over the Internet. The Listrak web-based graphical user interface supports SSL over HTTPS for secure transport of data via a web browser.

Robust Password Policy: The Listrak application supports account passwords that are in a format which require at least 8 alpha-numeric characters, are case sensitive, and must have at least one number, one upper and one lower case character.

An initial login to the system can require the user to change his/her password.

Reset password functions require the user to know his/her old password as well as the new password.

Failed Login Account Lockout Functionality: The Listrak application enforces an account lockout process after multiple failed attempts. This is to deter brute force password attacks. The Listrak account owner is notified of failed login attempts via email including remediation procedures to unlock account.

Sensitive Data Encryption: Listrak application passwords are stored with a proprietary one way encryption algorithm so passwords cannot be extracted by support, development, or exploitation. Other sensitive information, such as Salesforce credentials, are encrypted with a proprietary two way encryption process where only authorized servers in a set environment are able to encrypt and decrypt the information. This prevents the development environment, support personnel, foreign workstations, etc. from extracting usable information.

Network Edge Security: Our Firewall clusters provide a perimeter defense to guard our networks and servers against unauthorized users. We use our firewalls to protect all areas within our network.

Request Filtering: All web requests are scanned for possible malicious content by a custom built filtering module. If the communication is suspected of containing an exploit, such as SQL Injection, cross site scripting, and so on, the request is blocked and we are notified of the incident.

Password Reset Policy: The Listrak Support Team has created a Password Reset Policy that disallows the reset or retrieval of passwords until we can positively identify the client by contacting them via the telephone number on file. If we are unable to positively identify the client, this policy prevents us from resetting or retrieving the password.

In addition, the Listrak Support Team is unable to check or verify the password on file and provides only temporary password resets, forcing the client to enter the permanent password and thereby eliminating the possibility that the permanent password can be obtained through any communication with Listrak.

Physical Security Policy and Standards

Physical Location: All physical equipment is housed in a Tier 1 collocation facility maintained by a leading National colocation provider – TierPoint, LLC. TierPoint’s headquarters are located in St. Louis, MO.

Security: Secured perimeter access, Security cameras inside and outside of the building, The facility has badge access throughout the building, with retinal scans at the primary door(s). This is all monitored 24x7x365 with alerts generated to the TierPoint NOC.

Power and UPS: Multiple redundant UPS units and diesel generators maintain clean power for the datacenter. The UPSs serving battery backup to enable a hitless cutover to generator as needed. Both of these systems are monitored 7x24x365 by the building management system.

HVAC: Multiple industrial air conditioning units provide complete redundancy for the datacenter cooling requirements. TierPoint controls and monitors the HVAC systems with the Building Management System 7x24x365.

Fire Suppression and Detection: FM 200 suppression systems protect the datacenter. This system is monitored 7x24x365 by the building management system.

Cloud Based Security Policy and Standards

Cloud Based Environments: Some Listrak services have been distributed to cloud based locations including Amazon and Verizon/EdgeCast. These locations provide geographic access closer to our end-users offering improved performance and redundancy. All data traffic between regions is encrypted over secured VPN links. Public access to the webservers at these regions is restricted to just the required ports (http and https).

Network Topology and Protection

Physical Network: Diverse Path Fiber into the facility providing dual 10 Gigabit Ethernet WAN connectivity. Our network edge routers are connected using redundant links to our upstream providers. BGP routing enables rapid fail over in the event any single connection is lost. Firewalls – Firewall services are provided by redundant active/passive firewall clusters.

Vulnerability Assessments: Listrak performs regular vulnerability assessments of their networks, network equipment and hosted servers using a variety of tools and technologies including Nessus and other industry accepted solutions.

Monitoring and Reporting

Listrak monitors each server 24x7x365. We utilize multiple monitoring solutions to provide alerts as simplistic as ping, and on up through the data stack including bandwidth, cpu, services, applications, netflow, and other advanced monitors. These applications can warn of attacks, failures, and pending problems. Together, this monitoring allows us to intercept pending outage scenarios before they occur. Alerts are sent directly to engineers via email and SMS text message to mobile phones. At least one engineer is always “on call” via rotation 24x7x365.