With the announcement last week that Google is adding file transfer to Google Talk, I had some thoughts.  

1) Are there security challenges posed by the Google Talk news?

These challenges are similar to those we’ve seen with Windows Live, AIM, ICQ, Trillian, Skype and others, which all offer peer-to-peer mechanisms. But unlike these forums, Google – and Google Chat – deserve deeper scrutiny over the ubiquity and consumerization Google brings.

For example, it’s likely that Google Talk, and thus file transfer, will now be included within Google’s free productivity suite, Google Docs – which is frequently used as a means for flexible, faster business collaboration and file exchange

read more “Let’s Talk About Google Talk”

Convicted TJX hacker Albert Gonzalez was sentenced to 20 years in prison today for leading a gang of cyberthieves who stole more than 90 million credit and debit card numbers from TJX and other retailers. The sentence for the largest computer-crime case ever prosecuted is the lengthiest ever imposed in the U.S. for hacking or identity theft.

I had some thoughts around the sentence:

  • It’s an acknowledgment that the government isn’t seeing this as an isolated/individual action; the government recognizes a true crime-organization issue on par with any other type of organized crime, without the guns and violence… yet.
  • Given some of the emerging detail around the Google/China incident and the rise in cyber terrorism, raising the bar with sentences like this may deter some future “hackers”.
  • Many of the cyber gangs don’t do it for the money; this wasn’t the case with Gonzalez. The idea of taking 15 million dollars to buy a yacht is seen as no different than if he had robbed a bank at gunpoint. What hasn’t been solved is how you catch, prosecute and make an example of the cyber gangs that aren’t in it for the money.
  • Gonzalez was given an opportunity to provide valuable information on other people, organizations and methods being used for cybercrime. He chose to be a double agent. This probably did not sit well with the judge.

What’s your take? Too long a sentence? Not long enough? Will this deter future hackers? I’d love to hear from you.

I participated on a panel discussion at SecureWorld Boston yesterday. The discussion topic was striking a balance between productivity and security and it yielded three thoughts that I would like to discuss in today’s blog.

  1. The notion that our companies are going to employ the same type of security policies that we used over the last 30 years is ludicrous. With the arrival of the digital natives into the workforce, simply assuming that your new knowledge workers can adapt to your existing security policy is a farce. How do you establish security mechanisms for information when the people who use this information and data on a daily basis have a much more radical perception of information security and risk? Most digital natives think nothing of providing personal information via the Internet because there is a firm understanding that the information already exists there. These digital natives have grown accustomed to the idea that you should check your credit report every six months and always look for fraudulent charges when the statement arrives.
     read more “Striking a balance between productivity and security”

Using free online storage and collaboration systems dramatically increases a company’s risk of a data breach. Many of these tools automatically synchronize desktop folders with folders in the cloud. Compromised credentials can give hackers easy access to all of a company’s sensitive information.

Companies need to monitor traffic over known P2P ports and over commonly used ones, like 80 and 21. It’s not just data loss prevention; it’s ensuring that policies that address “what data can be sent to whom” are enforced, regardless of port and security mechanisms.

Most of today’s threats with P2P file sharing come from applications that work in conjunction with cloud services, leaving room for hackers to create desktop onramps for their own use.

In a recent case, the FTC found the breach. The truth is, the companies breached should have found it first.

Many enterprise collaboration tools have browser-based portals set to automatically download documents from specific locations.  Simply changing the default settings away from “My Documents” can prevent employees from unknowingly downloading and installing applications that could increase a company’s risk of a breach.

Multi-enterprise collaborative implementations and deployments can be extremely difficult to benefit from because all too often the companies deploying these solutions overly emphasize the security mechanisms and protocol support. While those aspects are important, the ecosystems around companies are expanding to include smaller partners and Prosumers that need to be managed, provisioned, and have their expectations met. In short, companies will need to spend the time and effort on better managing all aspects of the interactions in their ecosystem.

The agreement between Cleo Communications and Stonebranch is a good step in this direction, but we continue to advise our customers, prospects, and the overall market to strongly consider the visibility, management, and enforcement aspects of any type of integration and collaboration. Much of this partnership seems to be based on technology around providing multiple protocol and security support. I will never underestimate or undervalue the importance of protocols and security mechanisms, but I will always focus on the larger aspects of governance: visibility, management, and consistent enforcement of policies related to security and performance. These are the things that matter. This agreement furthers my strong and publicly stated beliefs that companies are consolidating their approaches to integration and collaboration.

Simply put, there continues to be a high degree of volatility (this impacts the entire marketplace in a positive way) in the managed file transfer market.

Frank: “Hey Dad, before I go off into the world what is the one bit of advice that you would give me?”

Frank’s Dad: “If I had to give you one piece of advice it would be save all your receipts and tax returns for seven years in a file cabinet someplace in the back of your closet.”

Frank: “That’s it?! You mean nothing about women? Nothing about credit? Nothing like own at least one suit and a pair of good shoes?”

Frank’s Dad: “Nope, that’s it. Trust me, you’ll see…”

Now that I’m older I can give this advice to my son. I can also give the same advice to e-mail administrators, “save all your e-mails, someplace safe, for at least three years… preferably more.”

Now here’s the technology part:

It’s becoming more and more apparent that offloading large file attachments from e-mail, using a third-party technology integrated with e-mail servers, requires rethinking the e-mail and data archival and storage strategy.

read more “I’m not a lawyer I just play one on TV OR getting whipped by the tail of the e-mail offloading”

There was yet another security breach inside the government this week and this one involved an employee sending personal information via the Internet.

What in the world does that mean?

Open letter to the White House CIO: please better define what you mean by Internet. As I said in earlier blog posts, whenever you pull people into the middle of information technology it is unreasonable to expect that they will self-enforce 100% of the policies 100% of the time. We won’t lock our laptops all the time. We won’t choose passwords that are totally random with a combination of numbers and punctuation (my WEP password for my wireless router is based on the key 3210abcdef!). No matter how many encryption products you put on our desktop we will forget to use them, and we won’t check for SSL encryption and check the certificate on every website that we go to.

read more “Homeland alert! Beware of the Internet (but e-mailing, web browsing and file sharing are okay)”

People are inconsistent, incredibly stubborn and risk prone when it comes to information technology. Bottom line: you can’t, nor should you, depend on them to accurately establish and mitigate risk according to your corporate standards and policies.

What an incredibly geeky statement to make…

But it’s absolutely true. The future set of technologies from Ipswitch will include capabilities that better allow IT departments to have visibility, management and control of the things that people do. As the vision and strategy guide, it’s easy for me to make this statement, but trust me, our product manager and senior developers are looking at me through the crosshairs of their rifles and shotguns. That is because they understand that people dynamically assign and mitigate risk based on context that we just cannot re-create in current IT environments.

read more “Living at the Intersection of People and Technology”

Frank Kenney, VP of Global Strategy, Ipswitch

Frank Kenney, Ipswitch’s VP of Global Strategy, recently spoke in London at a press conference for InfoSecurity Europe, Europe’s leading information security event, which takes place on April 27-29, 2010.

Dan Raywood from SC Magazine UK attended this week’s press conference and his article can be seen below:

Problem with the professional consumer is leading to an information security headache
Dan Raywood, January 15, 2010

The culture of the professional consumer, or ‘prosumer’, is leading to increased problems within the workplace.

L. Frank Kenney, vice president global strategy at Ipswitch File Transfer, explained that a ‘prosumer’ is a consumer buyer who purchases an electronic device from personal funds but intends to use it primarily for business rather than consumer applications.

read more “Frank Kenney: Problem with the prosumer is leading to an information security headache”