Word has quickly spread that a serious weakness has been discovered in the Secure Sockets Layer (SSL) protocol that allows attackers to silently decrypt data that’s passing between a web server and an end-user browser.
All reports indicate that this vulnerability affects the SSL protocol itself and is not specific to any operating system, browser or software/hardware product. This is an information disclosure vulnerability that allows the decryption of encrypted SSL 3.0 and TLS 1.0 traffic. It primarily impacts HTTPS web traffic, since the browser is the primary attack method.
SSL and TLS are two of the industry standard technologies that Ipswitch File Transfer solutions use to encrypt data while in-transit. Additional technologies such as AES transport encryption, PGP file encryption, and the encrypted FTPS and SFTP protocols are also used to secure data. As always, we recommend a defense-in-depth approach for protecting sensitive data.
At this point the vulnerability is not considered a high risk. Ipswitch is closely monitoring the situation closely and will implement recommendations and provide updates if this turns into a serious threat. We agree with Microsoft’s recommendation to prioritize the RC4 cipher suite and to enable TLS 1.1 in client and server. And given the choice, use the unaffected FTPS and SFTP protocols (and not HTTPS) until this vulnerability investigation is complete. Microsoft has also issued a fix fix that enables support for TLS 1.1 in Internet Explorer on Windows 7 and Windows 2008.
As George Hulme recently wrote, the vision of Senator Richard Blumenthal’s data breach legislation is simple enough: Protect individuals’ personally identifiable information from data theft, and penalize firms that don’t adequately secure their customers’ information.
Clearly, there’s a need for organizations to better secure confidential and private customer information. It seems that a week rarely passes without a new high-profile data breach in the news. In fact, 2011 is trending to be the worst-ever year for data breaches. And that is despite many U.S. states introducing legislation that expands the scope of state laws, sets stricter requirements related to notification of data breaches involving personal information, and increases penalties for those responsible for breaches.
The need to protect customer data is unanimously shared by honest people worldwide…. The issue is HOW to effectively govern and enforce the various data protection requirements and laws?
I agree with Senator Blumenthal’s concept of establishing “appropriate minimum security plans”…. But color me skeptical on the government’s ability to appropriately monitor and enforce those plans, especially after witnessing the mighty struggles at effectively governing the dozens of state laws already on the books.
My skepticism is shared by many, including Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation: “The devil is in the details with these laws. We’ve had regulations, from Gramm-Leach-Bliley to HIPAA, that purport to help protect consumer data. Companies are already victims in these attacks, so why are we penalizing them after a breach? I think that’s because it’s easier to issue fines than it is to track down the criminals and go after them.”
In my opinion, business leaders need to prioritize their own internal efforts to properly protect sensitive information rather than wait on the government to catch up. First order of business is to identify where confidential files and data live in your organization and ensure visibility of that info (after all, how can you protect what you don’t know about?). Fortunately, there are technology solutions available to help organizations better manage and govern their critical files and data as they are being moved and consumed both internally and with business partners and across people, systems and various business applications.
Here’s a great article by Brian O’Connell of CPA Site Solutions on how to deal with email security difficulties. The context of the article is from the perspective of the accounting industry, but I’d say it’s an extremely universal topic that actually impacts almost every kind of company today.
The premise of the article is that email is generally accepted as a dependable way to communicate and share files…. And then he points out that in reality, email isn’t very safe. Sound familiar? – And for you encrypted email lovers out there (you know who you are), I’d like to quickly mention that while encryption can make it harder to open an email or attachment, it does nothing to prevent it from being intercepted.
Brian draws a very important difference between “security” and “privacy” that I want to highlight.
“Privacy is the shield that protects a person’s identity while actively sharing information via the web.
Where privacy is about keeping the door locked, security is about the lock itself.
Security is the actual online authentication and authorization protocols that networks use to protect information and the audit system used to verify the overall system’s effectiveness.”
While I agree that the distinction is important, I’d also like to point out that an organization must protect both the security and privacy of confidential information in order to comply with the growing number of data protection laws and compliance mandates. I wouldn’t worry too much about the distinctions, but instead focus on the need to have visibility and governance over all files, data and information that are being shared both within your company and also externally with business partners and customers.
Email is the world’s collaborative tool and is the electronic ‘sending’ system of choice between people, both within and across organizations.
While the capabilities of transferring files via email hasn’t improved much in the past 10 years, the size and sensitivity of files has multiplied ten-fold.
Email usage is ungoverned at most organizations, meaning that employees can attach any file they have access to and send it to anyone in the world. For CIOs, it’s about more than just security – it’s also about visibility. If you can’t see the files flowing within and from your organization, you can’t protect them.
And how about employees, who are bound and determined to quickly transfer needed information (which may be confidential) with customers, co-workers and partners? For the majority of workers, not sending that file for security’s and visibility’s sake is not an option. Employees will choose ‘productivity’ over ‘security’ if they are given the choice.
Please do take some time to identify and evaluate the tools your employees use to share information with other people and ask yourself if it’s being done in a visible, secure and well managed way. You’ll likely want to rethink how people are really sharing information at your organization.
Ipswitch has been cautioning companies about the dangers of private/confidential information being sent through Google (and other hosted and person-to-person services), both from a security and a responsibility perspective.
Last week’s GMail hack further drives home the point that organizations must proactively manage and have visibility into what information is being shared with service providers and how information is being sent between people.
Don’t let your guard down and simply treat the cloud as just another internal resource…. They need to be properly managed and governed just like any other third-party.
Ipswitch’s Frank Kenney recently concluded a 4-part webcast series on integration. It’s not too late to watch a replay of it. In parts 3 and 4, Frank talks through the issue of relying on cloud providers and provides tips for managing and governing cloud and person-to-person interactions.
Google revealed yesterday a targeted phishing attack from China against hundreds of GMail users, including government officials and military personnel. The FBI, Department of Homeland Security, and the White House National Security Council are all participating in an investigation of the cyber attack.
My hope is that this breach will serve as the wake up call that public and private businesses need to start enforcing policies around personal email. According to an Ipswitch survey at the InfoSec Europe conference, employee use of personal email is still a major problem. Nearly 70% of respondents send classified information (including payroll and customer info) via standard email every month… And 40% admitted to sending confidential information through personal email accounts specifically to eliminate the trail of what was being sent to whom.
Have you provided your employees with a simple tool to send large and confidential files? Do you have visibility into what is being sent and to whom?? Do you have a documented AND enforced policy around using personal webmail accounts from work computers???
Employees have proven over and over that they will ‘do what they need to do’ in order to be productive. It’s critical that organizations provide simple, safe and auditable tools that enable employees to collaborate and share files. It’s equally important that they govern employee activities to mitigate data risk by increasing visibility, control, compliance and security.
Ipswitch’s Frank Kenney shares his perspective on breach responsibility and security with Information Week:
“Google has asked for U.S. government support against censorship, but the government’s response has been to ask companies to take responsibility. If Google does have an ulterior motive, it’s likely to be to pressure the U.S. government to take a more active role in defending U.S. companies in markets like China that present obstacles to fair competition.
Google is urging Gmail users to review their account settings to make sure they’re secure, but Kenney suggested Google could do more to alert users when their accounts are accessed from an unfamiliar IP address or when their accounts have been configured to forward messages.”
Last week I ranted a bit about the importance of governing your cloud vendors. At about the same time, Ipswitch’s Frank Kenney participated in a panel discussion on cloud security at the Interop conference in Las Vegas.
As you know, there is great debate over whether cloud services are secure enough for businesses to use. I believe that the cloud model will quickly evolve and prove itself to a point where security is deemed no riskier than doing business with solely on-premises tools.
I also believe that member-driven organizations such as the Cloud Security Alliance – which focus on providing security assurance within Cloud Computing – will help us get there.
At the Interop discussion, Frank Kenney spoke about the safety of the cloud, here’s what he had to say:
“Cloud customers have the obligation to assess the risk of allowing data to be stored in a cloud based on how valuable it is to the customers…. The cloud is as secure as you want it to be.
Cloud services can provide value if performance and service-level agreements align with what customers need. If not, customers shouldn’t buy them. It’s not ‘the sky is falling’. Assign risks appropriately. Security is just one of many things you have to do.”
Many thanks to the Verizon RISK Team (along with the U.S. Secret Service and the Dutch High Tech Crime Unit) for publishing their 7th annual analysis of data breaches. Compromised data continues to plague organizations worldwide, and studies like the 2011 Data Breach Investigations Report can help us all avoid becoming a victim – both as individuals and also as corporate citizens.
Here are a few noteworthy data points:
- Nearly 800 data breaches were reported in 2010, a sharp increase from the 900 breaches reported in the previous six years combined
- 4 million records were compromised in 2010 which is significantly less than the 144 million compromised in 2009
- Many breaches involved sending data externally – Take this as a warning to pay more attention to information leaving your organization
- 89% of companies suffering credit card breaches were not PCI compliant at the time of the breach, indicating that organizations with rigorous compliance efforts are less likely to be breached
- Only 17% of breaches implicated insiders (down from 31% last year) and 29% had a physical component
A key takeaway is that while the quantity of data breaches quintupled in 2010, the number of compromised records actually dropped. This data is consistent with the growing belief that attackers are increasingly targeting smaller companies (which tend to have less focus and expertise on IT security) simply because they are easier to exploit.
As the Verizon team points out, in the world of cyber crime, knowledge is power. Not only do companies require visibility into the files and data that are being transferred around an in/out of their organization, but they also need the management and enforcement capabilities to control, govern, and protect the growing number of mission-critical and confidential files that are being accessed every day by internal and external systems, applications and people.
I, like many others, have received security notifications about the Epsilon data breach. In the last 48-hours I have been sent email warnings from 8 companies that I trusted with my personal information – Banks, retailers and hotels.
These companies entrusted my private contact information to Epsilon, a 3rd party e-mail marketing company…. And that information has now been compromised by hackers. Awesome.
Details of this massive breach are still rolling in, but so far the list of affected companies is known to include: Ameriprice Financial; Best Buy; Brookstone; Capital One; Citibank; Disney Destinations; Hilton; Home Shopping Network; JPMorgan Chase; Kroger; LL Bean Visa Card; Marriott; QVC; Robert Half; Red Roof Inn; Ritz-Carlton; Target; The College Board; TiVo; US Bank; Walgreens; 1-800-FLOWERS. And there are likely many more that we haven’t heard about yet.
The Epsilon e-mail breach is a warning about the data security standards employed by third-party service providers, as well as a not-so-subtle reminder to organizations to require strong contractual obligations related to security practices with every business partner and third-party provider you do business with. As we learned with Epsilon, the privacy – and trust – of your customers may depend on it.
Lastly, be on the lookout for scam emails in your inbox. The Epsilon breach is an example of how hackers can now match your name and email address to companies that you interact with. So get ready for the onslaught of emails trying to trick you into handing over your online usernames and passwords. I suggest not clicking links embedded in emails, instead always go to the company website directly and logon from their safe homepage. Check out this informative article on The Last Watchdog for more on spear phishing risks as well as some commentary by Ipswitch’s Frank Kenny on data breaches and customer notifications.
Did you know that the average cost of a data breach is $7.2 million dollars?
Or that the cost of each compromised record is $214, an increase of 7% over last year?
A data breach resulting in the loss or theft of protected personal data will have serious financial consequences on an organization – the least expensive breach reported in 2010 was $780,000 (and the most expensive one was over $35 million). You can read more about the cost of data breaches in the Ponemon Institute’s 2010 U.S. Cost of Data Breach survey results.
Here are a few other key takeaways:
- For the 5th year in a row, data breach costs have continued to rise
- Lost business accounts for over 60% of data breach costs, the remaining amount is data breach detection, escalation, notification and response
- Escalating data security threats and compliance pressures are driving rapid responses to data breaches, resulting in higher costs
- Criminals now account for 31% of data breaches and they are significantly more expensive to contain and fix
- Negligence remains the most common threat, and an increasingly expensive one
What is your organization doing to ensure the privacy and confidentially of your information, including when it’s sitting on your servers, being shared between systems and business partners, and shared between people? And don’t spend all your time combating criminal threats…. Negligence now accounts for 41% of data breaches, you must safeguard against negligence too.
Go ahead, estimate the data breach risk to YOUR organization. First, ballpark how many pieces of sensitive files and data are floating around your company today…. Then multiply that number by $214. I’m sure you’ll agree that the ROI on the time, technology and resources spent to protect company data are well worth the investment and risk avoidance effort.
We’ve got some fresh stats and trends to share from data that we collected at the recent RSA Security Conference. Many thanks to the “statistically significant” number of people that took the time to fill out our survey questionnaire.
Our survey results highlight some major security and compliance concerns for businesses – information security, visibility and policy enforcement remain a major problem in 2011. Here are a few key data points:
- 65% have no visibility into files and data leaving their organization
- >80% use easily lost or stolen portable devices like USB drives and smartphones to move and backup confidential work files
- >75% send classified documents as email attachments – including payroll, customer data and financial information
- >25% percent have purposely used a personal email account (like yahoo or hotmail or gmail) instead of their work accounts as a way to hide their file transfer activity
- 55 percent said their companies provide – but do not enforce – policies and tools around sharing sensitive information
The fact that so many companies admittedly lack visibility into the files and documents that are moving around and leaving their organization is pretty scary. How can an organization protect information that they don’t know even exists? Clearly, increased focus is needed to first identifying sensitive data and then protecting it – These critical information security components should be carefully baked into an organizations security, governance and compliance initiatives.
Lastly, I’d like to vent on the last data point for a minute. Policy creation simply isn’t enough…. the enforcement of that policy is the critical step. Writing down a policy but not enforcing it is just as risky as not having documented the policy in the first place. Creating the policy is a good start, but please please please don’t stop there.