“A top Pentagon official has confirmed a previously classified incident that he describes as ‘the most significant breach of U.S. military computers ever,’ a 2008 episode in which a foreign intelligence agent used a flash drive to infect computers, including those used by the Central Command in overseeing combat zones in Iraq and Afghanistan.”

Brian Knowlton, in a NYTimes.com article, gives us the rundown on what happened and what this all means to the military and to the future of cyberdefense and the U.S. Cyber Command.

Deputy Secretary of Defense, William J. Lynn III, referred to the breach as “…a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” and he also describes it as “a digital beachhead, from which data could be transferred to servers under foreign control.”

The nightmare of this happening to the military is enough to keep you awake at night, and thinking of this closer to home doesn’t make sleep come that much sooner.

Think of your own office where USB flash drives, removable disk drives and cell phones are making it easier than ever for employees who need to transfer large files. It’s harder than ever for companies to monitor and protect sensitive information.

“Portable devices are far too easily lost or stolen, and while most employees have good intentions, USBs are one of the easiest ways for insiders to compromise business-critical information. IT managers need to make it easier for people in their organization to move information securely. By decreasing reliance on transferring physical media and focusing more on easy-to-use browser-based or email plug-in solutions, information will be better governed.”
Frank Kenney, VP of Global Strategy at Ipswitch File Transfer.

Last year (2009) there was a study by the Ponemon Institute of nearly 1,000 recently terminated individuals. The study revealed that 42% of them used USB memory sticks to take business data and that 38% sent documents as attachments to personal email accounts.

“Digital beachhead” is such a great way to put this, especially coming from Deputy Secretary of Defense, William J. Lynn III. The images one can conjure up of storming the “digital beach” and imagining the data security version of those first 15 minutes of “Saving Private Ryan” is truly powerful stuff and should keep us up a little later at night.

Give Knowlton’s article a read and if you’re interested in hearing more from Frank Kenney on this topic, check out his surprised reaction at a recent RSA event.

“Please do not send the Sept. and Oct. payment together in one wire transfer. Anything over $10,000 wired could draw too much attention.”
Alleged email written by Paul Shim Devine on October 5th, 2007

Is your business-critical information walking out the door?

A few months ago Ipswitch conducted a survey at an RSA Conference. The line of questioning regarding visibility into files moving out of organizations produced some shocking results:

  • 83% of IT executives surveyed have no idea what files are moving both internally and externally at their organizations.
  • 25% of IT professionals surveyed admitted that they used personal email accounts to send files that were proprietary to their own organizations, with the intent of using that information in their next job.

Both of those figures are frightening. Some companies have refused to seriously consider these numbers, so consider this tale as devine intervention (yes, that’s a play on Paul Shim Devine’s name.) This is the saga of one man getting caught with his hand in the cookie jar. It’s actually a perfect example of the reality and consequences of not knowing what files are moving in and out of your organization. It’s the story of a recent case involving Apple and Paul Shim Devine.

See Martyn Williams’ article for the full details, but here’s the 2 cent version. Back in April 2010 “Apple investigators discovered a Microsoft Entourage database of e-mails and a cache of Hotmail and Gmail messages on Devine’s Apple-supplied laptop. The company took a copy of the drive and began working through its contents,” and as for what they found Apple says “the e-mails contained details of payments, and the supply of confidential information that began in October 2006 with a Singaporean company called Jin Li Mould Manufacturing.”

This is happening. Employees are using private e-mail accounts to transfer confidential company information, but really, how often is this happening?

“Not only is it common, but it’s startling in its frequency,” said Ipswitch’s own Hugh Garber, recently quoted in a ComputerWorld article.

Garber goes on to say that it’s not always done with bad intentions and that “of course, most of that privileged information misuse is not malicious. Many of the times, it’s your hardest-working employees just trying to get the job done.”

To Hugh’s point, that’s true. I know that in other jobs that I’ve had I’ve emailed spreadsheets or Word docs home (to my Yahoo account) to work on so I wouldn’t have to schlep my laptop home.

But what about the “other” kind? How do you deal with the malicious kind?

“I received your e-mail on my Apple account. Please avoid using that e-mail as Apple IT team will randomly scan e-mails for suspicious e-mail communications for forecast, cost and new model information.”
Alleged email written by Paul Shim Devine on Sept. 16, 2008.

Ok, that’s one way. Randomly scanning emails for something suspicious. Seems like a good policy to have. Do you know where your organization is in terms of these kinds of policies?

“With hundreds of data breaches over the past five years resulting in multi-million-dollar consequences, it’s hard to believe that organizations still don’t have the right solutions in the right places to protect sensitive information,” said Frank Kenney, VP of Global Strategy at Ipswitch File Transfer. “You may be investing heavily on business applications and their inherent security requirements but if you’re not monitoring and enforcing policies with respect to the information moving both internally (between business applications and people) and externally (between you and your business partners and collaborators), the consequences are dire.”

You can check out more of what Frank has to say on this issue, and see what else Hugh has to offer.

And, with this issue in particular, we’d love to hear your thoughts. Do the numbers surprise you? What is your organization doing? Any crimes or misdemeanors you’d care to confess to?

“Of the 385 organizations hit with data breaches so far this year, 113 were in health care.”
The Identity Theft Resource Center (ITRC).

Are Dr. Howard, Dr. Fine and Dr. Howard in charge of the health care industry’s data security? You’ll most likely need 113 aspirin after reading this article on eWeek.com by Brian T. Horowitz.

In it Horowitz quotes Jay Foley, executive director of the ITRC, who says that when it comes to data breaches, “hospitals are vulnerable to insider data breaches with the multitude of doctors, nurses, lab technicians, janitors and food service personnel circulating throughout the facility.”

The article also quotes Ipswitch’s very own Frank Kenney, VP of global strategy, who confirms the ITRC’s diagnosis. Frank notes that “health care facilities are not complying with HIPAA (Health Insurance Portability and Accountability Act) and regional government regulations on data privacy.”

As usual, Frank has a way of breaking the issue down to its most honest and simplest point, and he states that “even signing your name in at the front desk in a doctor’s office for all to see is a breach of HIPAA regulations.”

It’s an interesting read that may have you reaching for the Anacin.

Shocker!  So let me get this straight…. A leader in the B2B Gateway, MFT, and Integration Provider markets gets acquired and the leading analyst firms in the universe reduce it to an apps in the Cloud story????  SMH.  Let’s peel away just one layer of the onion… Just one layer, no analysis needed on this one.

Companies with investments in Connect:Direct and/or Connect:Enterprise have to think long and hard about continuing their reliance on the NDM protocol.  We aren’t talking about just two or three companies, we are talking about thousands of financial, manufacturing, healthcare and telecom companies.  So we need some advice on this one…

read more “Peeling the Sterling Onion”

To some folks this is just a flash banner on a website, amongst the many marketing messages that you typically find on a technology provider’s dot com website.

“IBM acquires Sterling Commerce from AT&T for $1.4B”.

For many customers it means reconsidering 30-year-old technology that enables many mission-critical processes.  When something like this happens, in my past life at Gartner I would be required to write 3 paragraphs: what happened, my analysis and what should customers do.  And I had to be politically correct because all three companies were important customers to Gartner.  I could give thoughtful analysis but I had to produce multiple caveats to indemnify myself and Gartner.  (Hey, it’s a decent business model!)

read more “IBM Buys Sterling- A Glimpse From The Land Of Rounding Errors”