Information security isn’t what it used to be — firewalls, although necessary, are not enough to prevent a data breach. The problem for IT is that the old methods of keeping data secure are not enough to stop intruders who, for instance, use sophisticated phishing attacks on unaware employees.

Ashok Sankar, director of cybersecurity at Raytheon-Websense, said in Computer Weekly that cybercriminals are determined to breach company security walls, no matter how long it may take them. But these concerns can’t pose a roadblock to innovations in, say, the cloud, and impede businesses in their efforts to access new markets and gain a competitive advantage.

RSA president Amit Yoran agrees, according to SC Magazine, citing infosecurity as fundamentally broken. Firewalls and policing network perimeters are just things that make you “feel safe” but don’t address real security problems.

The evolution of security is widely discussed in the technology community.

Traditional approaches to security are making us more vulnerable to attack, suggests Yoran. It’s time to rethink security to become less reactive and more resilient.

Measure Your Detection Deficit

Teach employees to use all of their mobile devices, cloud applications and business innovations securely. “This means understanding their needs, explaining to them the security implications and coming to a consensus on what can and what cannot be done,” says Sankar. “If employees want flexibility, they must understand the responsibilities that go with that.”

Stop measuring security strength by the number of attacks a system has endured and stopped. Instead, monitor the time elapsed between the data breach and when the intruder has been detected and contained — otherwise known as the detection deficit.
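One way to make the detection deficit measurable, as an added illustration rather than a method from the article: compute, per incident, how long the intruder was inside before detection and how long detection-to-containment took, then aggregate. The incident records and the 24-hour target are constructed for the example.

```python
"""Detection deficit calculator (added example, not from the original article).

For each incident we compute how long the intruder was inside before detection
(time to detect) and how long detection-to-containment took (time to contain).
All incident records below are constructed for illustration."""
from datetime import datetime
from statistics import median

# Constructed incident timeline: ISO-8601 timestamps, all hypothetical.
INCIDENTS = [
    {"id": "INC-1", "breach": "2015-03-01T02:00:00",
     "detected": "2015-03-01T14:00:00", "contained": "2015-03-02T02:00:00"},
    {"id": "INC-2", "breach": "2015-03-10T00:00:00",
     "detected": "2015-04-09T00:00:00", "contained": "2015-04-11T00:00:00"},
    {"id": "INC-3", "breach": "2015-05-01T08:00:00",
     "detected": "2015-05-01T09:00:00", "contained": "2015-05-01T12:00:00"},
]


def _hours(later, earlier):
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(later) - datetime.fromisoformat(earlier)
    return delta.total_seconds() / 3600.0


def detection_deficit(incident):
    """Return (hours_to_detect, hours_to_contain) for one incident record."""
    to_detect = _hours(incident["detected"], incident["breach"])
    to_contain = _hours(incident["contained"], incident["detected"])
    if to_detect < 0 or to_contain < 0:
        raise ValueError(f"{incident['id']}: timestamps out of order")
    return to_detect, to_contain


def summarize(incidents, max_detect_hours=24.0):
    """Aggregate the deficit across incidents and list those detected too slowly.

    max_detect_hours is a hypothetical internal target, not a figure from the article."""
    detect, contain, over_target = [], [], []
    for inc in incidents:
        to_detect, to_contain = detection_deficit(inc)
        detect.append(to_detect)
        contain.append(to_contain)
        if to_detect > max_detect_hours:
            over_target.append(inc["id"])
    return {
        "median_detect_h": median(detect),
        "max_detect_h": max(detect),
        "median_contain_h": median(contain),
        "over_target": over_target,
    }


if __name__ == "__main__":
    for inc in INCIDENTS:
        print(inc["id"], detection_deficit(inc))
    print(summarize(INCIDENTS))
```

Tracking the median and the maximum separately matters: one incident that sat undetected for a month (INC-2 here) is exactly the kind of number a count of blocked attacks would never reveal.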

Firewalls Aren’t Impervious to Breaches

Firewalls also do little to contain intrusions at the business level. To best protect your organization's assets, prepare for an advanced persistent threat (APT), which is usually targeted and carried out with malicious intent.

Assess Your Loopholes and Know What to Protect

The first step is to prioritize. Align your security goals with those of business executives to determine which assets are most sensitive. “It is now imperative to develop a layered security approach that will amp up the security arsenal with a 360-degree visibility into all corners of the network,” warned Chloe Green, security reporter for Information Age.

Ultimately, you need to improve how you monitor for and detect a data breach. Breaches can come through loopholes in your security system that a lockdown protocol cannot fix once malware has already been installed. Once these gaps are closed, you will be able to better protect your most important information.

What Absolutely Needs Securing?

According to a report by the privacy and data-protection team at Baker & Hostetler LLP, 36 percent of problems were borne out of employee negligence — only 22 percent came from external theft.

Informing your employees not only about what information they have to protect but also about how they should protect it will lower the majority of your post-breach data loss risk.

Preparing for an APT Prepares You for the Worst

If you’re going to contain the scope of a potential APT, a firewall won’t be enough. End-to-end encryption for data in motion and comprehensive monitoring of all inbound and outbound traffic in your network have to be top priorities. End-to-end encryption protects data being transferred or shared between endpoints, whether people or systems. Pair your traditional security solutions with advanced detection and real-time analytics, provided they’re configured to detect malicious activity before it causes actual damage. Distinguish this traffic by identifying patterns per IP-addressed device that connects to the network, and you’ll be able to isolate the problem immediately when it occurs.
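The monitoring half of that advice, as an added example (not code from the article or any product it mentions): build a per-device baseline of daily outbound volume and known destinations from a few days of flow records, then flag devices whose current-day traffic exceeds a multiple of that baseline or reaches hosts never seen before. The flow records, the three-day baseline window and the 3x factor are all constructed; the addresses come from RFC 5737 documentation ranges.

```python
"""Per-device outbound traffic baseline (added example, not from the article).

Builds a baseline of each internal device's daily outbound volume and known
external destinations from a few days of flow records, then flags devices whose
current-day traffic exceeds a multiple of that baseline or reaches destinations
never seen before. All flow records are constructed; addresses use RFC 5737
documentation ranges."""
from collections import defaultdict
from statistics import mean

# Constructed flow records: (day, source_ip, destination_ip, bytes_out)
FLOWS = [
    ("d1", "10.0.0.5", "203.0.113.10", 1_000_000),
    ("d2", "10.0.0.5", "203.0.113.10", 1_050_000),
    ("d3", "10.0.0.5", "203.0.113.10", 950_000),
    ("d1", "10.0.0.7", "203.0.113.10", 500_000),
    ("d2", "10.0.0.7", "203.0.113.10", 520_000),
    ("d3", "10.0.0.7", "203.0.113.10", 480_000),
    # Day under evaluation: .5 looks normal, .7 sends a large volume to a new host
    ("d4", "10.0.0.5", "203.0.113.10", 1_100_000),
    ("d4", "10.0.0.7", "198.51.100.77", 9_000_000),
]
BASELINE_DAYS = {"d1", "d2", "d3"}


def daily_totals(flows, days):
    """Sum outbound bytes per (day, source) for the selected days."""
    totals = defaultdict(int)
    for day, src, _dst, nbytes in flows:
        if day in days:
            totals[(day, src)] += nbytes
    return totals


def build_baseline(flows, baseline_days):
    """Mean daily outbound bytes and the set of destinations seen per source."""
    per_host = defaultdict(list)
    for (_day, src), total in daily_totals(flows, baseline_days).items():
        per_host[src].append(total)
    dests = defaultdict(set)
    for day, src, dst, _ in flows:
        if day in baseline_days:
            dests[src].add(dst)
    return {src: {"mean_bytes": mean(v), "dests": dests[src]}
            for src, v in per_host.items()}


def detect_anomalies(flows, baseline_days, target_day, factor=3.0):
    """Return {source_ip: [reason, ...]} for devices worth isolating on target_day.

    factor is a hypothetical tuning knob: volume above factor x mean is flagged."""
    base = build_baseline(flows, baseline_days)
    findings = {}
    for (_day, src), total in daily_totals(flows, {target_day}).items():
        reasons = []
        if src not in base:
            reasons.append("unknown_device")
        else:
            if total > factor * base[src]["mean_bytes"]:
                reasons.append("volume")
            today_dests = {d for day, s, d, _ in flows
                           if day == target_day and s == src}
            for new_dst in sorted(today_dests - base[src]["dests"]):
                reasons.append(f"new_destination:{new_dst}")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    print(detect_anomalies(FLOWS, BASELINE_DAYS, "d4"))
```

The findings are keyed by source address on purpose: that is the identifier a network team can act on immediately (quarantine VLAN, switch port, host firewall) while the investigation decides whether the new destination was legitimate.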

Security measures can help you minimize the looming threat of a data breach. It’s no longer practical — let alone sustainable — to approach problems with the idea that they can all be prevented once they touch your network.

Recently, Cisco published a blog post on an interview with a former Anonymous hacker who offered his top security tips for the enterprise. Some of the suggestions were fairly obvious, while others were intuitive and absolutely on point. For example:

#5: Teach your staff about information security

Take note, he didn’t refer to just security staff; he was referring to the entire staff – from the administrative assistants to the most critical of security analysts. In fact, a recent Ipswitch survey shows that even the most stringent security professionals break protocol when it comes to the transfer and collaboration of information. And these folks have tons of acronyms behind their names!

What chance does the layman have? Establishing the groundwork for the dissemination and adherence to corporate policies around information security is a positive set of actions to better protect companies.

There needs to be a general awareness around information security and data and a clear understanding of the security and risk issues associated with physical media, such as DVDs and memory sticks, and outside services, like Gmail, which allows employees to ‘easily’ send large files.  This combination can be the best deterrent to data breaches.

#6: Teach your staff about social engineering

The use of technology to interact and collaborate – and how that collaboration can involve unknown third parties – is the very reason your staff should have an understanding around social engineering. Let’s face it, anyone can get an e-mail address and register on any social site. Hackers, thieves, con artists, and scammers aren’t the only ones that want access to your personal information.

Employees who use shareware or free cloud service are exposing sensitive information and risking an unintentional data breach. Employees who work from home, on a personal machine late at night or on an unapproved smart phone (at any hour) are the biggest targets for hackers and breaches. How many corporate iPhone users are there anyway?

#13: Keep an eye on what information you are letting out into the public domain

In many cases, all information about major IT purchases and deployments by publicly traded companies is public record. A move to incorporate MySQL databases, a content management system based on open source technology or even portal technologies can give a hacker everything they need to exploit your system.

Again, this is an issue of determining risk associated with information and mitigating that risk. Laying out your architecture and your infrastructure blueprints for the world to see may not be the best idea for your company…

#14: Use good physical security. What good is all the [security] software if someone could just walk in and take your “secure” system?

Stop everything you’re doing and walk from the front entrance of your office to the mailroom.

Is that door of the mailroom locked? How hard is it to just pick up a backup tape or CD and slip it into a bag? For that matter, how hard is it to just walk into the office without proper credentials? And when you walk into your office, are there secure terminals? Maybe someone in human resources went to the break room for coffee and neglected to lock their computer?

A simple, misplaced memory stick or an unsecured PC are potential recipes for disaster. There is never any excuse for leaving a terminal unsecured in a public or semipublic setting. My rule of thumb: if you can’t leave your purse or wallet open with hundred dollar bills in plain view, you cannot keep your desktop, laptop, smart phone or a terminal unsecured.

All in all, I think the suggestions make sense. Looking at a few of the tips allows you to take a few steps in the mind of a hacker. A few seconds of non-diligence equals a career of regret.

Security researcher Derek Newton and a few Dropbox users have found a significant security hole in Dropbox. They published their results and Dropbox responded.

Dropbox’s response is not adequate. It’s not enough for them to bury their head in the sand and to say that this security gap is not their problem if a hacker has physical access to the computer. The very nature of Dropbox lets its users increase their physical presence onto many more computers. As such, these users are increasing the risk of their information being stolen and their businesses being compromised.

Instead, Dropbox needs to say what steps they are taking to close this security gap. If Dropbox wants to minimize the impact to their business and to increase their presence as a responsible corporate citizen, Dropbox needs to make this security issue theirs to resolve.

Encryption is the best way for Dropbox to proceed right now. Encrypting their configuration files would be the first and best place to start. Second, Dropbox (like Google or my credit card company) should monitor users’ accounts for unusual activity. Whenever they notice a blip or a change in a user’s activity, they should send the user an email or SMS.

Third, no application or user should be given implicit access to a user’s files. All access needs to be explicit. An end user needs to specify each application and user that has permission to view, update, copy or remove their files.
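The second and third recommendations in a single piece of code, as an added example that is not Dropbox's code and makes no claim about how Dropbox implements sharing: a default-deny policy where a user or application can act on a file only through an explicit grant for that exact action, with every refused request recorded so repeated refusals can be surfaced to the owner as an alert. The owners, paths, principal names and alert threshold are all constructed.

```python
"""Explicit, default-deny file access grants (added example, not Dropbox code).

Nothing gets implicit access: a principal (user or application) may act on a
file only if the owner granted that exact action, and every refused request is
recorded so repeated probing can be surfaced to the owner, as the post suggests."""
from collections import Counter

ACTIONS = {"view", "update", "copy", "remove"}


class FileAccessPolicy:
    def __init__(self):
        self._grants = {}   # (owner, path) -> {principal: set(actions)}
        self.denied = []    # audit trail: (owner, path, principal, action)

    def grant(self, owner, path, principal, actions):
        """Owner explicitly allows `principal` the listed actions on one file."""
        actions = set(actions)
        unknown = actions - ACTIONS
        if unknown:
            raise ValueError(f"unknown actions: {sorted(unknown)}")
        file_grants = self._grants.setdefault((owner, path), {})
        file_grants.setdefault(principal, set()).update(actions)

    def revoke(self, owner, path, principal):
        """Remove every grant the owner gave this principal on the file."""
        self._grants.get((owner, path), {}).pop(principal, None)

    def is_allowed(self, owner, path, principal, action):
        """Default deny: true only for the owner or an explicit matching grant."""
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action}")
        if principal == owner:
            return True
        granted = self._grants.get((owner, path), {}).get(principal, set())
        allowed = action in granted
        if not allowed:
            # Every refusal is kept: this is the "unusual activity" signal.
            self.denied.append((owner, path, principal, action))
        return allowed

    def suspicious_principals(self, threshold):
        """Principals refused at least `threshold` times: candidates for an alert."""
        counts = Counter(p for _o, _f, p, _a in self.denied)
        return sorted(p for p, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    policy = FileAccessPolicy()
    policy.grant("alice", "/docs/plan.xlsx", "app:backup", {"view", "copy"})
    print(policy.is_allowed("alice", "/docs/plan.xlsx", "app:backup", "view"))
    print(policy.is_allowed("alice", "/docs/plan.xlsx", "app:backup", "remove"))
    print(policy.suspicious_principals(threshold=1))
```

Two design points worth noting: grants are scoped to one file and one action, so a backup application allowed to view and copy cannot remove anything, and the denial log lives next to the policy so the alerting signal the post asks for costs nothing extra to produce.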

As all our transactions become electronic, it’s more important than ever that software vendors treat securing the data, and securing access to it without compromising usability or authorized access, as their number one requirement.

The real highlights for me at last week’s SecureWorld Expo were the attendees who visited Ipswitch’s tradeshow booth.  From global enterprises to small business owners, public utilities to brand name consumer products companies, the people I met described challenging business problems and showed genuine interest in managing and protecting their data.

A couple of visitors jump to mind:

  • The ex-Secret Service agent (Electronic Crimes Task Force), now an independent consultant, who came straight to SecureWorld after flying cross-country to attend another security conference in Atlanta.  Her curiosity about managed file transfer solutions, and her breadth of knowledge about encryption methods and sources of risk I had never even considered, gave us lots to talk about.
  • The Chief ISO from the CA Dept of Water Resources, one of at least 10 people I met from local environmental agencies or private utilities.   I had no idea that the business of managing natural resources was so data intensive!  They have a huge amount of traffic between and among state and county agencies, and send hundreds if not thousands of files per week to private businesses, citizen groups, and individual consumers.  Many of these files contain sensitive information, making it an ideal scenario for Ipswitch’s managed file transfer solutions that can handle high volume data files sent programmatically to a wide number of recipients.

These two booth visitors highlight two days’ worth of insightful conversations I had with customers, prospects and fellow vendors. Needless to say, I’m very excited to dive into the MFT space and look forward to sharing more insights.

“A top Pentagon official has confirmed a previously classified incident that he describes as ‘the most significant breach of U.S. military computers ever,’ a 2008 episode in which a foreign intelligence agent used a flash drive to infect computers, including those used by the Central Command in overseeing combat zones in Iraq and Afghanistan.”

Brian Knowlton, in a NYTimes.com article gives us the rundown on what happened, and what this all means to the military and to the future of cyberdefense and the U.S. Cyber Command.

Deputy Secretary of Defense, William J. Lynn III, referred to the breach as “…a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” and he also describes it as “a digital beachhead, from which data could be transferred to servers under foreign control.”

The nightmare of this happening to the military is enough to keep you awake at night, and thinking of this closer to home doesn’t make sleep come that much sooner.

“Think of your own office where USB flash drives, removable disk drives and cell phones are making it easier than ever for employees who need to transfer large files. It’s harder than ever for companies to monitor and protect sensitive information.

Portable devices are far too easily lost or stolen, and while most employees have good intentions, USBs are one of the easiest ways for insiders to compromise business-critical information. IT managers need to make it easier for people in their organization to move information securely. By decreasing reliance on transferring physical media and focusing more on easy-to-use browser-based or email plug-in solutions, information will be better governed.”
Frank Kenney, VP of Global Strategy at Ipswitch File Transfer.

Last year (2009) there was a study by the Ponemon Institute of nearly 1,000 recently terminated individuals. The study revealed that 42% of them used USB memory sticks to take business data and that 38% sent documents as attachments to personal email accounts.

“Digital beachhead” is such a great way to put this, especially coming from Deputy Secretary of Defense, William J. Lynn III. The images one can conjure up of storming the “digital beach” and imagining the data security version of those first 15 minutes of “Saving Private Ryan” is truly powerful stuff and should keep us up a little later at night.

Give Knowlton’s article a read and if you’re interested in hearing more from Frank Kenney on this topic, check out his surprised reaction at a recent RSA event.

“As more and more of our personal information is collected and stored online and on computers, we need to ensure that the businesses storing this information are keeping it safe and giving us quick warning if it falls into the wrong hands.”
Senator Mark Pryor (D-Ark.) and chairman of the Subcommittee on Consumer Protection, Product Safety and Insurance.

Senator John Rockefeller (D-W.V.) and Senator Mark Pryor (D-Ark.) have introduced The Data Security and Breach Notification Act. The goal of this is to make sure that any firm that collects and stores personal information must then be responsible for making sure that they have “reasonable security policies and procedures” put into place that will prevent leaks or breaches.

Kenneth Corbin, Associate Editor at InternetNews.com, gives his account of this bill, and what’s happening with it, in this recent article.

It’s interesting that there have been two similar bills introduced, but those bills never made it past the senate floor.

With all the threats and breaches we’ve been seeing, coming from outside organizations AND inside them, you’ll want to give Corbin’s article a read and see where your tax dollars (if you’re in the US) are going.

“We are sorry for any concern we are causing anyone at this time.”

It’s pretty certain that those are 13 words that no CEO ever wants to have to say. Just ask Richard H. Aubut, president and CEO of the Weymouth hospital.

Seems that some computer files containing the personal information of about 800,000 people might have been misplaced or possibly lost or maybe even stolen.

We’re talking about information such as names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, diagnoses, treatments relating to hospital and home health care visits … just to name a few pieces of personal information, you get the picture.

800,000 records. 800,000 reasons why Managed File Transfer is important. Just ask Richard H. Aubut, president and CEO of the Weymouth hospital.

Seems that somewhere in the process of these 800,000 records being shipped to a contractor to be destroyed, and actually getting to the contractor to be destroyed they disappeared.

Boston.com has some information worth reading.

Forgive the obvious Ipswitch plug here, but c’mon, any one of these solutions could help any CEO avoid having to say those 13 words.

So, that’s today’s 800,000 reasons why MFT is important, and how to avoid those 13 words. As a special bonus for you, here’s 7 words you’d surely like to steer clear of:

“We are still searching for those files.”

Just ask Richard H. Aubut, president and CEO of the Weymouth hospital.

We’ve all been to the company meeting where tons of sports metaphors have been thrown about. From the in-depth analysis of how the company is just like the Patriots, with the CEO being Tom Brady, all the way to the simple comparison of your department being just like the Celtics starting five.

Rajon Rondo, Doc Rivers - Boston Celtics

I always wondered if Doc Rivers, during a time out, explained a play and used the analogy of Kevin Garnett as the VP of Marketing, or even better something like this:

“Rajon, you need to protect the ball when passing, don’t throw it into traffic. Think like Ipswitch’s safe and secure file transfer. You know, using 256-bit AES encryption …”

You get the idea.

So, what happens when sports and a common business issue like data security have a nice pick and roll and drive to the hoop for two?

Bill Brenner (Senior Editor at CSOonline/Magazine/IDG Enterprise) has an interesting Q&A with The Boston Celtics VP of Technology, Jay Wessel. Some noteworthy stuff regarding security, Apple’s MacBook Pro, Exchange-supported iPhones, and some cloud-based services.

Ipswitch File Transfer is going (more) global. We’re thrilled to announce the expansion of our already successful Ipswitch FT Partner Program.  It now boasts a number of new benefits for our global partners, including a new Elite Partner Level and a deal registration program.

The Elite Level expansion was created for those partners looking for even greater association and support from Ipswitch File Transfer.  A new deal registration program has also been introduced, which will incent resellers with additional discount points for registering qualified net new sales opportunities on the FT Partner Portal.

read more “Going Global: Ipswitch File Transfer Expands Partner Program”

Tax season is behind us (at least for most of us) and we can all give a sigh of relief… but can we? This year, getting my taxes organized and handing them to my accountant seemed to be more difficult than usual. Fortunately for me, the Federal Government gave certain areas that were dealing with flooding a small extension that allowed me to find the time to pass my taxes into my accountant.

Once that task was completed, I was able to relax except for the fact I now had one day to get back into the accountant’s office and sign the documents for them to send to the IRS.

read more “Do People Realize What They Are Sending and the Risks Associated?”

A quick summary of key industry happenings:

A) The economic impact of piracy (including software) is *really* not understood: http://www.gao.gov/products/GAO-10-423. See pages 15 – 19 of the full report in particular.

I’ve always been skeptical of the piracy claims, good to see someone actually reviewed them. I think it is better for the industry to focus on the valued real customer rather than to fabricate and fret about the unknown and unquantifiable pirate customer.

read more “HTML 5, Memristors and Software Piracy”

Those of you who visited the Ipswitch File Transfer tradeshow booth at the recent RSA Security Conference were likely asked to fill out a short survey.  When the show ended, we tabulated the survey results and there are some staggering data points that we want to share:

  • 83% of IT executives surveyed lack visibility into files moving both internally and externally
  • Nearly 90 percent of survey respondents admitted to using thumb drives or other external devices to move work-related files
  • 66 percent of survey respondents admitted to using personal emails to send work-related files
  • More than 25 percent admitted to sending proprietary files to their personal email accounts, with the intent of using that information at their next place of employment

Here’s my colleague Frank Kenney, VP of Global Strategy at Ipswitch File Transfer, sharing his thoughts on the survey results.


The key takeaway here is that IT organizations are at greater risk of sensitive company information ending up in the wrong hands if they don’t know who is accessing company information, how they use and move files, where they send them, and to whom they are sent. It’s not enough to secure common data access points or provide tools for some employees. Rather, true visibility into all file and data interactions enables IT organizations to actively manage, secure and enforce policies for company information, both inside and outside of the organization.
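What that visibility can look like in practice, as an added example that is not a feature of any Ipswitch product: a small audit-log report that answers, per user, how many files left the organization and which transfers match the two behaviours the survey figures above describe (work files sent to personal email accounts, or copied to thumb drives). The log format, the log lines, the internal domain `corp.example` and the list of personal webmail domains are all constructed for the example.

```python
"""File-transfer visibility report (added example, not an Ipswitch product feature).

Parses constructed transfer-audit lines of the form
  <timestamp> user=<id> action=<verb> file=<name> channel=<email|usb|...> [to=<address>]
and reports, per user, how many files went outside the organisation and which
transfers match the patterns the survey flags: work files sent to personal
webmail accounts, or copied to removable media. Log lines and the internal
domain 'corp.example' are all constructed."""
import re
from collections import defaultdict

KEY_VALUE = re.compile(r"(\w+)=(\S+)")
# Constructed list of consumer webmail domains treated as personal accounts.
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}

SAMPLE_LOG = """\
2015-06-01T09:12:00 user=jsmith action=send file=q2_forecast.xlsx size=1048576 channel=email to=partner@example.org
2015-06-01T18:40:00 user=jsmith action=send file=q2_forecast.xlsx size=1048576 channel=email to=jsmith1984@gmail.com
2015-06-02T08:05:00 user=adoe action=send file=hr_list.csv size=20480 channel=email to=payroll@corp.example
2015-06-02T17:55:00 user=adoe action=copy file=hr_list.csv size=20480 channel=usb
this line is malformed and must be skipped
""".splitlines()


def parse_line(line):
    """Return a dict of fields, or None if the line lacks the required keys."""
    timestamp, _, rest = line.partition(" ")
    fields = dict(KEY_VALUE.findall(rest))
    if "user" not in fields or "action" not in fields or "file" not in fields:
        return None
    fields["ts"] = timestamp
    return fields


def classify_recipient(address, internal_domain):
    """'internal', 'personal_webmail', 'external', or 'none' when no recipient."""
    if not address:
        return "none"
    domain = address.rpartition("@")[2].lower()
    if domain == internal_domain:
        return "internal"
    if domain in PERSONAL_WEBMAIL:
        return "personal_webmail"
    return "external"


def build_report(lines, internal_domain):
    """Per-user totals plus a list of (file, reason) transfers needing follow-up."""
    report = defaultdict(lambda: {"total": 0, "external": 0, "flagged": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed audit line: skipped, never silently counted
        entry = report[rec["user"]]
        entry["total"] += 1
        kind = classify_recipient(rec.get("to"), internal_domain)
        if kind in ("external", "personal_webmail"):
            entry["external"] += 1
        if kind == "personal_webmail":
            entry["flagged"].append((rec["file"], "personal_webmail"))
        if rec.get("channel") == "usb":
            entry["flagged"].append((rec["file"], "removable_media"))
    return dict(report)


if __name__ == "__main__":
    for user, entry in build_report(SAMPLE_LOG, "corp.example").items():
        print(user, entry)
```

The report deliberately separates "external" (a business partner may be perfectly legitimate) from "flagged" (personal webmail, removable media), because the survey's point is not that files leave the company but that IT cannot currently tell which departures were sanctioned.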