SANS Network Security 2011 will take place at Caesars Palace in Las Vegas from September 17-26, 2011. SANS Network Security is an annual event which offers network security training, certification, and research on the most important topics in the industry today.

The WhatsUp Gold team will be hosting a lunch and learn presentation:

 “Adding Rich Access Control and Audit Logging to Windows Applications”

  • Presented by: Andy Milford – Product Manager, Log Management & Andy Hopper – Senior Software Architect
  • Thursday, September 22nd 12:30pm – 1:15pm US Pacific Time
  • Register to attend now! (link to registration)

Our session will cover how applications that target the Windows platform can incorporate the ability to manage highly granular access control and automate audit logging by using the security subsystems in the Windows operating system. Topics covered include discretionary access control lists, system access control lists, the Windows audit log and the Windows Authorization APIs.
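As an added illustration of the interplay between DACLs, SACLs and the Windows Security log that the session describes (this is editor-supplied example code, not material from the presentation, from WhatsUp Gold or from Ipswitch), the PowerShell below locks a folder down to one group, adds an audit entry so that writes and deletes are recorded, and then reads the resulting events back. The folder path and the group name CONTOSO\Finance are assumptions made for the example; the script must run from an elevated prompt because writing a SACL requires SeSecurityPrivilege, and the "File System" object-access audit subcategory has to be enabled or nothing is logged.

```powershell
# Editor-supplied example: DACL + SACL on a folder, then read the audit trail.
# Assumed names: the folder path and the group 'CONTOSO\Finance' are illustrative.
# Prerequisite (run once, elevated): object-access auditing for the file system.
#   auditpol /set /subcategory:"File System" /success:enable /failure:enable

$path  = 'C:\AppData\Ledger'
$group = 'CONTOSO\Finance'

New-Item -ItemType Directory -Path $path -Force | Out-Null

$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None

# --- DACL: who may do what --------------------------------------------------
$acl = Get-Acl -Path $path
# Stop inheriting the parent's (usually permissive) entries and drop what is left,
# so the folder carries only the entries we add below (least privilege).
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }

$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    $group, 'ReadAndExecute, Write', $inherit, $prop, 'Allow')))
$acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    'BUILTIN\Administrators', 'FullControl', $inherit, $prop, 'Allow')))
Set-Acl -Path $path -AclObject $acl

# --- SACL: which accesses are written to the Security log --------------------
# Get-Acl needs -Audit to read the SACL; Set-Acl then writes it back (admin only).
$sacl = Get-Acl -Path $path -Audit
$sacl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'Delete, DeleteSubdirectoriesAndFiles, WriteData', $inherit, $prop, 'Success, Failure')))
Set-Acl -Path $path -AclObject $sacl

# --- Check: did anything touch the folder in the last hour? -----------------
# Event ID 4663 = "An attempt was made to access an object". The Properties
# indices follow the 4663 event template: 1 = subject user, 6 = object name,
# 8 = access list, 11 = process name.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[6].Value -like "$path*" } |
    Select-Object TimeCreated,
        @{ n = 'User';    e = { $_.Properties[1].Value } },
        @{ n = 'Object';  e = { $_.Properties[6].Value } },
        @{ n = 'Access';  e = { $_.Properties[8].Value.Trim() } },
        @{ n = 'Process'; e = { $_.Properties[11].Value } } |
    Format-Table -AutoSize
```

Two things a practitioner should check after running this: that `Get-Acl -Path $path -Audit | Select-Object -ExpandProperty Audit` actually shows the audit rule (a missing privilege fails silently in some shells), and that a test write by a non-Finance account yields both an access-denied error and a 4663 failure event. The audit entry is what turns the access decision into evidence; the DACL alone tells you nothing about who tried.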

Do you have an application that is managing potentially sensitive information? Then you must join us for this exciting lunch and learn presentation!
http://www.sans.org/network-security-2011/vendor.php

Here’s a great article by Brian O’Connell of CPA Site Solutions on how to deal with email security difficulties.  The context of the article is from the perspective of the accounting industry, but I’d say it’s an extremely universal topic that actually impacts almost every kind of company today.

The premise of the article is that email is generally accepted as a dependable way to communicate and share files, and then he points out that in reality email isn’t very safe.  Sound familiar?  And for you encrypted email lovers out there (you know who you are), I’d like to quickly mention that while encryption keeps the body or attachment from being read by anyone without the key, it does nothing to prevent the message from being intercepted, and it leaves the headers (sender, recipient, subject) readable to whoever intercepts it.

Brian draws a very important difference between “security” and “privacy” that I want to highlight.

“Privacy is the shield that protects a person’s identity while actively sharing information via the web.

Where privacy is about keeping the door locked, security is about the lock itself.

Security is the actual online authentication and authorization protocols that networks use to protect information and the audit system used to verify the overall system’s effectiveness.”

While I agree that the distinction is important, I’d also like to point out that an organization must protect both the security and privacy of confidential information in order to comply with the growing number of data protection laws and compliance mandates.   I wouldn’t worry too much about the distinctions, but instead focus on the need to have visibility and governance over all files, data and information that are being shared both within your company and also externally with business partners and customers.

Last week I ranted a bit about the importance of governing your cloud vendors.  At about the same time, Ipswitch’s Frank Kenney participated in a panel discussion on cloud security at the Interop conference in Las Vegas.

As you know, there is great debate over whether cloud services are secure enough for businesses to use.  I believe that the cloud model will quickly evolve and prove itself to the point where using it is deemed no riskier than relying solely on on-premises tools.

I also believe that member-driven organizations such as the Cloud Security Alliance – which focus on providing security assurance within Cloud Computing – will help us get there.

At the Interop discussion, Frank Kenney spoke about the safety of the cloud, here’s what he had to say:

“Cloud customers have the obligation to assess the risk of allowing data to be stored in a cloud based on how valuable it is to the customers…. The cloud is as secure as you want it to be.

Cloud services can provide value if performance and service-level agreements align with what customers need.  If not, customers shouldn’t buy them.  It’s not ‘the sky is falling’.  Assign risks appropriately.  Security is just one of many things you have to do.”

Security researcher Derek Newton and a few Dropbox users have found a significant security hole in Dropbox. They published their results and Dropbox responded.

Dropbox’s response is not adequate.  It’s not enough for them to bury their heads in the sand and say that this security gap is not their problem if an attacker has physical access to the computer.  Dropbox’s whole purpose is to put a user’s files onto many more computers, so every one of those machines becomes a place where that information can be taken.  Its users are, in effect, increasing the risk of their information being stolen and their businesses being compromised.

Instead, Dropbox needs to say what steps they are taking to close this security gap.  If Dropbox wants to minimize the impact to their business and to increase their presence as a responsible corporate citizen, Dropbox needs to make this security issue theirs to resolve.

Encryption is the best way for Dropbox to proceed right now.  Encrypting their configuration files would be the first and best place to start, with one caveat: a file encrypted under a key stored beside it is no better protected than the plain file, so the key has to be bound to the machine and the logged-in user, for example through the operating system’s protected-storage API (DPAPI on Windows).  Second, Dropbox (like Google or my credit card company) should monitor users’ accounts for unusual activity.  Whenever they notice a blip or a change in a user’s activity, they should send the user an email or SMS.

Third, no application or user should be given implicit access to a user’s files.  All access needs to be explicit.  An end user needs to specify each application and user that has permission to view, update, copy or remove their files. 

As more of our transactions become electronic, securing the data, and securing access to it without compromising usability for authorized users, has to be the number one requirement for software vendors.

On July 16, 2001 Bruce Schneier gave testimony before the Senate Subcommittee on Science, Technology, and Space of the Committee on Commerce, Science and Transportation.  A complete transcript of his testimony is available here, and I strongly encourage it be read in its entirety.  However, I want to emphasize a central theme from Mr. Schneier’s testimony:

Real-world security includes prevention, detection, and response. If the prevention mechanisms were perfect, you wouldn’t need detection and response. But no prevention mechanism is perfect. This is especially true for computer networks.

I expect there are a number of network administrators who will roll their eyes and say to themselves “oh please, not another soapbox on the need for better network security measures.”  I agree with those readers, and I’d go further: in an age of increasing state-sponsored cyber-warfare and terrorism and increasingly sophisticated private-sector industrial espionage, we should give up the arms race.  As technology professionals, developers, and engineers, building the better mousetrap has not prevented, and will not prevent, breaches, thefts, or the embarrassing publication of diplomatic “secrets” (http://www.wikileaks.ch/).

According to the archaeological record the lock was invented nearly 4,000 years ago, and in those 4,000 years no lock has been created that cannot be picked, broken or circumvented.  As Mr. Schneier points out in his testimony, criminals rarely bother to break the lock itself; they find creative ways around it by any means necessary.  We live in a world where the data, including credit card numbers, of 45.7 million customers can be stolen from a retailer (the TJX breach) without anyone ever setting foot inside the building.

When I say we should give up the arms race, I don’t mean giving away that which must be protected; I mean paying attention.  Deploying more prevention measures, adding more locks to the doors, isn’t making our information assets substantially safer, but deploying monitoring that has been properly tuned and configured will increase the safety of those assets significantly.  Chances are that if you are an organization of any size you already have all the pieces you need to mitigate the risks your assets are exposed to, but you may not have deployed and configured those tools to maximize your ability to detect and respond to attacks.  You may be in the position where all you really need is a good watchdog to make sure you know when someone is trying to climb the fence.  Training that watchdog so that it doesn’t bark at every passing car but lets you know when a true threat presents itself is where real protection and security lie.

Let’s do a news recap of yesterday. Some tax legislation was passed, lame-duck Congress, celebrity mishaps, missteps and gossip as usual. Oh and there was also notification of a few data breaches; most notably McDonalds, University of Wisconsin and the Gawker website (the folks that bought a prototype of the iPhone 4 after it was lost by an Apple engineer.). Unlike the “it’s been two weeks and it’s still in the news” WikiLeaks data breach, expect McDonalds, UW and Gawker to melt into the ether of public consciousness along with the Jersey Shore, AOL and two dollar a gallon gas prices.

Lately, we are seeing more companies and institutions admitting to data breaches.  Passwords get hacked and ATM cards, identities and cell phones are stolen all the time.  Expect to hear about more breaches as companies move ahead of legislation that forces them to admit security breaches, and expect the media to pick up on the stories and run wild with them.  What this forces the public to do is look closer at the type of data breach, the type of data that was stolen and what the company or institution did to cause the breach.

 For example:

  • the McDonalds breach was about third-party contractors and not enough governance around customer e-mail
  • the UW breach was about unauthorized access to databases over a two-year period… again not enough governance around data storage and access
  • the Gawker breach was about an outdated password-hashing scheme and a rogue organization purposely trying to embarrass that community.

Of these three things, the Gawker breach is most troubling because of the organized and intentional motivations of a rogue organization. This is why the FBI is involved. For the past year I’ve been telling you to classify your data, assign risk to your data and mitigate that risk appropriately. Old news.

The new news is this: even something like a breach involving low risk information can actually damage your brand. And damage to the brand can be costly to repair. So when classifying risk be sure to consider not just the loss of the data but the nature of the media hell-bent on reporting any and all data breaches.

This just in… I’m getting that watch I always wanted for Christmas because I compromised that space in the attic where we hide all the gifts. Happy holidays!

This new log management platform boosts enterprise security, regulatory compliance and forensics

WhatsUp Event Log Management 9.0 allows enterprises of all sizes to protect critical information and meet important security and regulatory compliance requirements. The modular set of applications delivers a flexible, user-friendly format to simplify the challenges and complexity of log management.

With WhatsUp Event Log Management, customers can automatically collect, store, analyze, alert and report on both Windows Event and Syslog files for real-time security event detection and response, compliance assurance and forensics.


On Wednesday, November 3 and Thursday, November 4, Ipswitch File Transfer will be exhibiting and speaking at SecureWorld Expo, the leading regional security conference that brings together the security leaders, experts, senior executives, and policy makers who are shaping the very face of security.

The “Exhibits and Open Sessions Registration” for SecureWorld Expo is complimentary and it gives you access to the expo floor, the keynote presentations, and open industry expert panels. Plus, you’ll get to hear the luncheon keynote from L. Frank Kenney, “The Data Breaches You Don’t See Hurt You The Most,” and the industry expert panel “Data Protection: Walking the Thin Line Between Employee Productivity and Security.”

Here are the details:

What: SecureWorld Expo – Dallas

Where: Plano Convention Centre, Plano, TX

When: November 3, 2010 and November 4, 2010

Why: Meet the Ipswitch File Transfer team, learn about our solutions (from WS_FTP to MessageWay), listen in on L. Frank Kenney’s luncheon keynote, and keep up to date on the latest in the security world!

Plus, if you visit us and mention this blog post, you’ll receive a Starbucks gift card – on the spot!

See you in Dallas!

Two months ago we posted about the massive data breach at South Shore Hospital in Weymouth, Massachusetts, “800,000 Reasons Why MFT is Important“.

Well, the drama and the headaches continue.

What originally happened was that computer files containing personal information of about 800,000 people (names, addresses, phone numbers, dates of birth, Social Security numbers, driver’s license numbers, medical record numbers, patient numbers, health plan information, dates of service, diagnoses, and treatments relating to hospital and home health care visits) had been misplaced, lost, or possibly even stolen.

Aspirin worthy.

On September 8th, 2010 Wickedlocal.com reported that “South Shore Hospital initially informed the Attorney General’s Office and the public that it would send individual written notice of the data breach to each affected consumer.”

Aspirin worthy, but the legal and responsible thing to do…that is until a brilliant idea occurred:

“However, South Shore Hospital has informed the Attorney General’s Office that it does not plan to send individual written notice to affected consumers. Instead, South Shore Hospital has chosen to invoke a provision under state law to notify consumers through the ‘substitute notice’ process, which means rather than receiving individual letters at their homes, consumers who are affected by the breach will be generally notified of the data loss through a posting on South Shore Hospital’s website, publication in newspapers throughout the Commonwealth, and by e-mail for those consumers for whom South Shore Hospital has e-mail addresses.”

So the move here is that to notify the people whose data they lost, they’ll put that information in a place where everyone can see it. Isn’t that counter-intuitive?

In a related story on Healthdatamanagement.com – Joseph Goedert reports that:

“Massachusetts Attorney General Martha Coakley ‘has objected to South Shore Hospital’s revised notification plans and maintains that affected consumers should receive individual notification as originally represented by South Shore Hospital in its prior public announcements concerning the data loss,’ according to a statement from her office.”

What are your thoughts on how South Shore Hospital is handling this? Am I the only one reaching for the Anacin?

“A top Pentagon official has confirmed a previously classified incident that he describes as ‘the most significant breach of U.S. military computers ever,’ a 2008 episode in which a foreign intelligence agent used a flash drive to infect computers, including those used by the Central Command in overseeing combat zones in Iraq and Afghanistan.”

Brian Knowlton, in a NYTimes.com article gives us the rundown on what happened, and what this all means to the military and to the future of cyberdefense and the U.S. Cyber Command.

Deputy Secretary of Defense, William J. Lynn III, referred to the breach as “…a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary,” and he also describes it as “a digital beachhead, from which data could be transferred to servers under foreign control.”

The nightmare of this happening to the military is enough to keep you awake at night, and thinking of this closer to home doesn’t make sleep come that much sooner.

Think of your own office where USB flash drives, removable disk drives and cell phones are making it easier than ever for employees who need to transfer large files. It’s harder than ever for companies to monitor and protect sensitive information.

“Portable devices are far too easily lost or stolen, and while most employees have good intentions, USBs are one of the easiest ways for insiders to compromise business-critical information. IT managers need to make it easier for people in their organization to move information securely. By decreasing reliance on transferring physical media and focusing more on easy-to-use browser-based or email plug-in solutions, information will be better governed.”
Frank Kenney, VP of Global Strategy at Ipswitch File Transfer.

Last year (2009) there was a study by the Ponemon Institute of nearly 1,000 recently terminated individuals. The study revealed that 42% of them used USB memory sticks to take business data and that 38% sent documents as attachments to personal email accounts.

“Digital beachhead” is such a great way to put this, especially coming from Deputy Secretary of Defense, William J. Lynn III. The images one can conjure up of storming the “digital beach” and imagining the data security version of those first 15 minutes of “Saving Private Ryan” is truly powerful stuff and should keep us up a little later at night.

Give Knowlton’s article a read and if you’re interested in hearing more from Frank Kenney on this topic, check out his surprised reaction at a recent RSA event.

According to the Washington Post, Deputy Defense Secretary William J. Lynn III just confirmed that a classified military network was breached with a single USB drive in 2008.

http://www.washingtonpost.com/wp-dyn/content/article/2010/08/24/AR2010082406154.html

As a security expert, the fact that someone used a USB drive on the wrong machine isn’t surprising: it happens every day when people use these drives to swap files between work and home computers.

What is surprising is Lynn’s statement that “code spread undetected on both classified and unclassified systems”.  This suggests that neither the content of the files being distributed nor the network behavior of the malicious application was being analyzed, even on a secure network.

This incident demonstrates that even the most sensitive network can be breached if there is only a single layer of defense.  With data loss prevention (DLP), intrusion detection, antivirus and file-integrity monitoring available, there should be multiple layers of defense seeking and listening for threats in a coordinated manner on any modern secure network.

The government’s reaction to the incident was also interesting: ban all USB drives.  The military did it in 2008…and survived.

So what about the file transfers that needed to occur between the military’s various networks?  Managed file transfer technology is all about answering that question, and answering it with easy-to-use, scalable solutions built on the concept of defense in depth.

“Please do not send the Sept. and Oct. payment together in one wire transfer. Anything over $10,000 wired could draw too much attention.”
Alleged email written by Paul Shim Devine on October 5th, 2007

Is your business-critical information walking out the door?

A few months ago Ipswitch conducted a survey at an RSA Conference. The line of questioning regarding visibility into files moving out of organizations produced some shocking results:

  • 83% of IT executives surveyed have no idea what files are moving both internally and externally at their organizations.
  • 25% of IT professionals surveyed admitted that they used personal email accounts to send files that were proprietary to their own organizations, with the intent of using that information in their next job.

Both of those figures are frightening. Some companies have refused to seriously consider these numbers, so consider this tale as devine intervention (yes, that’s a play on Paul Shim Devine’s name.) This is the saga of one man getting caught with his hand in the cookie jar. It’s actually a perfect example of the reality and consequences of not knowing what files are moving in and out of your organization. It’s the story of a recent case involving Apple and Paul Shim Devine.

See Martyn Williams’ article for the full details, but here’s the 2 cent version. Back in April 2010 “Apple investigators discovered a Microsoft Entourage database of e-mails and a cache of Hotmail and Gmail messages on Devine’s Apple-supplied laptop. The company took a copy of the drive and began working through its contents,” and as for what they found Apple says “the e-mails contained details of payments, and the supply of confidential information that began in October 2006 with a Singaporean company called Jin Li Mould Manufacturing.”

This is happening. Employees are using private e-mail accounts to transfer confidential company information, but really, how often is this happening?

“Not only is it common, but it’s startling in its frequency,” said Ipswitch’s own Hugh Garber, recently quoted in a ComputerWorld article.

Garber goes on to say that it’s not always done with bad intentions and that “of course, most of that privileged information misuse is not malicious. Many of the times, it’s your hardest-working employees just trying to get the job done.”

To Hugh’s point, that’s true. I know that in other jobs that I’ve had I’ve emailed spreadsheets or word docs home (to my Yahoo account) to work on so I wouldn’t have to schlep my laptop home.

But what about the “other” kind? How do you deal with the malicious kind?

“I received your e-mail on my Apple account. Please avoid using that e-mail as Apple IT team will randomly scan e-mails for suspicious e-mail communications for forecast, cost and new model information.”
Alleged email written by Paul Shim Devine on Sept. 16, 2008.

Ok, that’s one way. Randomly scanning emails for something suspicious. Seems like a good policy to have. Do you know where your organization is in terms of these kinds of policies?

“With hundreds of data breaches over the past five years resulting in multi-million-dollar consequences, it’s hard to believe that organizations still don’t have the right solutions in the right places to protect sensitive information,” said Frank Kenney, VP of Global Strategy at Ipswitch File Transfer. “You may be investing heavily on business applications and their inherent security requirements but if you’re not monitoring and enforcing policies with respect to the information moving both internally (between business applications and people) and externally (between you and your business partners and collaborators), the consequences are dire.”

You can check out more of what Frank has to say on this issue, and see what else Hugh has to offer.

And, with this issue in particular, we’d love to hear your thoughts. Do the numbers surprise you? What is your organization doing? Any crimes or misdemeanors you’d care to confess to?