Archive for March, 2010
Those of you who visited the Ipswitch File Transfer tradeshow booth at the recent RSA Security Conference were likely asked to fill out a short survey. When the show ended, we tabulated the survey results and there are some staggering data points that we want to share:
- 83% of IT executives surveyed lack visibility into files moving both internally and externally
- Nearly 90 percent of survey respondents admitted to using thumb drives or other external devices to move work-related files
- 66 percent of survey respondents admitted to using personal emails to send work-related files
- More than 25 percent admitted to sending proprietary files to their personal email accounts, with the intent of using that information at their next place of employment
Here’s my colleague Frank Kenny, VP of Global Strategy at Ipswitch File Transfer, sharing his thoughts on the survey results.
The key takeaway here is that IT organizations are at greater risk of sensitive company information ending up in the wrong hands if they don’t know who is accessing company information, how they use and move files, where they send them, and to whom. It’s not enough to secure common data access points or provide tools for some employees. Rather, true visibility into all file and data interactions enables IT organizations to actively manage, secure and enforce policies for company information, both inside and outside of the organization.
Convicted TJX hacker Albert Gonzalez was sentenced to 20 years in prison today for leading a gang of cyberthieves who stole more than 90 million credit and debit card numbers from TJX and other retailers. The sentence for the largest computer-crime case ever prosecuted is the lengthiest ever imposed in the U.S. for hacking or identity-theft.
I had some thoughts around the sentence:
- It’s an acknowledgment that the government isn’t seeing this as an isolated/individual action; the government recognizes a true crime organization issue on par with any other type of organized crime without the guns and violence… yet.
- Given some of the emerging detail around the Google/China incident and the rise in cyber terrorism, raising the bar with sentences like this may deter some future “hackers”.
- Many of the cyber gangs don’t do it for the money; this wasn’t the case with Gonzalez. The idea of taking 15 million dollars to buy a yacht is seen as no different than if he had robbed a bank at gunpoint. What hasn’t been solved is how do you catch, prosecute and make an example of the cyber gangs that aren’t in it for the money?
- Gonzalez was given an opportunity to provide valuable information on other people, organizations and methods being used for cybercrime. He chose to be a double agent. This probably did not sit well with the judge.
What’s your take? Too long a sentence? Not long enough? Will this deter future hackers? I’d love to hear from you.
I participated in a panel discussion at SecureWorld Boston yesterday. The discussion topic was striking a balance between productivity and security, and it yielded three thoughts that I would like to discuss in today’s blog.
- The notion that our companies are going to employ the same type of security policies that we used over the last 30 years is ludicrous. With the arrival of the digital natives into the workforce, simply assuming that your new knowledge workers can adapt to your existing security policy is a farce. How do you establish security mechanisms for information when the people who use this information and data on a daily basis have a much more radical perception of information security and risk? Most digital natives think nothing of providing personal information via the Internet because there is a firm understanding that the information already exists there. These digital natives have grown accustomed to the idea that you should check your credit report every six months and always look for fraudulent charges when the statement arrives.
As a participating organization in the PCI Security Standards Council, Ipswitch File Transfer has the opportunity to review documents and recommendations before they become public. That is the case with the “Securing Virtual Payment Systems” document currently under review.
While I cannot provide specific details or quotes from the document at this time, it is common knowledge (after being stated at the 2008 PCI Community Meeting) that the PCI Council has been trying to get its arms around the proliferation of virtual machines and cloud resources in PCI deployments for some time.
The direction the council seems headed in is to treat not only virtual machines (“guests”) but also the hypervisor software that manages all virtual machines as IN SCOPE during PCI audits. If this comes to pass, it may have the following effects on the credit card processing industry (including many Ipswitch File Transfer customers).
- Users of Virtualization technology (including EMC VMware and Microsoft Hyper-V) may be encouraged to either segregate their PCI systems from non-PCI systems onto different physical VM platforms or bear an increased control and documentation burden on “mixed” PCI and non-PCI virtualized environments.
- Users of Virtualization technology will need to control and document their hypervisors as tightly as they control and document their operating systems.
As an accredited security auditor, I wholeheartedly agree with treating hypervisors as in scope and encourage the PCI Council to make this the final recommendation this year.
However, in terms of the direction the PCI Council seems to be taking in the cloud space, I worry that cloud providers will not be provided the same latitude that existing third-party hosting providers are currently afforded in the later sections of PCI DSS 1.2.
While I cannot cite specific passages here, I believe that limiting the definition of a “private cloud” to equipment that must be entirely owned and controlled by an organization will unfairly exclude third-party cloud providers that would otherwise be able to demonstrate segregated processing.
But all in all, this document is an important step forward in addressing evolving deployments for the PCI Council, and I encourage all involved to complete the work to make it official.
Several updates for MOVEit folks today.
First, if you haven’t already done so, please sign on to Linkedin and connect with:
- Me: http://www.linkedin.com/profile?viewProfile=&key=9278506&locale=en_US&trk=tab_pro Since I wrote the first editions of MOVEit software way, way back in 2002, direct customer feedback has been key, and I’d love to connect with you on Linkedin.
- The “File Transfer Technology Group”: http://www.linkedin.com/groups?home=&gid=2160411&trk=anet_ug_hm
- The “Managed File Transfer Group”: http://www.linkedin.com/groups?home=&gid=138445&trk=anet_ug_hm
Second, I promised to post some of the results of the survey taken by over 100 MOVEit server administrators last month.
- 99% of you would “recommend MOVEit” and 95% of you continue to use it for new projects.
- Over 50% of you took time to write in about the excellent support you get from MOVEit Support Manager Kevan Bard and his team. Thank you for the accolades – we’ll work to ensure great support is available forever.
- Over 50% of you said that a web interface on MOVEit Central and combined MOVEit DMZ and MOVEit Central reporting should be a “high” development priority.
- Over 50% of you listed “data loss protection” (DLP) as a “high” development priority.
- Your most pressing OS concern was “64-bit support”, beating out other selections like “Virtual Appliance” and “Linux” (in that order).
Finally, the second-most popular “content” feature in that survey was “extract, transform and load” (ETL). This is a modern name for file transformation, manipulation, splitting, merging and extraction, plus a management layer to define the transformation maps. If you want to contact me (via Linkedin or other methods), I would love to hear how you do this today or how you might see this working with our software in the future.