Archive for September, 2010
I had the pleasure of attending the SecureWorld Expo last week in Santa Clara, CA, right in the heart of Silicon Valley. Although it was a relatively small show, the audience was feisty! And as the first tradeshow I’ve attended as an Ipswitch employee, and my first security-themed show, there was a ton to learn.
The range of exhibitors and their offerings was impressive and instructive. Attendees (and this reporter) had the opportunity to learn about end point security, patch management, threat management appliances, disaster recovery, identity management, and much more.
Here are a few vendors that caught my eye:
- ESET – whose live, 2-inch long cockroaches drew cringes and well-earned attention to their anti-virus solutions set;
- Websense – whose DLP solution is a great complement to Ipswitch’s managed file transfer products, as it automatically identifies content that likely contains data that is sensitive and needs to be secured;
- Veracode – which is changing the game in application security testing with its SaaS static testing and analysis offerings.
I was tapped to be a panelist for a breakout session entitled “Data Protection – Walking the Thin Line Between Employee Productivity and Security”. It was a great subject that my fellow panelists handled very well, demonstrating their deep knowledge about security solutions and how they fit (or don’t) within corporate cultures. I look forward to exploring these questions with Ipswitch’s customers and at other tradeshows in the coming months.
The most insightful conversations I had at the show were with attendees who visited our booth. More on those conversations soon….
We recently reached an amazing milestone in our iCare@Ipswitch program (also check out our new iCare blog). Through iCare, Ipswitch has donated over $2 million dollars to a variety of community and charitable causes.
As an employee of Ipswitch, I take great pride in knowing that our CEO has incorporated social conscience and philanthropy into the core culture of our company. Not only does Ipswitch donate 5% of company profits to a variety of community programs, but also employees from around the globe volunteer to participate in events and causes. It’s our unique deep-rooted culture that truly separates Ipswitch from other organizations that I have been a part of.
Community involvement is an integral part of Ipswitch’s culture and values. At the heart of the iCare@Ipswitch commitment we recognize that the vitality of our company is linked to the health of our communities. And we know that our communities cannot flourish unless we invest in their future.”
At my 1-year and 3-year Ipswitch anniversaries, Ipswitch gave me $500 to donate to a charity of my choice. When my son was born last year, Ipswitch gave me another $500 to donate to my preferred charity. These are personal and meaningful examples of why Ipswitch is so special.
And keep an eye on the iCare blog to read about our recent and upcoming events.
Today, the PCI Security Standards Council announced several changes to the PCI DSS standard that directly apply to file transfer applications. These include:
- Adding references to SSH as as a secure protocol (SSL/TLS was already mentioned).
- Explicit consideration of virtual machines and virtualization hypervisors as “in scope” during PCI audits. (As predicted by my March blog post.)
- Changing key rotation requirements from “at least annually” to “based on industry best practices and guidelines”
- Splitting some identity and authentication requirements for users, “non-consumers” and administrators.
- Increasing the importance of security around accurate timekeeping, especially as it pertains to audit logs. (Coordinated and reliable timestamps are helpful during civil and criminal investigations as well as internal forensics investigations.)
The council also gave notice that a process to classify and rank vulnerabilities by risk valuations (e.g., value of asset times exposure) would be required by June 30, 2012 – details to come later.
These changes were among the many announced by Technical Working Group Chairperson Emma Sutcliff during the general sessions at the PCI Council Community Meeting in Orlando, Florida. Complete written lists of all changes and full copies of the proposed v.2.0 PCI DSS standard were also shared with all PCI Council Community members, including Ipswitch and approximately fifty of Ipswitch’s customers in attendance at the conference.
In the next few weeks these documents will be finalized and released and implementation of the PCI DSS v.2.0 standard will begin with Reports of Compliance (“ROCs”) filed on or January 1, 2011. Additional PCI Council draft documents on emerging technologies are also expected by October 5 of this year (and periodically after that); as these become available I will continue to share what I can about them with the wider file transfer community.
Tonight I’m blogging from the PCI Council Community Meeting here in Orlando, FL. Tomorrow we’ll be talking about the new changes in version 2.0 of the PCI DSS audit requirements (set to go into effect in 2011), but tonight was the welcome reception for the 1000 attendees here at the Buena Vista Palace Hotel.
Participation in the PCI Council Community Meeting conference is on the rise. Two years ago there were about 500 attendees from 300 participating organizations – now the numbers have roughly doubled. There are probably two major factors behind this.
One factor is the de facto status of PCI DSS as one of the gold standards of information security. When five competing credit card companies came together in 2004 to publicly agree on a single security standard there was much rejoicing throughout the industry. And the standard has held up: though major releases have come every two years, the original twelve categories and most of the subcategories remain essentially unchanged from the original.
The second factor is the ever-widening circle of companies that fall under the scope of PCI compliance. Originally it was large credit card processors and retailers, but in recent years even companies that only handle a few dozen credit card transactions a year have had to take notice. And as the scope widens, there are more people who want their voices to be heard in the decision-making process, which is where this week’s conference comes in.
I’ll be posting a few more items about this conference in next few days – please stay tuned.
Here’s another reminder for webmasters and server admins that you need to carefully protect your FTP login credentials because people are trying hard to steal them.
Last week SC Magazine wrote about a website containing over 100,000 stolen FTP login credentials. Network security and management firm Blue Coat discovered the sensitive files, which contained username and password combinations to FTP servers located around the globe.
The really scary part of this story is that most of the compromised passwords were deemed “reasonable strong”, according to Chris Larsen, a security researcher at Blue Coat. The breach wasn’t the result of weak passwords that were easily hacked or guessed. The credentials were stolen by an attacker who used sophisticated tools to get machine or network access, and then watched for them.
“The discovery, however, does provide an opportunity to remind webmasters that their FTP credentials should be protected and treated with as much care as banking credentials. Try to only use them from computers that are known to be secure. The bad guys want your login.”
Here are a few password tips to keep in mind:
- Always use strong passwords. Here’s a nice primer on how to create strong passwords.
- Don’t use the same password for all your online accounts. Sure, it’s easier, but the flipside is that if your password is hacked for one account, then the password you use for your other accounts is compromised also.
- Change your password to sensitive accounts at least every couple of months. That way, even if your account has been compromised, you’ve limited how long it stays that way.
- Never leave a post-it note with your secret passwords stuck to your wall or on your desk.