Posts from ‘Enforcement’
FTP is unsecure and generally unmonitored
SC Magazine just published a short article titled “FTP described as unsecure and generally unmonitored”.
In the article, fellow Managed File Transfer (MFT) vendor Axway correctly points out that “usernames, passwords, commands and data can be easily intercepted and read while files transferred via FTP are uploaded or downloaded without any encryption.”
Not to overstate the obvious, but I wholeheartedly agree (and this should come as no surprise to our avid blog readers). The FTP protocol turned 40 years old in 2011 and although still functional, it was not designed to provide any encryption or guaranteed delivery. Unfortunately, many organizations are still relying on outmoded homegrown FTP scripts or have deployed basic FTP servers scattered throughout their organization – all lacking basic security measures, not to mention important visibility, management and enforcement capabilities.
Today, the 40-year old FTP protocol proudly serves as the foundation for the majority of data transfer and application integration technologies that organizations rely on so heavily. But luckily for us all, modern file transfer solutions deliver much more than basic FTP:
- VISIBILITY capabilities such as logging; reporting; alerts; notifications; chain-of-custody and file life cycle tracking
- MANAGEMENT capabilities such as workflows and scheduling of file related processes; person-to-person file transfer; integration with systems/applications; data transformation; high availability; virtualized platform support
- ENFORCEMENT capabilities such as user provisioning; password policies; encryption requirements (for example, requiring 256-bit AES encryption over FTPS or SFTP protocols); file integrity checking; non repudiation
Now is the time to replace old and often insecure point FTP solutions and hard-to-maintain scripts with technology that includes the benefits of a modern MFT solution.
Ipswitch has been cautioning companies about the dangers of private/confidential information being sent through Google (and other hosted and person-to-person services), both from a security and a responsibility perspective.
Last week’s GMail hack further drives home the point that organizations must proactively manage and have visibility into what information is being shared with service providers and how information is being sent between people.
Don’t let your guard down and simply treat the cloud as just another internal resource…. They need to be properly managed and governed just like any other third-party.
Ipswitch’s Frank Kenney recently concluded a 4-part webcast series on integration. It’s not too late to watch a replay of it. In parts 3 and 4, Frank talks through the issue of relying on cloud providers and provides tips for managing and governing cloud and person-to-person interactions.
Google revealed yesterday a targeted phishing attack from China against hundreds of GMail users, including government officials and military personnel. The FBI, Department of Homeland Security, and the White House National Security Council are all participating in an investigation of the cyber attack.
My hope is that this breach will serve as the wake up call that public and private businesses need to start enforcing policies around personal email. 
According to an Ipswitch survey at the InfoSec Europe conference, employee use of personal email is still a major problem. Nearly 70% of respondents send classified information (including payroll and customer info) via standard email every month… And 40% admitted to sending confidential information through personal email accounts specifically to eliminate the trail of what was being sent to whom.
Have you provided your employees with a simple tool to send large and confidential files? Do you have visibility into what is being sent and to whom?? Do you have a documented AND enforced policy around using personal webmail accounts from work computers???
Employees have proven over and over that they will ‘do what they need to do’ in order to be productive. It’s critical that organizations provide simple, safe and auditable tools that enable employees to collaborate and share files. It’s equally important that they govern employee activities to mitigate data risk by increasing visibility, control, compliance and security.
“Google has asked for U.S. government support against censorship, but the government’s response has been to ask companies to take responsibility. If Google does have an ulterior motive, it’s likely to be to pressure the U.S. government to take a more active role in defending U.S. companies in markets like China that present obstacles to fair competition.
Google is urging Gmail users to review their account settings to make sure they’re secure, but Kenney suggested Google could do more to alert users when their accounts are accessed from an unfamiliar IP address or when their accounts have been configured to forward messages.”
Last week’s Sony data breach shattered TJX’s longstanding record for the largest customer data theft ever, a dubious honor that TJX has held since 2007.
The massive Sony breach leaves millions and millions of credit cards at risk. Details still aren’t clear yet, but the Sony breach *may* have included the theft of customer credit card information, as well as other personal information such as billing addresses, usernames/passwords, email addresses, birthdays, and transaction histories.
Did Sony take reasonable care to protect, encrypt, and secure the private and sensitive data of its users?
Did Sony take too long to notify customers that their personal information had been exposed?
Looks like these questions will be answered in a courtroom as the first lawsuit resulting from the Sony security breach of the personal data of more than 75 million Sony PlayStation Network customers has been filed.
The class action lawsuit seeks seeks a trial by jury and fitting monetary reimbursement…. And the case’s Overview cites “breach of warranty, negligent data security, violations of consumers’ rights of privacy, failure to protect those rights, and failure and on-going refusal to timely inform consumers of unauthorized third party access to their credit card account and other nonpublic and private financial information” as cause enough, noting Sony’s “failure to maintain adequate computer data security of consumer personal data and financial data.”
For more information, take a look at the post on the Sony PlayStation blog. I’m sure we’ll be learning more as further breach details are disclosed and as court proceedings advance.
Many thanks to the Verizon RISK Team (along with the U.S. Secret Service and the Dutch High Tech Crime Unit) for publishing their 7th annual analysis of data breaches. Compromised data continues to plague organizations worldwide, and studies like the 2011 Data Breach Investigations Report can help us all avoid becoming a victim – both as individuals and also as corporate citizens.
Here are a few noteworthy data points:
Nearly 800 data breaches were reported in 2010, a sharp increase from the 900 breaches reported in the previous six years combined- 4 million records were compromised in 2010 which is significantly less than the 144 million compromised in 2009
- Many breaches involved sending data externally – Take this as a warning to pay more attention to information leaving your organization
- 89% of companies suffering credit card breaches were not PCI compliant at the time of the breach, indicating that organizations with rigorous compliance efforts are less likely to be breached
- Only 17% of breaches implicated insiders (down from 31% last year) and 29% had a physical component
A key takeaway is that while the quantity of data breaches quintupled in 2010, the number of compromised records actually dropped. This data is consistent with the growing belief that attackers are increasingly targeting smaller companies (which tend to have less focus and expertise on IT security) simply because they are easier to exploit.
As the Verizon team points out, in the world of cyber crime, knowledge is power. Not only do companies require visibility into the files and data that are being transferred around an in/out of their organization, but they also need the management and enforcement capabilities to control, govern, and protect the growing number of mission-critical and confidential files that are being accessed every day by internal and external systems, applications and people.
