Data Breach Primer – What Does it all Mean?
Hey SEC, it’s Frank Kenney at Ipswitch. I don’t mean to rock the boat but I had a few quick questions regarding your recent announcement that you are requiring companies to notify their customers of a breach or risk of breach.
- What’s a “breach”? Does it mean the bad guys came in and took the data? Or maybe the data was left unencrypted? Or perhaps an executive lost his or her BlackBerry? Wikipedia talks about breaches of confidence, breaches of contract and breaches of faith. Is it all or none of the above?
- What does “notify” mean? Email? Snail mail? SMS? Press release? Facebook status update? Tweet? We just don’t know. And when do they need to send that out? When it happens (or it happened?) When it was discovered? When it was fixed? This is key and I say this because the breaches that happened were reported months after they actually happened. So when?
- And by “customers”, do you mean people who pay for my services? What if my services are free like social networks? Does free = exempt? What if I give you my email and contact info, does that make me a customer?
- What in the world is “risk of breach” and why shouldn’t I just fix it instead of telling my customers?
If you don’t mind I’d like to give the public in general my 2 cents…
The real story is this: we should all take these breaches seriously because at some point they will impact us individually. We must make it crystal clear to our service providers, our Internet providers and in some cases our employers that there needs to be policies and enforcement around the proper use and retention of our private information. We must also make clear that these same providers must put processes in place to better communicate and resolve any future data breaches. In much the same way we now see consumers making purchase decisions based on the carbon footprint of their suppliers/providers, the same approach will be taken when it comes to private confidential information. We at Ipswitch believe putting a secure managed file transfer solution in place will allow these suppliers to stem breaches by giving them visibility into how data is being accessed and for what purpose BEFORE these breaches happen.
Every day, files are exchanged between your systems, employees, and business partners on a global scale. It’s no secret that with each file transfer, your organization faces potential exposure to viruses, worms, Trojan horses and other malware – and the damaged files, corrupted applications, reduced performance and other adverse business effects that come with them.
Are your file transfers as safe as they can be? Specifically, when you receive inbound files, are you doing all you can to protect your IT infrastructure from the risk of viruses and malware?? Are your outbound data and file transfers “clean,” so you don’t expose your trading partners to any viruses that might be undetected in your systems???
Ipswitch MOVEit and MessageWay solutions offer the ability to integrate with specific antivirus solutions. Here’s a link to learn more about MOVEit DMZ’s new ability to integrate with Sophos and Symantec ICAP enabled antivirus solutions to ensure that only clean files enter your infrastructure.
For example, all files uploaded to MOVEit DMZ (including those sent using the person-to-person Ad Hoc Transfer module) are first scanned and validated to ensure that they are free of viruses, trojans, malware and other malicious threats. If an infected file is detected the following actions will immediately and automatically be taken:
• Rejects the transfer of the infected file
• Alerts end user that upload failed due to virus detection
• Logs the virus, timestamp, the scan engine, version and definition tag
• Reports the list of infected files that have been detected during a specified time period
By integrating your antivirus solution with your managed file transfer solution, you ensure that all the files you receive are scanned before they enter your network. Not only does this protect your applications, data and valuable IT assets, but it prevents you from accidentally passing on any viruses that may exist in your systems.
Word has quickly spread that a serious weakness has been discovered in the Secure Sockets Layer (SSL) protocol that allows attackers to silently decrypt data that’s passing between a web server and an end-user browser.
All reports indicate that this vulnerability affects the SSL protocol itself and is 
not specific to any operating system, browser or software/hardware product. This is an information disclosure vulnerability that allows the decryption of encrypted SSL 3.0 and TLS 1.0 traffic. It primarily impacts HTTPS web traffic, since the browser is the primary attack method.
SSL and TLS are two of the industry standard technologies that Ipswitch File Transfer solutions use to encrypt data while in-transit. Additional technologies such as AES transport encryption, PGP file encryption, and the encrypted FTPS and SFTP protocols are also used to secure data. As always, we recommend a defense-in-depth approach for protecting sensitive data.
At this point the vulnerability is not considered a high risk. Ipswitch is closely monitoring the situation closely and will implement recommendations and provide updates if this turns into a serious threat. We agree with Microsoft’s recommendation to prioritize the RC4 cipher suite and to enable TLS 1.1 in client and server. And given the choice, use the unaffected FTPS and SFTP protocols (and not HTTPS) until this vulnerability investigation is complete. Microsoft has also issued a fix fix that enables support for TLS 1.1 in Internet Explorer on Windows 7 and Windows 2008.
As George Hulme recently wrote, the vision of Senator Richard Blumenthal’s data breach legislation is simple enough: Protect individuals’ personally identifiable information from data theft, and penalize firms that don’t adequately secure their customers’ information.
Clearly, there’s a need for organizations to better secure confidential and private customer information. It seems that a week rarely passes without a new high-profile data breach in the news. In fact, 2011 is trending to be the worst-ever year for data breaches. And that is despite many U.S. states introducing legislation that expands the scope of state laws, sets stricter requirements related to notification of data breaches involving personal information, and increases penalties for those responsible for breaches.
The need to protect customer data is unanimously shared by honest people worldwide…. The issue is HOW to effectively govern and enforce the various data protection requirements and laws?
I agree with Senator Blumenthal’s concept of establishing “appropriate minimum security plans”…. But color me skeptical on the government’s ability to appropriately monitor and enforce those plans, especially after witnessing the mighty struggles at effectively governing the dozens of state laws already on the books.
My skepticism is shared by many, including Mark Rasch, director of cybersecurity and privacy consulting at Computer Sciences Corporation: “The devil is in the details with these laws. We’ve had regulations, from Gramm-Leach-Bliley to HIPAA, that purport to help protect consumer data. Companies are already victims in these attacks, so why are we penalizing them after a breach? I think that’s because it’s easier to issue fines than it is to track down the criminals and go after them.”
In my opinion, business leaders need to prioritize their own internal efforts to properly protect sensitive information rather than wait on the government to catch up. First order of business is to identify where confidential files and data live in your organization and ensure visibility of that info (after all, how can you protect what you don’t know about?). Fortunately, there are technology solutions available to help organizations better manage and govern their critical files and data as they are being moved and consumed both internally and with business partners and across people, systems and various business applications.
Many customers today expect ‘WAN acceleration’ technology (sometimes referred to as WAN Optimization) as part of their MFT vendor’s solution offering. In general this is a useful addition to the MFT feature set, and can certainly reduce file transfer times in a wide variety of scenarios. However, customers should have realistic expectations of what these acceleration technologies can offer, and be cognizant of the limitations and constraints imposed by the carrier network itself.
Ipswitch FT in the News
- NHBC delivers security and compliance with Ipswitch File Transfer MOVEit
- Corporate data loss seen to be a collective responsibility
- Do You Know Where Your Files Are Headed?
- Four Out Of Five Businesses Have Little Or No Visibility Of Data Movement
- Four out of five businesses (80%) have little or no visibility of data movement, reveals Ipswitch File Transfer UK security survey
