Proofpoint: Security, Compliance and the Cloud

164 posts categorized "Data Loss Prevention"

December 16, 2013

FFIEC Raises the Bar on Social Media and Regulatory Compliance

On Wednesday, the Federal Financial Institutions Examination Council (FFIEC) issued its long-awaited guidance "Social Media: Consumer Compliance Risk Management Guidance", covering the use of social media within financial services. The guidance applies to banks and nearly every other financial entity that falls under the regulatory umbrellas of the Office of the Comptroller of the Currency (OCC), FDIC, NCUA, and Consumer Financial Protection Bureau (CFPB).

While the guidance imposes no new obligations upon firms, it does a very thorough job of highlighting the plethora of existing regulations whose rules should be considered in assessing the risks of using social media for firm business. These include:

Applying to Deposit and Lending:

  • Truth in Savings Act/Regulation DD
  • Fair Lending Laws: Equal Credit Opportunity
  • Fair Housing Act
  • Truth in Lending Act/Regulation Z
  • Real Estate Settlement Procedures Act
  • Fair Debt Collection Practices Act
  • FTC Section 5 on Unfair, Deceptive, or Abusive Acts
  • FDIC requirements on Deposit Insurance

Applying to Payment Systems:

  • Electronic Fund Transfer Act
  • Check Transactions rules

Applying to Data Privacy:

  • Children's Online Privacy Protection Act
  • CAN-SPAM Act
  • Gramm-Leach-Bliley Act (GLBA)

On the GLBA point, the FFIEC noted specific relevance when social media has been integrated into the overall customer experience. In this case, firms should clearly disclose the use of social media within their privacy policies, as required under GLBA.

Most importantly, the guidance outlines the compliance, operational, and reputational risks associated with social media, and encourages the use of risk management programs to assess the potential exposure to the firm. Components of this program should include:

  • Design with participation from stakeholders from compliance, technology, information security, legal, human resources, and marketing
  • A governance structure with clear roles and responsibilities
  • Policies and procedures regarding the use and monitoring of social media and compliance with all applicable consumer protection laws and regulations
  • A risk management process for selecting and managing third-party relationships in connection with social media
  • An employee training program that incorporates the institution's policies and procedures for official, work-related use of social media, and potentially for other uses of social media, including defining impermissible activities
  • An oversight process for monitoring information posted to proprietary social media sites administered by the financial institution or a contracted third party
  • Audit and compliance functions to ensure ongoing compliance with internal policies and all applicable laws and regulations, and incorporation of guidance as appropriate
  • Periodic evaluation of the effectiveness of the social media program and whether the program is achieving its stated objectives.

The net effect of the FFIEC guidance should be to encourage firms to think holistically about social media as an integrated component of their information risk management strategy. As a component of this strategy, firms should also evaluate available technologies that allow for the proactive capture and secure storage of social media content - as is provided today for email, instant messages and other mature communication technologies.

The business use of social media is undeniable - and the FFIEC guidelines clearly demonstrate that regulated firms should take proactive steps now to ensure issues with existing regulations are avoided.

November 25, 2013

Social Media and Compliance: Salesforce Chatter

We just returned from the Financial Services track at Dreamforce, where many speakers touched on the topic of Archiving for Chatter – and its potential regulatory implications. This led to many interesting discussions at our booth, with some of the common themes and conclusions summarized here.

  1. The most frequently asked question/comment: “We would like to enable Salesforce Chatter, but our compliance team is concerned about the implications. What can we do?” Not surprisingly, many of the Dreamforce attendees we talked to had recognized the business value of leveraging their investment in SFDC to drive collaboration and productivity via Chatter (or, perhaps, are being pressured by SF users to enable this feature). The reasons are clear within financial services: enabling better customer service, improving communication flow with independent agents, and sharing account information with peers. But simply turning that feature on led many into conversations about internal policies pertaining to social media, supervisory obligations addressed under FINRA’s 11-39 guidance on social media, and storage requirements within financial services outlined by SEC 17a3-4. Conclusions: 1) Chatter is easy to enable? Yes. 2) Opening a new collaboration channel within financial services raises regulatory compliance questions? UNEQUIVOCALLY YES.
  2. Compliance teams are becoming more active in decisions regarding use of Chatter. Again, not surprising: firms have grown accustomed to this since FINRA 11-39 in 2011, and more have acknowledged the futility of blocking social channels including LinkedIn and Twitter. Today, this involvement is moving beyond the yes/no of enabling access toward the issues of social media policy refinement: determining which specific social media channels can be utilized, which features within those channels are usable by investment professionals whose actions are regulated under FINRA and NASD rules, and how firms intend to monitor, supervise and report on those activities. Simply turning on the capability is the starting point – looking at how you may enable selective access to those users whose activities need to be archived and reported is where many companies appear headed.
  3. Salesforce Communities creates additional risk. As firms iron out plans to enable Salesforce Communities, it’s important to consider regulatory compliance as part of the discussion. Salesforce Communities enables firms to expose parts of their Salesforce environment to the outside world; creating a collaboration portal for customers, vendors or partners. The Chatter feed is an integral component of Communities and, without Chatter, the benefits of enabling Communities diminish. Similar to “internal” Chatter communications, it’s important to ensure that your archiving solution supports the capture of Chatter content that is authored within Communities as well. Moreover, if your firm creates multiple Communities, your archiving solution should be able to capture Chatter content only from the Communities that you specify, thereby eliminating unnecessary noise from your archive.
  4. Archiving of social media goes beyond basic storage. For many, the envisioned processes for manual collection and basic store/retrieve of Chatter content would be, in most cases, woefully inadequate. SEC Rule 17a3-4 in particular contains a number of specific provisions about information storage locations being “WORM-like” and actively managed to ensure information retains its integrity. Simply moving captured Chatter content to a network storage location – or copying to DVDs and sending to giant records warehouses via couriers in small vehicles – may not meet the risk profiles of your compliance executives.
  5. Firms are seeking leverage across other information sources. Enabling the capture and archival of Chatter content is not a unique discussion; firms have already been through this with email. But firms are reluctant to deploy yet another single-purpose repository to manage that information. In fact, most of the attendees we talked to are seeking to aggregate Chatter with other captured social media content – and leverage the existing processes and technology they already use for email. This leverage brings familiarity and comfort to compliance teams – and a higher likelihood that SFDC teams can roll out Chatter faster with fewer compliance obstacles.

Proofpoint, with its Archiver for Chatter solution, can help organizations address these challenges, with a proven track record of capturing and managing content for many leading financial institutions that need to adhere to SEC, FINRA, and other emerging regulatory requirements. For more information about our Social Platform for Archiving solution, please visit



October 09, 2013

Free RSA® Security Expo 2014 Passes, Courtesy of Proofpoint: Use Code SC4PROOFB


It might seem like the far future, but RSA Conference 2014 is only a few months away and registration is now open!

Proofpoint will be exhibiting at the RSA Conference 2014, to be held February 24 thru February 28, 2014 at Moscone Center in San Francisco.

If you'd like to attend the RSA Conference 2014 expo (exhibits), you can get a free exhibits-only pass (which RSA calls an "Expo Pass") courtesy of Proofpoint by using code SC4PROOFB or EC4PROOFE when you register.

To register for your free RSA exhibits pass, please visit the following URL and enter code SC4PROOFB during the registration process:

Proofpoint will be at RSA 2014 in a big way, with booths in both the South (booths #1527 and #520) and North halls (booth #3615). Since you won't be able to miss us, we fully expect you to stop by, meet the friendly Proofpoint staff, and take a moment to learn about our latest cloud-based solutions for threat management (including email security and targeted attack protection), compliance (data loss prevention, email encryption), enterprise information archiving & governance, and secure communications.

I also expect we'll be doing our traditional information security survey and we'd love to have you take a few minutes to participate. (If you're interested in the findings from the 2013 survey, you can find them here:

See you in San Francisco next February!


February 26, 2013

Phishing Statistics 2013: New Proofpoint Report on "Longline" Phishing Attacks

In conjunction with our exhibit at the 2013 RSA Security conference, Proofpoint published a new report today that describes a new class of phishing attacks that the company has dubbed "Longline" phishing attacks.

Longlining, which is named after the industrial fishing practice of deploying miles-long fishing lines with thousands of individual hooks, combines successful spear phishing tactics with mass customization. Using these techniques, attackers are now able to rapidly deploy thousands of unique, malware laden messages that are largely undetectable to traditional signature and reputation-based security systems.

Worse, despite their scale, these mass customized phish were effective enough to trick more than 10 percent of recipients into clicking on malicious content capable of taking complete control of PCs and compromising corporate networks.

Proofpoint was able to trace and defeat these attacks for enterprises using Proofpoint Targeted Attack Protection™, the company's recently introduced, big data protection solution. Download our new paper, Longline Phishing: Email-borne Threats, Cloud Computing, Big Data, and the Rise of Industrial Phishing Attacks to learn more about this new class of attacks, including:

  • The unique characteristics of longline phishing attacks
  • How those characteristics make longlining attacks extremely difficult for traditional email and perimeter security systems to detect and block
  • Details about how these attacks are carried out
  • Data about the alarming effectiveness of longline phishing attacks

And if you're at the RSA Conference this week, come visit us at booth 739 -- take our annual security survey and we'll give you one of our limited edition t-shirts (as usual, they are pretty cool for vendor swag).

January 23, 2013

Proofpoint Winter 2013 Release Introduces Proofpoint Secure Share: Secure, Managed File Transfer for the Enterprise

In a press release issued today, Proofpoint announced its Winter 2013 release, which includes updates to our entire suite of cloud-based enterprise security and compliance solutions. One of the highlights of the latest release is a new cloud solution for securely transferring large or sensitive files, Proofpoint Secure Share.

Proofpoint Secure Share provides enhanced security and administrative control over traditional file transfer methods, existing on-premises solutions, and public cloud file sharing services. It leverages the advanced data loss prevention features of Proofpoint Enterprise Privacy to automatically enforce DLP rules such as blocking or encrypting sensitive content.

For a quick overview of the capabilities of Proofpoint Secure Share, including the end-user experience, administrative interface and data loss prevention features, check out this brief video demonstration:

In addition to the new secure file transfer capabilities, the Winter 2013 release includes enhancements across our cloud-based threat protection (Proofpoint Enterprise Protection, Proofpoint Targeted Attack Protection), archiving (Proofpoint Enterprise Archive), and governance (Proofpoint Enterprise Archive Content Collection option) solutions.

In our next live web seminar, File Sharing: Getting Data Control Without Frustrating Your Enterprise Users, we'll be taking a closer look at Proofpoint Secure Share and the issues involved in enabling business users to share large files in an easy, secure and compliant way.

December 03, 2012

Best Email Security Solutions 2013: Proofpoint is a Finalist in SC Magazine Reader Trust Awards, 2013

We're honored once again to be finalists in SC Magazine's Reader Trust Awards. Proofpoint Enterprise Protection and Proofpoint Enterprise Privacy are finalists in the Reader Trust Awards category "Best Email Security Solution."

You can read more about this category and find the complete list of best email security solution finalists here, "Best Email Security Solution."

As usual, the winners of the annual SC Awards will be unveiled at an event held in conjunction with the RSA Security Conference which will be held at San Francisco's Moscone Center, February 25 through March 1, 2013. (If you'd like to attend the RSA Security Expo free of charge, see my previous blog post about how you can use Proofpoint's code FXE13PRF when you register.)

Proofpoint followers may recall that Proofpoint Enterprise Protection and Privacy won a similar category ("Best Email Content Management Solution") in 2012. If you'd like to learn more about why SC Magazine readers selected Proofpoint as the 2012 winner, you can register to download the award write-up here.

Thanks to our friends at SC Magazine for once again recognizing Proofpoint Enterprise as one of today's leading email security solutions!

November 27, 2012

Spear Phishing Attack Cause of Massive South Carolina Data Breach

It will come as no surprise to regular readers of this blog, but it was revealed this week that a recent, massive data breach at the South Carolina Department of Revenue -- which exposed "millions of Social Security numbers, bank account information and thousands of credit and debit card numbers" according to SearchSecurity -- started with a phishing attack around mid-August 2012.

According to the official response report (South Carolina Department of Revenue, Public Incident Response Report, November 20, 2012), "A malicious (phishing) email was sent to multiple Department of Revenue employees. At least one Department of Revenue user clicked on the embedded link, unwittingly executed malware, and became compromised. The malware likely stole the user’s username and password."

Later, the attacker logged into a remote access service using compromised user credentials and began an ongoing process of escalating privileges and installing malware on compromised servers. Potentially stolen information exfiltrated by the attacker totalled more than 74 Gigabytes of data.

SearchSecurity's coverage (see, "Phishing attack, stolen credentials sparked South Carolina breach") notes that, "In addition to the 3.8 million people whose data were exposed, the breach included information on 1.9 million dependents. It also included data on 699,900 businesses. Information on 3.3 million bank accounts were also stolen."

SC Magazine also has a good summary of this attack and the phishing attack that ultimately led to the release of confidential information (see, "S.C. tax breach began when employee fell for spear phish").

If you're interested in the methods and motives of today's advanced targeted attackers, you'll want to join us for our next live web seminar, "Targeted Hybrid Attacks on Organizations: 2012 & Beyond," on Wednesday, December 5 (11 AM PT / 2 PM ET).

Forrester Research security analyst Rick Holland will be on hand to discuss the South Carolina breach as just the latest example of spear-phishing-led attacks, why organizations keep getting phished, and how to apply today's email security solutions to keep your enterprise's most valuable data secure.

Follow the link above to register, or simply complete the form below:

November 16, 2012

Stay Safe Online this Holiday Season: Proofpoint's Seven Simple Rules and New Advanced Targeted Attacks Webinar

Yes, the holiday season is approaching once again and along with holiday celebrations and shopping — especially "Cyber Monday" and "Black Friday" sales, which seem to start earlier every year — also comes an increase in online threats.

Over the past several years, Proofpoint security researchers have observed that the volume of attacks — including phishing email attacks, social media exploits and other types of malware attacks — typically increases during the holiday season. Many of these attacks are engineered to take advantage of the consumer mindset during the holidays.

Our October 2012 report on email security threats found that, on any given day, phishing attacks represented 10% to more than 30% of total unsolicited email volume, and this trend has continued into the first part of November.

So, as is traditional here at Proofpoint, I wanted to take a moment to remind you of our "Seven Simple Rules" for staying safe online during the busy holiday season. Read on for our updated tips for 2012 and feel free to share them with your friends, family and email users!

As usual, we also have a couple of early presents for you IT security types: December's live web seminar "Targeted Hybrid Attacks: 2012 and Beyond" will feature special guest Rick Holland, security analyst for Forrester Research. And you can read Rick's latest research, The Forrester Wave™: Email Content Security, Q4 2012, compliments of Proofpoint.

Proofpoint's Seven Simple Rules for Staying Safe Online During the Holidays

1. Be aware: Always view with suspicion any email with requests for personal IDs, financial information, user names or passwords. Your bank, online services, government agencies or legitimate online stores are extremely unlikely to ask you for this type of information via email. Consumers should also be suspicious of similar emails that appear to come from an employer or friend. Never send personal financial information such as credit card numbers and Social Security numbers via email. Today’s malicious emails and phishing attacks are disguised as communications from all sorts of organizations, including banks, money transfer services, government agencies, media outlets, and package delivery services.

2. Don’t click: If you receive a suspicious email, don’t click the links in the email or open file attachments from anything but 100 percent trusted sources. Links embedded in emails may take you to fraudulent sites that look similar or identical to the legitimate “spoofed” site. In addition to attempting to gather your personal login credentials, these phishing sites may also automatically install malicious software, without your knowledge. Increasingly, scammers are using link shortening services to disguise the true destinations of their links. Instead of clicking, open a browser and type the actual Web address for the site into the address bar. Alternatively, call the company using a phone number you already know.

3. Be secure: When you are shopping online, entering important information such as credit card numbers, or updating personal information, make sure you’re using a secure Web site. If you are on a secure Web server, the Web address will begin with “https://” instead of the usual “http://”. Most Web browsers also show an icon (such as Internet Explorer’s “padlock” icon) to indicate that the page you are viewing is secure.

4. Don’t fill out email forms: Never fill out forms within an email, especially those asking for personal information. Instead, visit the company’s actual Web site (using a Web address you already know) and ensure that the page you are using is secure before entering sensitive information.

5. Keep an eye on your accounts: Check the accuracy of your credit card and bank statements on a regular basis, especially during the busy holiday shopping season. Many scammers count on consumer inattention to get away with fraudulent charges. If you see anything suspicious, contact your financial institution immediately.

6. Get social media savvy: Email isn’t the only attack vector used by spammers and scammers. Social media sites like Facebook and Twitter are increasingly used to deliver the same kinds of scams and malicious links to unsuspecting users. Spammers and malware writers continue to distribute malicious, but convincing, emails that masquerade as notifications such as friend requests or message notifications. Keep all of the preceding tips in mind when using the latest communication tools.

7. Make security your first stop: If your holiday includes giving or receiving a new computer, mobile device or upgraded operating system, install a good anti-virus or Internet security solution before doing anything else online. Reputable vendors include F-Secure, McAfee and Symantec. There are also reputable free solutions such as Avast, so a lack of resources doesn't mean you have to go without security. Be extremely wary of Web pop-ups that offer “free security scans” or that inform you that your machine is infected with a virus. Such offers commonly lead to fraudulent anti-virus solutions that are actually malicious software.
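Rule 2 above comes down to one question: does a link actually go where it appears to go? The following is an added example (not Proofpoint's code, and not from the original post) of the check a mail filter or a cautious user can run over the links in an HTML email before anyone clicks: it flags links that are not HTTPS, links routed through a URL shortener, links whose visible text names one domain while the href points at another, raw-IP hosts, and userinfo tricks. The shortener list, the two-label "registrable domain" heuristic (no public-suffix list is consulted offline), and the sample email are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed, illustrative list of URL-shortener hosts (assumption: not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}

# Anchor tags in a simple HTML body: capture the real href and the visible text.
ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
TAG_RE = re.compile(r"<[^>]+>")
# Visible text that itself looks like a URL or hostname (optional scheme, then a dotted host).
VISIBLE_HOST_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def _host(url):
    return (urlparse(url).hostname or "").lower()


def _registrable(host):
    # Crude heuristic: the last two labels. A real filter would use the public-suffix list.
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_link(href, text):
    """Return a list of warning strings for one (href, visible text) pair; empty means no finding."""
    warnings = []
    parsed = urlparse(href)
    href_host = _host(href)
    if parsed.scheme.lower() != "https":
        warnings.append("not https")
    if href_host in SHORTENER_HOSTS:
        warnings.append("url shortener hides destination")
    if IPV4_RE.fullmatch(href_host):
        warnings.append("raw IP address host")
    if "@" in parsed.netloc:
        warnings.append("userinfo in URL can disguise host")
    # If the visible text looks like a web address, compare its domain with the real target.
    visible = TAG_RE.sub("", text).strip()
    m = VISIBLE_HOST_RE.match(visible)
    if m and _registrable(m.group(1).lower()) != _registrable(href_host):
        warnings.append(f"displayed '{m.group(1)}' but goes to '{href_host}'")
    return warnings


def scan_html(html):
    """Return [(href, warnings)] for every anchor in the HTML body."""
    return [(href, check_link(href, text)) for href, text in ANCHOR_RE.findall(html)]


def suspicious_links(html):
    """Only the links that produced at least one warning."""
    return [(href, w) for href, w in scan_html(html) if w]


# Constructed sample message: one shortened/HTTP link with misleading text,
# one look-alike host, and one legitimate link. Hosts use reserved example domains.
SAMPLE_EMAIL = """
<p>Your order has shipped! Track it at
<a href="http://bit.ly/xyz123">https://www.examplebank.com/track</a></p>
<p>Or sign in at <a href="https://www.examplebank.com.login-verify.example/secure">www.examplebank.com</a></p>
<p>Help: <a href="https://support.example.com/help">support.example.com</a></p>
"""

if __name__ == "__main__":
    for href, warnings in scan_html(SAMPLE_EMAIL):
        print(href, "->", "; ".join(warnings) or "no findings")
```

The shortener and look-alike checks are the ones that matter for the tips above: a shortened link gives the reader no way to apply rule 2's "type the address yourself" advice, and a visible `www.examplebank.com` that resolves to `login-verify.example` is exactly the "similar or identical" site the rule warns about. Treat any warning as a reason to navigate to the site by a known address instead of clicking.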

Have a safe and happy holiday season, OK?


October 04, 2012

Free RSA® Security Expo 2013 Passes, Courtesy of Proofpoint: Use Code FXE13PRF

[Update 10/9/2013: Looking for 2014 passes? Use our new code SC4PROOFB. Find the registration link in this post.]

In a sure sign that summer is over and that the holidays are nearly here, I am informed that registration is now open for the RSA Conference 2013.

As usual, Proofpoint will be exhibiting at the RSA Conference 2013, to be held February 25 thru March 1, 2013 at Moscone Center in San Francisco.

If you'd like to attend the RSA Conference 2013 expo (exhibits), you can get a free exhibits-only pass (which RSA calls an "Expo Pass") courtesy of Proofpoint by using code FXE13PRF when you register.

To register for your free RSA exhibits pass, please visit the following URL and enter code FXE13PRF during the registration process:

We look forward to seeing you there! Proofpoint will be exhibiting at booth #739, demonstrating our entire suite of cloud-based data protection solutions, including threat management (email security), compliance (data loss prevention, email encryption), archiving & governance, and secure communications.


October 02, 2012

Cloud Storage and Collaboration Meet Security, Compliance and DLP: Box and Proofpoint Team Up

Our friends at content sharing leader Box issued a press release about ongoing efforts to improve enterprise adoption of its service by improving visibility and security for files stored in Box's cloud.

A significant part of that effort involves an integration partnership between Proofpoint and Box that extends Proofpoint's cloud-based data loss prevention (DLP) capabilities to content stored in Box. Using these new features, administrators will be able to ensure compliance with a wide variety of corporate policies, comply with data protection/privacy regulations and guard against the loss or exposure of confidential information.

As Proofpoint CEO Gary Steele explained to CIO Today, "We are delivering an advanced layer of security capabilities that enable enterprises to have a full view of what is happening with sensitive information across their organization."

Gary will be talking more about this partnership during a panel discussion at the upcoming Box customer conference, BoxWorks.




©2012 Proofpoint, Inc.