Proofpoint: Security, Compliance and the Cloud

25 posts categorized "Security"

July 10, 2012

Mobile Privacy Standards to be Discussed this Week

In this digital age, our smartphones tend to know more information about us than say, our great Aunt Suzie. From your name and location to the interests of you and your closest friends, all of this information is readily available to advertisers and marketers the moment you accept the terms and agreements of certain mobile applications.

The accessibility of such data has sparked a continued dispute between consumer groups and online marketing firms over the access of user information via mobile applications.

On July 12, the National Telecommunications and Information Administration (NTIA) will host the first of several meetings in an effort to develop new codes of conduct for handling private consumer data on the internet and on mobile networks. The meeting will focus primarily on mobile application security and provide a chance for industry stakeholders to voice their concerns regarding access to private consumer data.

The upcoming meetings stem from a Consumer Privacy Bill of Rights released by the Obama Administration in February of this year. Instead of calling for new privacy standards, Obama’s Bill of Rights calls for a multi-stakeholder process to develop general rules and regulations. The process has generated skepticism about whether this system will incorporate the desires of all publics fairly, most importantly the consumers.

The start of the NTIA meetings could not come soon enough. Recent episodes of mobile applications illegally downloading user information have heightened the need for defined mobile privacy standards. The issue of mobile security now goes beyond simply the applications to also include the advertisements shown within them.

As we watch to see if an outcome can be achieved at the NTIA meetings, it will be interesting to see how these standards will reflect on the corporate side of the equation. Right now, companies must decide for themselves which security features to implement for their employees. Increasingly, this means that creating mobile security applications that encrypt, archive, and protect company data on an employee's smartphone will likely become a corporate necessity.

June 27, 2012

Protecting Your Most Sensitive Data: 5 Hot Password Protection Tips

[Editor's note: Please welcome intern Courtney Klosterman as a new, regular contributor to the blog. Courtney is a recent graduate of Purdue University working with us on public relations and social media. Take it away, Courtney!]

What is your philosophy on passwords? Do you stick to simplicity or maintain a mixture?

Depending on your answer, you may or may not be surprised to learn that the passwords people choose are often easy to figure out. According to a recent story on NPR News regarding password safety, the grand champions in popularity include patterns on the keyboard, such as 123456, and terms of endearment, with princess topping the charts.

Like a lot of people, I used to be unconcerned about the thought of someone hacking into and manipulating my online information. But today, I'm definitely more mindful of this issue as I've become aware of just how many Internet users have had issues with password security. Whether you've personally had experience with a compromised account or not, you can't ignore the constant stories in the media about passwords being compromised from even the most reputable banks, enterprises and social sites.

The recent password hack attacks on social media sites LinkedIn and eHarmony have prompted social media giant, Facebook, to ramp up its own security features. Within the next few weeks the company will be asking users to provide a mobile phone number so that in the instance that a person’s account is hacked, the confirmed phone number will allow Facebook to wipe out the user’s password immediately and send them a new one via SMS.

So how do we stay one step ahead of the ever broadening force of hackers? Here are five of the latest and greatest password tips to ensure your accounts are highly protected.

1. Avoid all aspects of the phrase “Reduce-Reuse-Recycle.”

With more personal information available on the internet than ever before, it is crucial to increase the number of passwords used for different accounts. Refrain from reusing and recycling old passwords as it heightens the possibility of re-using a compromised password.

2. Use an open source password manager.

For those of us who are much too wary to keep an aggregated list of usernames and passwords hidden in our desk drawer, there are secure software programs to help keep track. An example of such a program is KeePass, a free program that retains all of your passwords in one database, which is encrypted and only opened with a master password. The program can also generate random, highly secure passwords for separate accounts with a user-specified number of characters, numbers and symbols.

3. Create strong security questions.

An account is less likely to be hacked if you provide less personal information. Instead of providing the answer to the infamous "your mother’s maiden name," think up a question that is less obvious to the public, such as "what street did you live on in third grade?" Of course, there is nothing wrong (if you can remember it) with using a fictional answer to these questions. Mitt Romney's email was allegedly hacked when someone guessed the correct answer to one of his security questions. The NPR news story makes a similar suggestion worth checking out.

4. Mix up the characters.

If you have anything less than a photographic memory, i.e. you have difficulty remembering an ambiguous mixture of numbers, letters and symbols, then instead try to substitute symbols and numbers for letters within a word. For example, if you wanted to use PROOFPOINT as a strong(er) password, it could be written as Pro0fp0!nt.

5. Variance is key.

Refrain from setting yourself up for a single point of failure. In many instances, a hacker will steal passwords from sites with weak security and then try the same username and password combos on other more secure sites. By using a program such as KeePass you can make sure to avoid this possibility by having different, strong, automatically-generated passwords for every account.

 

November 08, 2011

Free RSA® Security Expo 2012 Passes, Courtesy of Proofpoint: Use Code EC12PRF

[Update 10/4/2012: Looking for 2013 passes? Use our new code FXE13PRF. Find registration link in this post.]

Wow, is it almost the end of 2011? Looking forward to 2012 for a moment, once again Proofpoint will be exhibiting at the RSA Conference 2012, to be held February 27 thru March 2, 2012 at Moscone Center in San Francisco.

If you'd like to attend the RSA Conference 2012 expo (exhibits), you can get a free exhibits-only pass (which RSA calls an "Expo Pass") courtesy of Proofpoint by using code EC12PRF when you register.

To register for your free RSA exhibits pass, please visit the following URL and enter code EC12PRF during the registration process:

https://ae.rsaconference.com/US12/portal/login.ww

We look forward to seeing you there! Proofpoint will be exhibiting at booth #850, demonstrating our latest SaaS-based threat management (email security), compliance (data loss prevention, email encryption), archiving & governance, and secure communication solutions.

 

August 22, 2011

Cloud Computing and the Law: Gary Steele Discusses Cloud Privacy and Security on NBC's Press Here



There are two kinds of people: Those who get up early enough on Sunday to watch the news and policy wonk shows and, well, those of us who don't. If, like me, you find yourself in the second camp, you might have missed Proofpoint's CEO, Gary Steele, discussing "Cloud Computing and the Law" with reporters from NBC, Forbes and Bloomberg on yesterday's edition of NBC's "press:here" interview show.

In this segment, Gary discusses some of the legal issues around cloud computing, including whether an electronic document stored in the cloud is entitled to the same protection as that same file stored in a physical safe. While this conversation is focused on data privacy and legislative issues, a discussion of some of the security concerns around cloud computing and storage also comes up.

The conversation ranges from basics about "the cloud" to the concerns around data locality, search and seizure of data and the evolving state of privacy legislation. You can watch a video replay below:

 

 

June 27, 2011

Microsoft Data on Phone Phishing Scams: No, Security Engineers from Legitimate Companies Won't Call & Request Your Credit Card Number

Our partner Microsoft recently published results of a survey revealing a new kind of internet scam that involves criminals calling people at home to tell them their computers are not fully protected from security threats.  The callers request remote access to users’ computers and credit card information by posing as computer security engineers from legitimate companies.

And, of course, once granted access to that information they "run through a range of deception techniques designed to steal money," according to Microsoft's announcement.

Out of 7,000 users surveyed in the U.K., Ireland, U.S. and Canada, 15 percent received a call from scammers and 3 percent fell for the scam.  The average amount of money stolen was $875 and the average cost of repairing damaged computers was $1,730.

Richard Saunders of Microsoft says, “Criminals have proved once again that their ability to innovate new scams is matched by their ruthless pursuit of our money.” 

The line between legitimate calls and malicious schemes can be blurry at times as we often give out credit card information over the phone to pay for bills and order products.  This is especially true with older generations that may not be technically savvy enough to distinguish the difference. 

Microsoft offers some tips on how to protect yourself:

  • Be suspicious of unsolicited calls related to a security problem, even if they claim to represent a respected company.
  • Never provide personal information, such as credit card or bank details, to an unsolicited caller.
  • Do not go to a website, type anything into a computer, install software or follow any other instruction from someone who calls out of the blue.

You can also protect yourself online by following Proofpoint's “seven simple rules for staying safe online.”

 

June 16, 2011

Was Your Email Address Leaked by LulzSec?

LulzSec recently released 62,000 emails and passwords to the public through the group’s Twitter account. The tweet was deleted shortly afterward, but many have already downloaded the list.

Gizmodo.com developed a simple tool that allows you to check whether your email was part of the leak. 

Our friend at F-Secure, Mikko H. Hypponen, tweeted that the emails and passwords might have originated from writerspace.com:

"Why writerspace.com? Well, the most common passwords include these: mystery, bookworm, reader, romance, library, booklover and..writerspace."

As a friendly reminder, change your passwords often and use passwords with special characters and numbers.

See my previous blog post on LulzSec.

April 28, 2011

Think Your Data Can't be Safer in the Cloud? Andres Begs to Differ... But Not All Clouds are Created Equal, as Ponemon Confirms

Proofpoint's vice president of technology, Andrés Kohn, apparently used some mildly salty language at the opening of his well-attended InfoSecurity Europe presentation, "Can Data Be Safer in the Cloud?" last week.

If you're one of those cloud skeptics who holds the view that, to remain secure, data needs to stay within the corporate datacenter, Andrés begs to differ.

"Quite frankly, I think this view is a bunch of...," says Kohn.

All kidding aside, ServerWatch's Paul Rubens has an excellent overview of Andrés's talk, reported in 5 Reasons Why the Cloud Should be More Secure than Your Data Center.

Highly recommended reading, but in short, providers of secure, cloud-based services can potentially keep your data more secure than even your own datacenter through:

1. Greater Economies of Scale
2. More Secure Development Lifecycles
3. Continuous Auditing
4. Higher Levels of Automation and Repeatability
5. Stricter Access Controls

Of course, not every cloud-based vendor is going to follow security best practices or even make security a top priority.

A slightly scary press release and new report from the Ponemon Institute and CA Technologies drove that point home this week with some interesting data showing that many providers of cloud-based services are focused more on delivering cost and speed-of-deployment advantages than on security.

Among the findings:

  • Fewer than 20% of cloud providers across the U.S. and Europe view security as a competitive advantage.
  • Fewer than 30% of respondents consider security as an important responsibility.
  • Fewer than 27% of respondents feel their cloud services substantially protect and secure customer information.
  • The majority of cloud providers (69%) believe security is primarily the responsibility of the cloud user... In contrast to 35% of cloud users who believe security is their responsibility.

Yikes. Here's the link to the full report:

Ponemon Institute, Security of Cloud Computing Providers Study, April 2011
(PDF format)

March 23, 2011

New Security, Compliance and Cloud Computing Newsfeed Debuts

We recently launched a new newsfeed called "Proofpoint Security, Compliance and the Cloud News."

Each weekday our editors publish new, original articles about topics that readers of this blog will appreciate. Subjects include cloud computing, SaaS, IT security, compliance, archiving, eDiscovery, email security and data loss prevention issues.

There are several ways to stay up to date with this newsfeed:

You can read the articles online in your web browser by visiting:

http://www.proofpoint.com/news-and-events/security-compliance-and-cloud-news/index.php

Or you can subscribe to our Security Compliance and the Cloud RSS feed and read the articles in your favorite RSS reader.

If you're more social media oriented, follow our @ProofpointNews Twitter account, which automatically tweets headlines and links whenever new articles are published. (Unlike our main Twitter account, @ProofpointNews only tweets headlines from the Security, Compliance and the Cloud newsfeed... Follow @Proofpoint_Inc for those and a whole lot more...)

 

February 17, 2011

The Advantages of Cloud Computing for IT Security and Compliance, Proofpoint CEO Gary Steele

In our newest Proofpoint CEO Series video, Gary Steele shares his thoughts on some of the cost, scalability, reliability and security advantages offered by cloud computing, especially as it relates to enterprise solutions for IT security and compliance.

More videos in our ongoing CEO series can be found in the blog here:

http://blog.proofpoint.com/ceo-series/

February 17, 2011

Let's Blog About Security Blogging: Notes from RSA Security Bloggers Meetup

One of my favorite parts of RSA is the now traditional Security Bloggers Meetup, organized by the fine folks at the Security Bloggers Network.

Each year, a growing number of bloggers from the field of IT security get together to meet, greet, exchange ideas, have a cocktail and acknowledge the "best of the best" in the annual "Social Security Awards." That's Alan Shimel (of the excellent AShimmy blog) and Rich Mogull (analyst at Securosis) presenting this year's awards.

Somehow, yours truly wound up presenting the award for "Single Best Security Blog Post of the Year" which was a new category this year.

Anyway, the winner in that category was Chris Eng's excellent video "How to be an Information Security Thought Leader," which has to be one of the most awesome uses of the (very odd) Xtranormal online video creator I've yet seen. Unfortunately I can't seem to embed the video here in the blog, so you'll have to follow the link (or click the preview image at left).

Believe me, it's well worth checking out...

In addition to being an impromptu award presenter, I also met some great new contacts (that I hope to feature here as guest bloggers on occasion) and caught up with friends like our pal Richi Jennings (who had an excellent post yesterday at Computerworld about the aftermath of attacks on security firm HBGary).

My thanks again to the organizers and sponsors of this year's event for a great time! 

©2012 Proofpoint, Inc.