Proofpoint: Security, Compliance and the Cloud

60 posts categorized "Social Media"

November 16, 2012

Stay Safe Online this Holiday Season: Proofpoint's Seven Simple Rules and New Advanced Targeted Attacks Webinar

Yes, the holiday season is approaching once again and along with holiday celebrations and shopping — especially "Cyber Monday" and "Black Friday" sales, which seem to start earlier every year — also comes an increase in online threats.

Over the past several years, Proofpoint security researchers have observed that the volume of attacks — including phishing email attacks, social media exploits and other types of malware attacks — typically increases during the holiday season. Many of these attacks are engineered to take advantage of the consumer mindset during the holidays.

Our October 2012 report on email security threats found that, on any given day, phishing attacks represented 10% to more than 30% of total unsolicited email volume and this trend has continued into the first part of November.

So, as is traditional here at Proofpoint, I wanted to take a moment to remind you of our "Seven Simple Rules" for staying safe online during the busy holiday season. Read on for our updated tips for 2012 and feel free to share them with your friends, family and email users!

As usual, we also have a couple of early presents for you IT security types: December's live web seminar "Targeted Hybrid Attacks: 2012 and Beyond" will feature special guest Rick Holland, security analyst for Forrester Research. And you can read Rick's latest research, The Forrester Wave™: Email Content Security, Q4 2012, compliments of Proofpoint.

Proofpoint's Seven Simple Rules for Staying Safe Online During the Holidays

1. Be aware: Always view with suspicion any email with requests for personal IDs, financial information, user names or passwords. Your bank, online services, government agencies or legitimate online stores are extremely unlikely to ask you for this type of information via email. Consumers should also be suspicious of similar emails that appear to come from an employer or friend. Never send personal financial information such as credit card numbers and Social Security numbers via email. Today’s malicious emails and phishing attacks are disguised as communications from all sorts of organizations, including banks, money transfer services, government agencies, media outlets, and package delivery services.

2. Don’t click: If you receive a suspicious email, don’t click the links in the email or open file attachments from anything but 100 percent trusted sources. Links embedded in emails may take you to fraudulent sites that look similar or identical to the legitimate “spoofed” site. In addition to attempting to gather your personal login credentials, these phishing sites may also automatically install malicious software, without your knowledge. Increasingly, scammers are using link shortening services to disguise the true destinations of their links. Instead of clicking, open a browser and type the actual Web address for the site into the address bar. Alternatively, call the company using a phone number you already know.

3. Be secure: When you are shopping online, entering important information such as credit card numbers, or updating personal information, make sure you’re using a secure Web site. If you are on a secure Web server, the Web address will begin with “https://” instead of the usual “http://”. Most Web browsers also show an icon (such as Internet Explorer’s “padlock” icon) to indicate that the page you are viewing is secure.

4. Don’t fill out email forms: Never fill out forms within an email, especially those asking for personal information. Instead, visit the company’s actual Web site (using a Web address you already know) and ensure that the page you are using is secure before entering sensitive information.

5. Keep an eye on your accounts: Check the accuracy of your credit card and bank statements on a regular basis, especially during the busy holiday shopping season. Many scammers count on consumer inattention to get away with fraudulent charges. If you see anything suspicious, contact your financial institution immediately.

6. Get social media savvy: Email isn’t the only attack vector used by spammers and scammers. Social media sites like Facebook and Twitter are increasingly used to deliver the same kinds of scams and malicious links to unsuspecting users. Spammers and malware writers continue to distribute malicious, but convincing, emails that masquerade as notifications such as friend requests or message notifications. Keep all of the preceding tips in mind when using the latest communication tools.

7. Make security your first stop: If your holiday includes giving or receiving a new computer, mobile device or upgraded operating system, install a good anti-virus or Internet security solution before doing anything else online. Reputable vendors include F-Secure, McAfee and Symantec. There are also reputable free solutions such as Avast, so a lack of resources doesn't mean you have to go without security. Be extremely wary of Web pop-ups that offer “free security scans” or that inform you that your machine is infected with a virus. Such offers commonly lead to fraudulent anti-virus solutions that are actually malicious software.

Have a safe and happy holiday season, OK?

 

July 10, 2012

Mobile Privacy Standards to be Discussed this Week

In this digital age, our smartphones tend to know more information about us than, say, our great Aunt Suzie. From your name and location to the interests of you and your closest friends, all of this information is readily available to advertisers and marketers the moment you accept the terms and agreements of certain mobile applications.

The accessibility of such data has sparked a continued dispute between consumer groups and online marketing firms over the access of user information via mobile applications.

On July 12, the National Telecommunications and Information Administration (NTIA) will host the first of several meetings in an effort to develop new codes of conduct for handling private consumer data on the internet and on mobile networks. The meeting will focus primarily on mobile application security and provide a chance for industry stakeholders to voice their concerns regarding access to private consumer data.

The upcoming meetings stem from a Consumer Privacy Bill of Rights released by the Obama Administration in February of this year. Instead of calling for new privacy standards, Obama’s Bill of Rights calls for a multi-stakeholder process to develop general rules and regulations. The process has generated skepticism about whether this system will incorporate the desires of all publics fairly, most importantly the consumers.

The start of the NTIA meetings could not come soon enough. Recent episodes of mobile applications illegally downloading user information have heightened the need for defined mobile privacy standards. The issue of mobile security now goes beyond simply the applications to also include the advertisements shown within them.

As we watch to see if an outcome can be achieved at the NTIA meetings, it will be interesting to see how these standards will reflect on the corporate side of the equation. Right now, companies must decide for themselves which security features to implement for their employees. Increasingly, this means that creating mobile security applications that encrypt, archive, and protect company data on an employee's smartphone will likely become a corporate necessity.

June 28, 2012

Proofpoint is Hiring: Cool Jobs in Security, Cloud, Big Data, See Us at Tech Career Expo SF (Adjacent to Google I/O)

Proofpoint is hiring! If you're searching for the next defining step in your career, come and see us at the Tech Career Expo in San Francisco.

The Tech Career Expo and Developer Jam is taking place today and tomorrow June 28 and 29 at the Moscone Center in San Francisco. The expo is being held concurrently with Google’s sold out developer conference, Google I/O, which is also taking place in the Moscone Center. As an added perk, keynotes and key sessions from Google I/O will be live streamed into the developer theater for Tech Career Expo attendees to view.

The most exciting part of the event (other than talking with awesome Proofpoint recruiters!) is that anyone can attend the Tech Career Expo free of charge.

Don’t miss out on the opportunity to network with Proofpoint professionals who are hiring in all areas of technology. We're seeking the best and the brightest for positions in engineering, operations, big data (Hadoop, MapReduce, Hive, etc.), quality assurance, software R&D, marketing and sales.

If you will be attending the Expo or Google I/O, make a point to stop by Proofpoint's Tech Career Expo booth (#512) to learn about all of our incredible employment opportunities.

For those who cannot make the event but are interested in a career with Proofpoint, check out the Proofpoint careers page for information on available positions.

June 27, 2012

Protecting Your Most Sensitive Data: 5 Hot Password Protection Tips

[Editor's note: Please welcome intern Courtney Klosterman as a new, regular contributor to the blog. Courtney is a recent graduate of Purdue University working with us on public relations and social media. Take it away, Courtney!]

What is your philosophy on passwords? Do you stick to simplicity or maintain a mixture?

Depending on your answer, you may or may not be surprised to learn that the passwords people choose are often easy to figure out. According to a recent story on NPR News regarding password safety, the grand champions in popularity include patterns on the keyboard—such as 123456—and terms of endearment, with princess topping the charts.

Like a lot of people, I used to be unconcerned about the thought of someone hacking into and manipulating my online information. But today, I'm definitely more mindful of this issue as I've become aware of just how many Internet users have had issues with password security. Whether you've personally had experience with a compromised account or not, you can't ignore the constant stories in the media about passwords being compromised from even the most reputable banks, enterprises and social sites.

The recent password hack attacks on social media sites LinkedIn and eHarmony have prompted social media giant Facebook to ramp up its own security features. Within the next few weeks the company will be asking users to provide a mobile phone number so that, in the instance that a person’s account is hacked, the confirmed phone number will allow Facebook to wipe out the user’s password immediately and send them a new one via SMS.

So how do we stay one step ahead of the ever broadening force of hackers? Here are five of the latest and greatest password tips to ensure your accounts are highly protected.

1. Avoid all aspects of the phrase “Reduce-Reuse-Recycle.”

With more personal information available on the internet than ever before, it is crucial to increase the number of passwords used for different accounts. Refrain from reusing and recycling old passwords as it heightens the possibility of re-using a compromised password.

2. Use an open source password manager.

For those of us who are much too wary to keep an aggregated list of usernames and passwords hidden in our desk drawer, there are secure software programs to help keep track. An example of such a program is KeePass, a free program that retains all of your passwords in one database, which is encrypted and only opened with a master password. The program can also generate random, highly-secure passwords for separate accounts with a user specified amount of characters, numbers and symbols.

3. Create strong security questions.

An account is less likely to be hacked if you provide less personal information. Instead of providing the answer to the infamous “your mother’s maiden name,” think up a question that is less obvious to the public, such as “what street did you live on in third grade?” Of course, there is nothing wrong - if you can remember it - with using a fictional answer to these questions. Mitt Romney's email was allegedly hacked when someone guessed the correct answer to one of his security questions. The NPR news story makes a similar suggestion worth checking out.

4. Mix up the characters.

If you have anything less than a photographic memory, i.e. you have difficulty remembering an ambiguous mixture of numbers, letters and symbols, then instead try to substitute symbols and numbers for letters within a word. For example, if you wanted to use PROOFPOINT as a strong(er) password, it could be written as Pro0fp0!nt.

5. Variance is key.

Refrain from setting yourself up for a single point of failure. In many instances, a hacker will steal passwords from sites with weak security and then try the same username and password combos on other more secure sites. By using a program such as KeePass you can make sure to avoid this possibility by having different, strong, automatically-generated passwords for every account.

 

February 28, 2012

News from RSA 2012: Proofpoint Integration with Box, New Data Protection and Governance Capabilities

As we enter day two of the 2012 RSA Conference, Proofpoint issued a press release this morning (see, "Proofpoint Extends Data Protection and Information Governance Solutions to Address Cloud-Based File Sharing, Collaboration and Social Media") announcing new capabilities for Proofpoint Enterprise Privacy and Proofpoint Enterprise Governance, based on integration with popular cloud content management solution, Box.

According to the release, the integration between Proofpoint Enterprise solutions and Box will offer "enhanced security, compliance and control over documents shared via Box."

The integration is part of Proofpoint's ongoing strategy to help organizations better monitor and control the flow of information across all major data stores and communication channels, including cloud-based file sharing, collaboration and social media services. Read the full release here.

If you're at RSA, do make a point of coming by Proofpoint's booth (#850) in the Moscone Center exhibit hall where the team will be demonstrating some of the new capabilities. And while you're there, take our short survey and snag one of our cool "Email Me Your Credit Card" or "Open the Attachment" tees.

 

 

November 22, 2011

New Phishing Webinar and the Traditional "Stay Safe Online During the Holidays" Tips

The holiday season — you know, Black Friday, Cyber Monday and those other ones — is once again upon us.

Here at Proofpoint, we celebrate the season with two fine traditions: An inbound email threats webinar (see the bottom of this post for more details) and a reminder about how to stay safe online during the busy holiday shopping season.

At this time of year, both snail mail and email inboxes start to get full of special offers, catalogs and the like.

As the volume of legitimate email marketing increases, Proofpoint also sees the volume of spam, phishing and other forms of scam email increase as well. The chart below shows the relative volume of "obvious" phishing messages in Proofpoint's spam traps over the last month:

[Chart: holiday phishing volume, Proofpoint]

Over the course of 2011 we've seen spear phishing messages revealed to be the exploit at the root of many high-profile data breaches.

In the same way that enterprises and government organizations need to be wary of phishing messages and other types of threats, consumers too need to be especially careful around this time of year.

So, once again, let me reiterate our “Seven Simple Rules” for staying safe online during the holidays (or any time of the year) which explain some of the tactics that scammers use and the important steps consumers can take to protect themselves. Keep these tips in mind this holiday season and share them with your friends, family and email users!

Proofpoint's Seven Simple Rules for Staying Safe Online During the Holidays

1. Be aware: View with suspicion any email with requests for personal identification, financial information, user names or passwords, especially during the busy holiday season when spammers and scammers use the increased volume of legitimate promotional email as “cover” for their attacks. Your bank, online services, government agencies or legitimate online stores are extremely unlikely to ask you for this type of information via email. Consumers should also be suspicious of similar emails that appear to come from an employer or friend. Never send personal financial information such as credit card numbers and Social Security numbers via email. 

2. Don’t click: If you receive a suspicious email, don’t click the links in the email or open file attachments. Never click email links or open attachments from anything but 100% trusted sources. Links embedded in emails may take you to fraudulent sites that look similar or identical to the legitimate “spoofed” site. Instead of clicking, open a browser and type the actual Web address for the site into the address bar. Alternatively, call the company using a phone number you already know.

3. Be secure: When you are shopping online, entering important information such as credit card numbers, or updating personal information, make sure you’re using a secure Web site. If you are on a secure Web server, the Web address will begin with “https://” instead of the usual “http://”. Most Web browsers also show an icon (such as Internet Explorer’s “padlock” icon) to indicate that the page you are viewing is secure. 

4. Don’t fill out email forms: Never fill out forms within an email, especially those asking for personal information. Instead, visit the company’s actual Web site and ensure that the page you are using is secure before entering sensitive information. 

5. Keep an eye on your accounts: Check the accuracy of your credit card and bank statements on a regular basis, especially during the holiday shopping season, when cyber attacks typically increase and busy consumers tend to be less attentive. If you see anything suspicious, contact the financial institution immediately.

6. Get social media savvy: Email isn’t the only attack vector used by spammers and scammers. Social media sites like Facebook, LinkedIn and Twitter are commonly used to deliver the same kinds of scams and malicious links to unsuspecting users. Be wary of social media notifications—such as friend requests, security notices and message notifications—that arrive via email. Scammers have spoofed these sorts of messages to deliver links that lead to fraudulent sites or malware.

7. Make security your first stop: If your holiday includes giving or receiving a new computer (or tablet, netbook, operating system upgrade, etc.) always install a good desktop anti-virus or Internet security solution before doing anything else online. Always make sure that your net-connected computers are protected by such a solution—and that you keep your subscription up to date! Reputable vendors include F-Secure, McAfee and Symantec.

There are also reputable free solutions such as Avast, so a lack of resources doesn't mean you have to go without security. But be extremely wary of Web pop-ups that offer “free security scans” or that inform you that your machine is infected with a virus. Such offers usually lead to fraudulent anti-virus solutions that are actually malicious software.

If you'd like to learn more about the latest phishing threats, and new techniques for stopping them, attend our upcoming live web seminar Don't Get Hooked by the Latest Phishing Attacks (December 14th, 11 a.m. PT/2 p.m. ET). To register, visit the link — or simply fill out the form below:

June 14, 2011

Blog Comment Spam: How It's Used for Internet Marketing... with Funny Examples

[Editor's note: Please welcome guest commentator Joseph Lei, currently a student at San Jose State University, who is interning with Proofpoint for the summer. Joseph will be regularly contributing to the blog over the course of his time here. Take it away, Joseph... -K-]

At Proofpoint, one of our focus areas is fighting email spam, but spam can come in many forms on the internet. Just about any type of online service—social networking sites, short message services, you name it—is likely to be affected by some type of spam analog.

If you've been roaming around the internet lately, you're likely to have encountered a blog just like this one, filled with interesting articles and comments. Blog commenting systems give readers a quick and easy way to interact with the authors, but have also become a target for internet marketers, spammers and scammers looking for a way to create back links to their own websites.

Back links can be seen by hovering over a spammer’s user name in the comments. These links are valuable for search engines such as Google and Yahoo to determine rankings for keywords.

Spammers use sophisticated bots that automatically search or “scrape” for blogs with comments enabled and can post millions of comments in a matter of hours.

This type of "black hat" search engine optimization technique is generally frowned upon by the leading search engines, which have taken aggressive action against such tactics. As just one high-profile example, JC Penney was recently caught using this method and was able to rank number one in Google for keywords such as “skinny jeans”, “casual dresses”, and “casual dresses”.

To help you identify spam comments, here are a few common categories that I have collected:

The Inspired: [image: Inspired]

The Dreamer: [image: Dreamer]

The Confused: [image: Confused]

The English Teacher: [image: English]

The Poet: [image: Poet]

The Supporter: [image: Keith]

There are a variety of free and commercial solutions for blog comment spam. Among them are TypePad anti-spam (which is built into TypePad's hosted solutions, but also available as a plug-in) and a free tool called Akismet that uses techniques similar to Proofpoint’s award-winning anti-spam technology. Akismet maintains an enormous database of known spammer I.P. addresses, usernames, email addresses, and comment styles.

So the next time you see spam comments on your favorite blog, you might want to notify the owner about the availability of these solutions!

May 25, 2011

Exchange 2010 Email Archiving Features: Are they Enough for Your Organization?

Our live web seminar series continues on Wednesday, June 15th as Proofpoint email archiving experts present, "Why Relying on Exchange 2010 Alone for Archiving Could Cost You."

Join us to learn about recently introduced email retention and discovery features in Microsoft Exchange 2010, the extent of those features and how they match up with today's enterprise requirements for archiving and eDiscovery.

We'll discuss why those new features may not adequately address the full legal discovery, compliance and mailbox management features your organization requires.

As I've noted here regularly, failure to properly retain email and deploy the necessary technology to enable rapid discovery of electronic records in the case of lawsuits or regulatory actions can end up costing your organization significant time, money and effort.

We'll also discuss best practices for preparing your organization for the most common eDiscovery scenarios, the feature requirements you should consider when evaluating email archiving solutions and recent trends - such as the growing use of social media in the enterprise - that you should factor in when making decisions about your enterprise archiving strategy.

To register, visit our webinar registration page or simply fill out the form below. As always, all registrants will receive a link to the replay of the live webinar, so feel free to register even if you can't make it to the live event.

May 16, 2011

No, You Can't See Who's Looking at Your Facebook Profile, Stalking You on Facebook: New Profile Views Counter Scam

As regular readers of this blog no doubt realize, phishing scams aren't confined to email. On Facebook, one of the most popular phishing/malware distribution schemes has been come-ons that allege to let you "see who's been viewing your profile" or "see who's stalking you."

Per Facebook's own FAQ on this subject (see Facebook FAQ item "Can I see who's viewed my profile?"):

"Facebook does not provide applications or groups with the technical means to allow people to track profile views or see statistics on how often a particular piece of content has been viewed and by whom."

Proofpoint spam fighter Scott Panzer sent me an example of the latest version of this scam, which encourages users to drop a bit of JavaScript code into their browser's address bar, supposedly to enable them to see who is viewing their profile.

As you've probably guessed, the code itself is malicious. If executed, it spams itself to your Facebook wall and your online friends. It then friends you to several other random accounts, probably with the goal of executing further phishing attacks.

We see Facebook friends getting fooled by these sorts of scams quite frequently and it's worth reminding your friends (or users inside your organization) to be aware of phishing attacks on Facebook and to specifically note that any application that purports to let you see who is viewing your profile is certainly phony and malicious.

You might also find it helpful to share our "Seven Simple Rules for Staying Safe Online", most recently posted in my article, "Stay Safe from Email Threats in the Wake of Epsilon Email List Breach."

May 04, 2011

Learn About 2011's Top Five Email Security and Collaboration Risks in Healthcare in Our May Webinar

Proofpoint's live web seminar series continues on Wednesday, May 18th with "Healthcare Privacy 2011: Top 5 Messaging and Collaboration Risks." Proofpoint data loss prevention expert Rami Habal will discuss:

  • How hospitals, HMOs and other medical providers can manage email and social media content in compliance with privacy regulations
  • How advances in policy-based email encryption can greatly simplify administration, reduce costs and improve usability for both desktop and mobile email recipients
  • The impact of regulations—including HIPAA/HITECH—on data privacy and retention policies in the healthcare industry
  • Recommendations for taking a proactive approach to archiving email and other communications in the event of litigation or regulatory investigation
  • Trends in inbound threats that could compromise your email and messaging infrastructure, and expose private data
  • How other leading healthcare organizations have tackled today’s critical messaging and collaboration challenges, while improving patient care.

To register, follow the link above, or simply fill out the form in this blog post.


©2012 Proofpoint, Inc.