Proofpoint: Security, Compliance and the Cloud

55 posts categorized "Social Media"

November 22, 2011

New Phishing Webinar and the Traditional "Stay Safe Online During the Holidays" Tips

The holiday season — you know, Black Friday, Cyber Monday and those other ones — is once again upon us.

Here at Proofpoint, we celebrate the season with two fine traditions: An inbound email threats webinar (see the bottom of this post for more details) and a reminder about how to stay safe online during the busy holiday shopping season.

At this time of year, both snail mail and email inboxes start to get full of special offers, catalogs and the like.

As the volume of legitimate email marketing increases, Proofpoint sees the volume of spam, phishing and other forms of scam email increase as well. The chart below shows the relative volume of "obvious" phishing messages in Proofpoint's spam traps over the last month:

Over the course of 2011 we've seen spear phishing messages revealed to be the exploit at the root of many high-profile data breaches.

In the same way that enterprises and government organizations need to be wary of phishing messages and other types of threats, consumers too need to be especially careful around this time of year.

So, once again, let me reiterate our “Seven Simple Rules” for staying safe online during the holidays (or any time of the year) which explain some of the tactics that scammers use and the important steps consumers can take to protect themselves. Keep these tips in mind this holiday season and share them with your friends, family and email users!

Proofpoint's Seven Simple Rules for Staying Safe Online During the Holidays

1. Be aware: View with suspicion any email with requests for personal identification, financial information, user names or passwords, especially during the busy holiday season when spammers and scammers use the increased volume of legitimate promotional email as “cover” for their attacks. Your bank, online services, government agencies or legitimate online stores are extremely unlikely to ask you for this type of information via email. Consumers should also be suspicious of similar emails that appear to come from an employer or friend. Never send personal financial information such as credit card numbers and Social Security numbers via email. 

2. Don’t click: If you receive a suspicious email, don’t click the links in the email or open file attachments. Never click email links or open attachments from anything but 100% trusted sources. Links embedded in emails may take you to fraudulent sites that look similar or identical to the legitimate “spoofed” site. Instead of clicking, open a browser and type the actual Web address for the site into the address bar. Alternatively, call the company using a phone number you already know.

3. Be secure: When you are shopping online, entering important information such as credit card numbers, or updating personal information, make sure you’re using a secure Web site. If you are on a secure Web server, the Web address will begin with “https://” instead of the usual “http://”. Most Web browsers also show an icon (such as Internet Explorer’s “padlock” icon) to indicate that the page you are viewing is secure. 

4. Don’t fill out email forms: Never fill out forms within an email, especially those asking for personal information. Instead, visit the company’s actual Web site and ensure that the page you are using is secure before entering sensitive information. 

5. Keep an eye on your accounts: Check the accuracy of your credit card and bank statements on a regular basis, especially during the holiday shopping season, when cyber attacks typically increase and busy consumers tend to be less attentive. If you see anything suspicious, contact the financial institution immediately.

6. Get social media savvy: Email isn’t the only attack vector used by spammers and scammers. Social media sites like Facebook, LinkedIn and Twitter are commonly used to deliver the same kinds of scams and malicious links to unsuspecting users. Be wary of social media notifications—such as friend requests, security notices and message notifications—that arrive via email. Scammers have spoofed these sorts of messages to deliver links that lead to fraudulent sites or malware.

7. Make security your first stop: If your holiday includes giving or receiving a new computer (or tablet, netbook, operating system upgrade, etc.) always install a good desktop anti-virus or Internet security solution before doing anything else online. Always make sure that your net-connected computers are protected by such a solution—and that you keep your subscription up to date! Reputable vendors include F-Secure, McAfee and Symantec.

There are also reputable free solutions such as Avast, so a lack of resources doesn't mean you have to go without security. But be extremely wary of Web pop-ups that offer “free security scans” or that inform you that your machine is infected with a virus. Such offers usually lead to fraudulent anti-virus solutions that are actually malicious software.

If you'd like to learn more about the latest phishing threats, and new techniques for stopping them, attend our upcoming live web seminar Don't Get Hooked by the Latest Phishing Attacks (December 14th, 11 a.m. PT/2 p.m. ET). To register, visit the link — or simply fill out the form below:

June 14, 2011

Blog Comment Spam: How It's Used for Internet Marketing... with Funny Examples

[Editor's note: Please welcome guest commentator Joseph Lei, currently a student at San Jose State University, who is interning with Proofpoint for the summer. Joseph will be regularly contributing to the blog over the course of his time here. Take it away, Joseph... -K-]

At Proofpoint, one of our focus areas is fighting email spam, but spam can come in many forms on the internet.  Just about any type of online service—social networking sites, short message services, you name it—is likely to be affected by some type of spam analog.

If you've been roaming around the internet lately, you're likely to have encountered a blog just like this one, filled with interesting articles and comments. Blog commenting systems give readers a quick and easy way to interact with the authors, but have also become a target for internet marketers, spammers and scammers looking for a way to create back links to their own websites.

Back links can be seen by hovering over a spammer’s user name in the comments. These links are valuable for search engines such as Google and Yahoo to determine rankings for keywords.

Spammers use sophisticated bots that automatically search or “scrape” for blogs with comments enabled and can post millions of comments in a matter of hours.   

This type of "black hat" search engine optimization technique is generally frowned upon by the leading search engines, which have taken aggressive action against such tactics. As just one high-profile example, JC Penney was recently caught using this method and was able to rank number one in Google for keywords such as “skinny jeans”, “casual dresses”, and “casual dresses”.

To help you identify spam comments, here are a few common categories that I have collected:

The Inspired:

The Dreamer:

The Confused:

The English Teacher:

The Poet:

The Supporter:

There are a variety of free and commercial solutions for blog comment spam. Among them are TypePad anti-spam (which is built into TypePad's hosted solutions, but also available as a plug-in) and a free tool called Akismet that uses techniques similar to Proofpoint’s award-winning anti-spam technology. Akismet maintains an enormous database of known spammer IP addresses, usernames, email addresses, and comment styles.

So the next time you see spam comments on your favorite blog, you might want to notify the owner about the availability of these solutions!

May 25, 2011

Exchange 2010 Email Archiving Features: Are they Enough for Your Organization?

Our live web seminar series continues on Wednesday, June 15th as Proofpoint email archiving experts present, "Why Relying on Exchange 2010 Alone for Archiving Could Cost You."

Join us to learn about recently introduced email retention and discovery features in Microsoft Exchange 2010, the extent of those features and how they match up with today's enterprise requirements for archiving and eDiscovery.

We'll discuss why those new features may not adequately address the full legal discovery, compliance and mailbox management features your organization requires.

As I've noted here regularly, failure to properly retain email and deploy the necessary technology to enable rapid discovery of electronic records in the case of lawsuits or regulatory actions can end up costing your organization significant time, money and effort.

We'll also discuss best practices for preparing your organization for the most common eDiscovery scenarios, the feature requirements you should consider when evaluating email archiving solutions and recent trends - such as the growing use of social media in the enterprise - that you should factor in when making decisions about your enterprise archiving strategy.

To register, visit our webinar registration page or simply fill out the form below. As always, all registrants will receive a link to the replay of the live webinar, so feel free to register even if you can't make it to the live event.

May 16, 2011

No, You Can't See Who's Looking at Your Facebook Profile, Stalking You on Facebook: New Profile Views Counter Scam

As regular readers of this blog no doubt realize, phishing scams aren't confined to email. On Facebook, one of the most popular phishing/malware distribution schemes has been come-ons that allege to let you "see who's been viewing your profile" or "see who's stalking you."

Per Facebook's own FAQ on this subject (see Facebook FAQ item "Can I see who's viewed my profile?"):

"Facebook does not provide applications or groups with the technical means to allow people to track profile views or see statistics on how often a particular piece of content has been viewed and by whom."

Proofpoint spam fighter Scott Panzer sent me an example of the latest version of this scam, which encourages users to drop a bit of JavaScript code into their browser's address bar, supposedly to let them see who is viewing their profile.

As you've probably guessed, the code itself is malicious. If executed, it spams itself to your Facebook wall and your online friends. It then friends you to several other random accounts, probably with the goal of executing further phishing attacks.

We see Facebook friends getting fooled by these sorts of scams quite frequently and it's worth reminding your friends (or users inside your organization) to be aware of phishing attacks on Facebook and to specifically note that any application that purports to let you see who is viewing your profile is certainly phony and malicious.

You might also find it helpful to share our "Seven Simple Rules for Staying Safe Online", most recently posted in my article, "Stay Safe from Email Threats in the Wake of Epsilon Email List Breach."

May 04, 2011

Learn About 2011's Top Five Email Security and Collaboration Risks in Healthcare in Our May Webinar

Proofpoint's live web seminar series continues on Wednesday, May 18th with "Healthcare Privacy 2011: Top 5 Messaging and Collaboration Risks." Proofpoint data loss prevention expert Rami Habal will discuss:

  • How hospitals, HMOs and other medical providers can manage email and social media content in compliance with privacy regulations
  • How advances in policy-based email encryption can greatly simplify administration, reduce costs and improve usability for both desktop and mobile email recipients
  • The impact of regulations—including HIPAA/HITECH—on data privacy and retention policies in the healthcare industry
  • Recommendations for taking a proactive approach to archiving email and other communications in the event of litigation or regulatory investigation
  • Trends in inbound threats that could compromise your email and messaging infrastructure, and expose private data
  • How other leading healthcare organizations have tackled today’s critical messaging and collaboration challenges, while improving patient care.

To register, follow the link above, or simply fill out the form in this blog post.

April 19, 2011

Video: Proofpoint Customer Case Study - Redwood Credit Union

Following up on my previous video post featuring some great anti-phishing and password tips from Proofpoint customer Tony Hidlesheim of Redwood Credit Union, here are two more videos where Tony talks about how his organization uses Proofpoint to secure inbound email while preventing data loss via outbound email and HTTP traffic.

Redwood Credit Union is the 10th largest credit union in the state of California. In part one of our video interview, Tony explains how the credit union uses Proofpoint for email security while also applying those same security policies to HTTP (web or "port 80") traffic. Tony also shares some security insights about social media and the security.

 

In part two of our customer case study interview, Tony talks more about the specific inbound email security and outbound data loss prevention policies that his organization enforces. Tony discusses some of the features he most likes about Proofpoint.

He also comments on the impact of data privacy rules and regulations such as PCI and GLBA, noting that while compliance with regulations is important, his number one concern is keeping credit union members' private financial information secure because his business is all about member service.

  



Thanks again to Tony and the rest of our friends at Redwood Credit Union for taking the time to share these perspectives with me!

(And as a reminder: If you're a customer and would like to share your Proofpoint story with us, do send us an email to pr@proofpoint.com!)

March 23, 2011

New Security, Compliance and Cloud Computing Newsfeed Debuts

We recently launched a new newsfeed called "Proofpoint Security, Compliance and the Cloud News."

Each weekday our editors publish new, original articles about topics that readers of this blog will appreciate. Subjects include cloud computing, SaaS, IT security, compliance, archiving, eDiscovery, email security and data loss prevention issues.

There are several ways to stay up to date with this newsfeed:

You can read the articles online in your web browser by visiting:

http://www.proofpoint.com/news-and-events/security-compliance-and-cloud-news/index.php

Or you can subscribe to our Security Compliance and the Cloud RSS feed and read the articles in your favorite RSS reader.

If you're more social media oriented, follow our @ProofpointNews Twitter account, which automatically tweets headlines and links whenever new articles are published. (Unlike our main Twitter account, @ProofpointNews only tweets headlines from the Security, Compliance and the Cloud newsfeed... Follow @Proofpoint_Inc for those and a whole lot more...)

 

March 10, 2011

Spam and Email Security in 2011: New Whitepaper

Proofpoint has just published a new whitepaper about the current spam environment, how spammer tactics have been changing recently and the impact those changes are having on anti-spam defenses.

Spam 2011: Protection Against Evolving Threats gives a brief overview of botnets, phishing tactics, blended threats, social engineering and the issue of outbound spam.

Then it goes into a more detailed discussion of the technology capabilities that email security solutions need to have today to stop today's attacks.

To download your copy, click the graphic at left to visit Proofpoint's download page for this whitepaper... or just fill out the form below:

March 02, 2011

Resistance is Futile: Potential Data Loss Risks Aside, Apple iPad 2 Looks Like a Great Computing Device

As expected, our friends at Apple unveiled the iPad 2 today... and with it, tablets are starting to look like really serious computing devices. (Check out Engadget's coverage of today's launch for some examples and the basic facts on this new device.)

Expect Apple's latest volley in the tablet computing wars to once again accelerate the "consumerization of IT" in your enterprise. (For examples of enterprise iPad adoption and a little discussion of the potential risks, see USA Today's "More companies put iPads to Work", where our own Gary Steele is quoted.)

As we're seeing with social media tools, tablets and other mobile computing devices represent technologies that enterprise IT departments need to come to grips with, using a combination of policy and technology.

So, I wanted to use this event as a reminder that, if you haven't revisited your organization's remote access/mobile devices and storage policy lately, perhaps it's time to do so. (And our 2010 research on this topic - see pages 13-15 of our Outbound Email and Data Loss Prevention in Today's Enterprise report - shows that nearly 10% of large organizations haven't formalized such policies.)

Of course, devices like the iPad 2 can be extremely useful for enterprise IT and security professionals with more and more vendors providing mobile apps that help with administration, monitoring and other features of enterprise software products.

Proofpoint, for example, currently offers the Proofpoint Mobile Dashboard app for iOS devices that lets Proofpoint Enterprise admins view status of their Proofpoint deployments, track support inquiries, etc. (Follow the previous link or search the iTunes store to get your copy - it's free!)

And not to get all Steve Jobs on you, but watch this space for more Proofpoint mobile-related news in the near future... Me, I gotta get over to the Apple store and order a new iPad...

March 02, 2011

Litigation Project Management and eDiscovery Event this Week in NY Features Proofpoint Presenters

Those of you who are litigators or legal IT professionals based on the east coast (and I know there are a few of you out there) may be interested in this Thomson Reuters event - Litigation Project Management for In-House Counsel - being held tomorrow (March 3, 2011) at the Westin Times Square in New York City.

Our director of eDiscovery solutions, Robert Cruz, and Proofpoint customer Steven Heller, head of IT for legal firm Graubard-Miller, will be participating, presenting a workshop on "Controlling the Costs of Data Identification and Collection."

More details and registration info on this event here -- http://westlegaledcenter.com/program_guide/course_detail.jsf?courseId=33705658 -- including the day's agenda.

Those of you who can't attend the NY event, but are interested in legal IT issues and eDiscovery in particular, might want to register for our live web seminar next week:

Robert Cruz and Rami Habal (our director of product management and expert on all things DLP) will be on hand to talk about the many dimensions of social media risk and how you can apply today's security technologies (including cloud-based security solutions) to address these issues.

To register, visit this link—Social Media Risks in the Enterprise: Mitigating Data Loss, Compliance and Discovery Dangers—or simply fill out the form below:

 


©2012 Proofpoint, Inc.