Posts Tagged Data Security

FTP “Lack of Security” Exposed

Posted by on Monday, 24 January, 2011

Apollo Project CSM Simulator Computers and ConsolesFTP was designed as an easy mechanism for exchanging files between computers at a time when networks were new and information security was an immature science. In the 1970s, if you wanted to secure a server from unwanted access, you simply locked the computer room door. User access to data was controlled by the basic User ID and password scenario. (Right is a reminder of how much technology has advanced since the 1970s. The photograph,  taken December 11, 1975, is the Apollo Project CSM Simulator Computers and Consoles. Photo Courtesy of NASA.)

The Internet did not yet exist and the personal computer revolution was still a decade away.

Today, the security of business file transfers is of paramount importance. The exchange of business records between computing systems, between enterprises, and even across international borders has become critical to the global economy.

Yet, the original native FTP facility of TCP/IP wasn’t designed for the requirements of the modern, globally connected enterprise. FTP’s basic security mechanisms – the User ID and password — have long ago been outdated by advances in network sleuthing technologies, hackers, malware, and the proliferation of millions of network-attached users.

Risks associated with using native (standard) FTP include:

  • Native FTP does not encrypt data.
  • A user’s name and password are transferred in clear text when logging on and can therefore be easily recognized.
  • The use of FTP scripts or batch files leaves User IDs and passwords in the open, where they can easily be hacked.
  • FTP alone, does not meet compliance regulations. (For example: HIPAA, SOX, State Privacy Laws, etc.)
  • When using an FTP connection, the transferred data could “stray” to a remote computer and not arrive at their intended destination leaving your data exposed for third parties or hackers to intercept.
  • Conventional FTP does not natively maintain a record of file transfers.

The first step is to examine how FTP is being used in your organization. The next step is to identify how your organization needs to manage and secure everyone’s file transfers. The final step is to evaluate what type of Managed File Transfer Product your company needs.

For more information download our White Paper – Beyond FTP: Securing and Managing File Transfers.

Cyber Threats: Beyond Entertainment Value!

Posted by on Tuesday, 7 September, 2010

On June 8th, 2010 the National Public Radio (NPR) broadcast a debate by the public charity Intelligence Squared U.S. (IQ2US) entitled “The Cyber War Threat Has Been Grossly Exaggerated.” The show’s format is based on the traditional Oxford-style debate, with one side proposing and the other side opposing a sharply-framed motion.

The broadcast pitted Marc Rotenberg (executive director of the Electronic Privacy Information Center) and Bruce Schneier, (a security technologist), against Jonathan Zittrain, (a Harvard Law School professor), and the former U.S. Director of National Intelligence, Mike McConnell. Zittrain and McConnell rolled out the heavy security artillery, describing the threats and touting facts and figures, while Zittrain and Schneier pooh-poohed the seriousness of the threat, and tried to cast suspicion onto the U.S. government’s C.I.A., claiming that they just want to spy on us.

The debate was both entertaining and informative, but it also shed light on an unusual dichotomy in our public subconscious regarding cyber security: We – as denizens of computer technology – are as wary as Jason Bourne about where, exactly, our cyber security threats are coming from. Are they coming from real terrorists and enemy spies? Is there really some vast criminal conspiracy afloat? Or are these threats perhaps coming from within the very ranks of government itself?  Who do you really trust and why?

Even the term “cyber” is a subconscious mnemonic to the old Marvel Comics super-villain of the same name, and enemy of Wolverine. Cyber, (alias Silas Burr) in the comic book, was once an agent of the Pinkerton Detective Service before he turned into a criminal mastermind. Why wouldn’t we be suspicious of government representatives telling us that we’re engaged in a kind of comic book war?

But data security is obviously not an issue about comic book super-villains, or government conspiracies. For example, in this same month that IQ2US was airing their debate many of us were receiving notices about a class action settlement. Countrywide Financial – the behemoth that sold mortgages during the real estate bubble and which is now owned by BofA – has begun the process of contacting customers whose identities may have been stolen when their records were pilfered by an employee.

No, it was not Jason Bourne nor Silas Burr, but a former Countrywide senior financial advisor who wanted to sell the names, SS#s, credit information, employment history, and other personal information of mortgage applicants.

The U.S. District Court’s remedy in the settlement will be to require Countrywide to provide free credit monitoring of all those involved in the class action suite for a period of 2 years, along with a potential liability against Countrywide of up to $50,000 for each incident of identity theft.

Isn’t it time we, in our organizations, got serious about data encryption? Shouldn’t we be stepping into this battlefield to fight back with a secure, managed file transfer system between our workstations and servers?

The cyber wars of comic books may populate our imagination, but our company’s challenges are much more real. And if we’re not mindful to use the right tools in our IT departments, we may all be faced with a customer base of angry Jason Bourne’s who have lost their identities through our security lapses.

(Listen or watch the televised debate produced by Intelligence Squared U.S. (IQ2US) entitled “The Cyber War Threat Has Been Grossly Exaggerated” by clicking here.)

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

More Posts - Website

Who Insures the Insurer?

Posted by on Monday, 2 August, 2010

Do insurance companies maintain Data Security Breach Insurance?

On June 23, 2010 more than 200,000 Anthem Blue Cross customers received letters informing them that their personal information might have been accessed during a security breach of the company’s website. Customers who had pending insurance applications in the system are currently being contacted because information was viewed through an on-line tool that allows users to track the status of their application. Social Security and credit card numbers were potentially viewed.  It’s one more tumble in a cascade of security breaches that can have terrible consequences for the customers and clients of such a large insurance company.

And of course, this raises an ironic question: Do insurance companies maintain their own liability insurance in the event that their information systems are compromised?  As absurd as it may seem at first glance, it’s really not a laughing matter. According to the Ponemon Institute, the average cost of a security breach is now exceeding $200 per client record.  This would mean that Anthem Blue Cross’s breach last month created a liability as great as $40M.

Moreover, there’s a ripple effect to organizations that do business with insurance companies that suffer such an information security breach.  Each Personnel Department that delivers private employee information to an outside service supplier has an inherent responsibility and liability to its employees.

We all know that the privacy information transferred between companies should use a secure and confidential method of transmission.  Yet too many small and medium-sized companies are still using simple FTP (File Transfer Protocol) software that has been proven to be susceptible to the threats of network hackers.  And by the time these organizations realize their vulnerability, it’s often too late.  These companies are often performing these FTP transfers below the radar of their IT departments.  How does it happen?

Often personnel data is off-loaded to PCs from the main information systems where it is left “in the open” on the hard drives of desktops or laptops. After the data is transferred this residual data is often unprotected, where it’s subject to theft or secondary security flaws. Insurance agents – whose jobs are to facilitate the processing of the data with their insurance providers – can also suffer from such breaches. The loss of an agent’s laptop – through theft, accident, or routine use of USB thumb-drives – poses additional liability.

There are two readily available strategies to help prevent these kinds of security abuses. The first strategy is to use data encryption technologies that not only encrypt the data, but also record into a secure log detailing when, where, and by whom the sensitive data has moved from the main information database.  Linoma’s CryptoComplete offers precisely this kind of encryption capability, and it should be examined by IT professionals as a viable, highly configurable resource for the protection of the company’s information assets.

The second strategy is to use a secure method of transfer for the data itself, ensuring that the information is never left in a vulnerable state on an individual’s personal computer.  By removing FTP access to the data by any employee’s PC and channeling the transfer through the secure corporate server, IT can prevent the problem of network hacking from occurring.  Linoma’s GoAnywhere Director solution is precisely the means of achieving the goal of a secure FTP transfer between companies.

The tragedy of the Anthem Blue Cross breach was the result of a faulty security scheme in the design of its customer service solution.  But it is not the only potential failure of data security that can impact its customers and business partners. And, unfortunately, this information security breach is just one of the 356 million reported breaches that have occurred in the US over the last five years.

So who insures the insurer when a data security breach occurs?  The real answer is IT itself.  And helping IT achieve a better result will be the subject of this blog over the next few months.

Thomas Stockwell

Thomas M. Stockwell is one of Linoma Software's subject matter experts and a top blogger in the industry. He is Principle Analyst at IT Incendiary, with more than 20 years of experience in IT as a Systems Analyst, Engineer, and IS Director.

More Posts - Website

1.800.949.4696  |  sales@linomasoftware.com  |  privacy policy
Copyright ©1994 - 2012 Linoma Software  |  All rights reserved