Blog

01/07/2010 11:29 AM Posted by: Sam Van Ryder

Considering all the confidential data we come across during our testing and customer scans, it’s amazing to me how many “confidential” documents are posted that aren’t really confidential. This is extremely common with PowerPoints, where, in many cases, the slide deck was made available to the audience after the presentation. Sounds common, doesn’t it? So why is this happening? Is it because companies have no policies in place (unlikely)? Is it because companies struggle with enforcing policies (more likely)? More importantly, does this even have an impact on the owner? After all, it IS content that was approved for public consumption. Right?

WRONG! Think about the implications of labeling everything confidential:

 

  • The eventual desensitization to confidential data in general. This leads to a greater risk of exposure through negligence – either on behalf of the owner or especially the recipient.
  • Incapability to classify important data. This incurs increased inefficiencies through manual sorting processes.
  • Waste of internal resources. Because you’re constantly spending time cleaning up what could have been prevented in the first place – sensitive data or not.

 

But this isn’t really an easy problem to solve, primarily because human error is such a big deciding factor. People are rushed to do their jobs and rules tend to “get in the way” of doing business faster. Or perhaps they weren’t properly educated on process. In any event, it is a difficult matter at best. Now if we had total control of our data – all the time – this would probably not be such a concern. But until then, we’ll have to spend our time cleaning up after the rule-breakers.

Categorized under: Data Leak Detection, Data Leak Trends, Data Security Policy
01/02/2010 06:57 PM Posted by: Sam Van Ryder

If you are an Exobox stockholder and plan to attend the Coffee and Cookies meeting at Exobox HQ on Tuesday the 5th, you must RSVP at ir@exobox.com. It is important that we get an accurate headcount for this event. If you have already RSVP'd, no further action is necessary. Upon your arrival, we will sign in those that have registered.

Thank you and we look forward to meeting you at Exobox!

Categorized under: Exobox
12/09/2009 05:02 PM Posted by: Richard Kampa, CEO
Dear Investors, Partners and Clients,

I am excited to share with you that Exobox is in discussions with several investor groups and individuals to raise an immediate $2 million for short term operating capital needs and an additional $10 million to expedite the development of the Secure™ Environmentalization™ software. I believe Secure™ is the future of the company and want to get it on a development fast track as soon as possible. These investor groups see the upside potential of our company and Secure™ with the inherent existing potential of our SaaS-based products, ExoDetect and ExoWatch.

The company is now poised to market our existing SaaS-based Data Leak Detection products ExoDetect and ExoWatch. These products will enable Exobox’s customers to realize quickly an ROI without a long deployment cycle, or heavy capital outlay. We are actively re-engaging relationships with key beta clients in various industries to sign new contracts. Our strategies for market entry include engaging leading channel partners to further project the value-add of our existing products to their large client bases. We firmly believe that Exobox will establish a leadership position in the IT Security industry utilizing our patent pending Secure™ technology which secures all endpoints of an organization’s infrastructure, utilizing our patented approach which we believe to be fundamentally different and superior to existing technologies in the market today.

I am excited about the future of Exobox, while returning to our core technologies and we are working diligently to steer the Company towards success and shareholder value. I will continue to keep you apprised of meaningful developments as we move forward.

Richard J Kampa, CEO


Categorized under: Exobox
11/29/2009 08:14 PM Posted by: Sam Van Ryder

Well, it’s been an interesting couple of months for us here at Exobox. Needless to say, a lot has happened and while we’re still in the process of relaunching the company, one thing is very clear: We are well on our way to building a fantastic and very exciting business.

We understand the frustration of our customers, partners and stockholders as we went (unexpectedly yet temporarily) dormant in October. Rest assured, we hear you loud and clear and are looking forward to reengaging with all of you with a new, energy-infused team that is focused on producing the very best product suite out there; with groundbreaking technologies that will create waves in the data security industry. We are working hard to catch up and plan our future. Exciting times are right here, right now. Already, our existing products, ExoDetect and ExoWatch are up and running with new features being added as we speak. Our product development strategy is becoming increasingly clear and we are looking forward to making a lot of noise in the industry!

So thank you all for your patience and faith in Exobox. To our advisory board, our customers and partners who have already expressed their support and stuck with us through all of this, we can’t thank you enough. You can count on the fact that we’re emerging from this challenge stronger and more passionate than ever in bringing industry-changing security solutions to the market!

Categorized under: Exobox
09/14/2009 08:47 AM Posted by: Ted Ernst

I could spend time giving you example after example of crazy ways that people have made mistakes in using social networks by exposing personal or business information that they shouldn't. And, other than us all having a good laugh at how dumb some people can be, I will have accomplished very little.

So what I would rather do is give you some advice on how to use social networking sites in ways that they are effective without revealing stuff about you or your company that you may regret later.

Point 1: Be careful of “Invitation Only” sites

Some social sites allow people to publish information that is only viewable by those that they allow to be a part of their digital world. But, even in this case, you must be careful. Search engines such as Google can many times still view pages that are normally only thought viewable by your “friends”.

Also, if you plan on being open with your postings and comments, be picky about who it is you accept invitations from. Make sure you can trust that you know the motives about your ‘friends'.

Point 2: Watch what you say about your boss

Whatever you do, do not talk negatively about your company. In addition, do not share anything that could be considered as confidential or inside information. This may include:

  • Future strategy information
  • Internal processes
  • Information about customers
  • Trade secrets about the ingredients of your products or services

Point 3: Don't share your normal routines

Everyone knows that thieves look for patterns in people's lives; especially about when you will and won't be home.

Point 4: Do not give out details of your personal life

  • Address / Phone number
  • Information concerning health issues
  • Salary, investments, etc.

Point 5: Don't try using “anonymous” or fake IDs on open message boards to share confidential info

If you think this will mask you, think again. There have been cases where workers shared details under false names only to have court orders open the doors to forensic teams so that they get nailed later.

Bottom line: If you want your friends to know the innermost details of your life, pick up the phone.

09/03/2009 01:39 PM Posted by: Gary Leibowitz

There's an amazing amount of sensitive information actually posted on corporate websites. The same goes for education institutions, government agencies, non-profit organizations and more. Having sensitive information and data leak out of a company is one thing, but having it stored on their own website is more than embarrassing. Try to explain a data leak from your own website in your next regulation compliance audit.

Regulation compliance such as PCI DSS, SOX, HIPAA, etc. clearly places the responsibility of protecting sensitive and confidential information on the creator or owner of the data, even if the information must be sent outside of the protected network of the company. That's a difficult task. While one could imagine sensitive information would never be mistakenly posted on a company's external website, the Exobox Internet forensics team found that 1 out of every 7 companies leaked documents with sensitive or confidential information on their company's own website. That is an alarming data leak statistic! So why and how do these data leaks happen? Many reasons, for example:

  • People make mistakes; some may not realize that the information they are posting to a corporate website, portal, or microsite is sensitive or confidential.
  • As the company's website has become the main “face” of the company, website content ownership is distributed across the organization among those who have authorization to update website content. The more people with content posting authority, the more data leaks will occur.
  • Using Web Content Management (WCM) solutions, it can be easy for a website content owner to upload a document to a corporate website, portal or microsite that was intended for internal use only – but, mistakenly assign properties to the document for external access.

Understanding how the sensitive or confidential information made it to the external section of the corporate website is one thing, but how to quickly identify that it is posted and rapidly remove it before damage happens is what ExoWatch is all about. ExoWatch is an automated solution for regularly crawling a company's websites, portals and microsites to identify suspect sensitive or confidential information - then alerting the relevant person or people, including the corporate marketing department, website content managers, and executive management if a suspect data leak is found.

09/03/2009 09:12 AM Posted by: Gary Leibowitz

 

How well are IT Security Technology companies protecting themselves?

IT Security technology companies are not immune from data leaks – just like the rest of the world. While recently working with a medium-sized IT Security Technology Company, we ran an ExoDetect data leak detection assessment on their company to demonstrate the product’s capabilities – all for education purposes. Together we discovered some interesting information that is available for anyone to see in the Internet Cloud. Information uncovered included: an email chain discussing their pricing and business arrangements, a competitive evaluation performed one of their competitors exhibiting poor product results, and more. For obvious reasons I won’t disclose the name of this company.

And, they are not alone. Over the past several months other well-known IT Security Technology companies also had their data exposed into unauthorized territory:

Articles, with examples:

 

Bottom line: No company is immune to data leaks, even IT Security Technology providers – it is a business security issue best addressed with: alignment of business processes with your IT environment; backing of sound governance, risk, and compliance policies; and an eye to the unprotected information atmosphere outside the confines of the enterprise.

Categorized under: Data Leak Protection (DLP), Data Leak Trends, Data Security Policy
09/01/2009 09:52 PM Posted by: Ted Ernst

That harsh jab at the former president put Texas governor Ann Richards on the national map; reminding him that the reason that his poll numbers were nose-diving at the time was the economy.

So, the question is, concerning the data security of businesses today, does the economy affect it? Since the Exobox product line focuses on data leakage, let's narrow our discussion toward that area alone. Is data being leaked into the wild at a higher rate now versus 2-3 years ago?

To be honest, the number of reported leaks has actually increased dramatically since the economy started faltering last year. There have been five major leaks this week alone by large companies that chose to make the news public; and one of those was a data security company (that can't be good for business). There are probably many reasons for this increase:

  • People need money. Credit card numbers, bank account information, etc. are prime targets in today's times.
  • Companies have scaled back their workforce. There may be two people doing the job that 4 people did the previous year. This causes people to take shortcuts or not be as attentive as they should be to matters of data security.
  • Companies are transitioning their workforce. In many cases, there are companies that are replacing higher-priced, more experienced workers with entry-level people in order to save money. But sometimes, one of the side results is that these people are not trained in good security practices.
  • Budgets are tight. Some companies see security the same as data backups. They don't need it until it's too late. This is not true of the larger public companies. They realize the litigation, public relations, consumer perception and even federal regulatory nightmares that data leaks cause. But sometimes the smaller companies try to live without it.

Bottom line: Yes, the economy affects data security.

Categorized under: Data Leak Protection (DLP), Data Leak Trends, Data Security Policy, Economic Downturn
08/26/2009 09:52 PM Posted by: Gary Leibowitz

At Exobox, I oversee our data forensics team. Time after time, they bring alarming issues of sensitive student information data leaks to my attention. These data leaks are coming from U.S. universities, which I always understood to have sound data governance and compliance technologies and processes in place.

I personally have two children in college, so the growing concern of student information leaking out to the Internet Cloud really hits home for me. It makes me shudder to think about the potential identity theft that our kids face as they begin their adult lives and start building financial responsibility and independence.

As you can see from the following links, four recent cases of data leaks have been reported:

UC Berkeley journalism school reports possible data breach – 8/13/09
https://security.berkeley.edu/jschool-info/faq.html

University of Florida warns students and staff of security breach
http://www.sophos.com/blogs/gc/g/2009/02/20/university-florida-warns-students-staff-security-breach/

Data leak reveals massive security problems
http://jtidtheftblog.blogspot.com/2009/05/data-leak-reveals-massive-security.html

File sharing program on BU ROTC computer exposes person information
http://www.adamdodge.com/esi/type_of_incident/unauthorized_disclosure

The data leaks include a plethora of personal student information, including: full names, addresses, phone numbers, social security numbers, driver’s license numbers, and GPA scores. And, from what we have encountered, most of the data leaks are not malicious, merely mistakes by untrained faculty.

The good news is that colleges and universities can be proactive in the protection of these data leaks. The first step is to find the gaps in the business environment that are allowing for the data leaks.

As an integral gear in the information-centric community, we invite all business and IT data owners of colleges and universities to join the Exobox Data Watchdog Group on Facebook. If you want to join, just click here.

08/20/2009 10:33 PM Posted by: Ted Ernst

Setting the Record Straight About Data Leak Protection

Here are some common misconceptions about data security and data leak, in particular, that I often hear. I just wanted to share them with you.

Fiction:

You can protect your corporate data even when employees and contractors work remotely

Fact:

Password protected log-ins to your corporate network are not sufficient data protection measures. Wireless hot spots are popping up everywhere, creating more holes for hackers to exploit and information to escape. Employees transfer information between computers using Flash drives or e-mail without a second thought. And the rise of social media and Web 2.0 has resulted in more private information being made available – both intentionally and unintentionally – on public Web sites.  The only way to be totally secure is to board up the technical doors and windows; which is not realistic in today’s corporate operations.

Fiction:

Data security policies and procedures are enough to prevent sensitive data from leaking outside of the enterprise.

Fact:

You cannot control everything that employees say or do, and data leak protection software and rules only go so far. Conversations happen. People share more information than they should in e-mails and online. The best technology in the world and the strongest policies on paper are no match for a determined or careless individual.

Fiction:

The only thing you have to worry about is your own company’s internal DLP solution.

Fact:

Most companies work with outside vendors, strategic partners, and service providers who have access to proprietary or private data such as health records, benefits information, legal materials, etc. Companies must be aware of what information is where and ensure that those channels are covered and monitored regularly.  The time and effort that it takes to create and maintain Data Leak policies that an internal DLP solution can use is enormous. Even if the tool is great, it depends on the policies being accurate. And that’s a battle that has yet to be easily won.
