Archive for 2010

Security Risks and Considerations with Outlook Web Access – Part 2

Thursday, December 9th, 2010

In last week’s post, I discussed several ways to improve the security of Outlook Web Access. With built-in features like forms-based authentication, WebReady Document Reading, and OWA Segmentation, organizations have several configuration options for reducing the risk of web-based email. 

But what about security risks that aren’t so straightforward for technology to detect – risks like discussing corporate secrets in public places, or carelessly forwarding a sensitive email to the wrong recipients? Maybe back in the office users are more risk sensitive, but when they are in informal environments such as airports and home offices, their sense of caution is often minimized. This is where some well-timed, user-based education and warnings can really play a role in reducing the risk of inadvertent disclosure. 

Titus Message Classification for OWA is an important piece of this security puzzle. As a Carnegie Mellon University research experiment showed, if users are warned ahead of time about the security risks of sending sensitive information over the internet, they will be much less likely to send it. This is what Titus Message Classification for OWA does: it makes users stop and think before they send an email, helping them to make the right decisions for protecting their organization’s valuable information.  (more…)



WikiLeaks – How Classification Metadata and DLP can Help

Monday, December 6th, 2010

I’m sure everyone has heard about the recent Wikileaks of diplomatic cables.  These cables discussed diplomatic viewpoints of a number of countries.   They were embarassing to both the US and other countries quoted.

Many of the wikileaks were as a result of a single malicious leak of information by an army intelligence analyst.  Stopping malicious leaks is much more difficult than trying to stop inadvertent disclosure.  Inadvertent disclosures are mistakes, and often a warning to the user is enough to stop a leak.  Malicious users will try any method to extract and disclose information.  Some of these, such as taking a picture of the screen, or re-transcribing the infromation are almost impossible to stop.  But the thing that stands out in the wikileaks case is the massive amount of information that was leaked.  You should be able to stop a leak of this size, as some kind of alarm bells should ring when someone is trying to copy of download this much information.

Here at Titus we build software to help with inadvertent data leaks, and to make information sharing easier.  When we look at the Wikileaks case we do see a few areas where our classification solutions could have helped prevent the problem.   (more…)



Security Risks and Considerations with Outlook Web Access

Thursday, December 2nd, 2010

If you’re a regular reader on our blog or website, you know that one of our mantras is “Make the user stop and think”. It’s behind so much of what we do at Titus – gently reminding users before they inadvertently disclose sensitive information to the wrong people.

So a recent Carnegie Mellon University research study about consumer behavior really piqued my interest. In the study, the researchers attempt to understand how consumers decide to reveal sensitive information online. The results are a bit surprising. It turns out that users are most likely to reveal sensitive information on websites that look informal, even unprofessional. Strangely, when users are asked sensitive questions on a website of this type, they see the questions as less intrusive than if they were on a more formal website. (more…)



Simple, Low Cost Ways to Reduce Your ITAR and EAR Risk

Thursday, November 25th, 2010

In my previous blog entry, I talked about how export compliance is similar to airport security: when you involve users up front, you can dramatically lower the cost and increase the effectiveness of your program.

In this post, I will discuss specific technologies that make users a key part of an organization’s export control program. In particular, I’ll show how Titus security and compliance solutions provide a low cost, high impact method of reducing your ITAR and EAR risk.

As I wrote in my last entry, there are two main methods for involving users in an export compliance program: 1) Educate users up front; 2) Allow users to identify sensitive content. (more…)



Export Control: Involve Your Users to Reduce Your ITAR and EAR Risk

Thursday, November 18th, 2010

If you work in the aerospace and defense industry, you’ve almost certainly heard of the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR). These U.S. regulations strictly control the import and export of defense-related equipment, software, and technology. With complicated rules and time-consuming compliance requirements, the ITAR and EAR pose a challenge for every organization that does business with the U.S. military.

But it’s not just companies working directly with the U.S. military that need to care about these regulations. You need to consider ITAR and EAR requirements if any of the following are true:

  • Your company is part of the global supply chain for an organization that works with the U.S. military. This includes suppliers who develop military components for larger aerospace and defense organizations. It can also include suppliers involved in non-manufacturing activities, such as translating manuals and designing product brochures.
  • Your (non-U.S.) company sends defense-related information to U.S. recipients, even if the information was developed completely outside of the U.S.
  • You are an individual who decides to start selling on eBay the military equipment that your brother stole from the U.S. Marine Corps (see story here, and eBay export control regulations here).

The consequences for non-compliance are high: fines, possible jail time, and potential debarrment from exporting defense articles (a business killer for any aerospace and defense company).

So where do you start?

It may help to think of ITAR and EAR regulations as being similar to airport security regulations. Everyone hates airport security, just like no one particularly enjoys complying with ITAR and EAR. But the stakes are high: public safety, national security, and in some cases, global security.

With millions of travelers passing through airport security each day, the potential for security violations is high. Likewise, with employees exchanging technical information through electronic media such as email and web sites, the possibility of ITAR and EAR violations is enough to keep most export control officers up at night. As one ITAR official said about her company, “We have 91,000 potential violations per day – otherwise known as employees.”

The only scalable way to enforce the regulations is to involve the users. By starting with the user, you can drastically cut down on the number of inadvertent policy violations.

Airport security measures provide us with important lessons for how to do this:

  1. Educate users up front. Throughout the airport, prominent signs remind travelers what they can and can’t bring in their luggage. Travelers are given several chances to remove any forbidden items before they enter the security line. Similarly with export control, users can be reminded before they send an email or document that they need to comply with export policy. This provides users with an opportunity to fix any problems before the information is sent.
  2. Allow users to identify sensitive content. Maybe you really do need to bring that firearm to your next destination. But to avoid fines and a possible criminal charge, you had better identify your restricted luggage contents before you check your baggage. Similarly, there are many reasons why you may need to send export-controlled information through email or web collaboration tools. For example, your organization may need to communicate design details to multiple suppliers involved in a military project. That information needs to be properly identified and marked to establish that it is export controlled and requires special handling.

By involving the user up front, it is now easier to take the following steps to enforce policy downstream in the process:

  1. Apply special handling based on the content. Once the traveler has identified their restricted content, special handling rules can be applied. In the firearm example above, there are specific rules for how the firearm must be packaged and transported. Similarly, restricted content in email and documents can be given special protection, such as encryption and digital rights management.
  2. Examine the sender and destination. Before you fly, your name is checked against the No Fly list. You will also be asked about your destination – where you are going, where you’re staying, the purpose of your trip. Similarly, with export control, you can enforce policy based on both the sender and recipient. Does the sender have clearance to send this export-controlled information? Are any of the recipients a “foreign person”? Is the email going to a high-risk destination?
  3. Use technology to catch mistakes and intentional violations. It’s not enough to rely on the user 100%. People make mistakes, and sometimes they intentionally violate policy to achieve their goals. That’s why it’s not enough to declare that you are carrying no restricted items in your luggage; your luggage has to be screened by machines. It’s the same with export control; there is still a role for automated scanning of email and documents to detect restricted content before the information is sent. This serves as an extra check for the user, and deters malicious users from intentionally violating policy.
  4. Audit user behaviour. Just as a traveler’s travel history can be used to assess risk, an employee’s behaviour while handling email and documents can identify unusual activities and/or opportunities for education. By involving the user up front, you can also avoid the excuse of “I didn’t know” and make the user more accountable for their actions.

Let’s not kid ourselves: ITAR and EAR compliance, just like airport security, is not easy and it’s not cheap. But when you involve the user, you have the potential to dramatically lower the cost and increase the effectiveness of your compliance program.

In my next post, I will discuss specific technologies for how you can involve your users in your export compliance program. In particular, I will show how Titus security and compliance solutions address each of the items above, to provide a low cost, high impact solution that reduces your ITAR and EAR risk.



Enhancing Inbound and Outbound Email Security – Integrating Titus Message Classification and Proofpoint

Friday, November 12th, 2010

Love it or hate it, email continues to be one of the primary methods for sharing information between employees, clients, partners and other organizations.

On average, corporate users will send 34 emails per day and receive almost 100. If you’re like me, you use email as your primary way to send all of your daily communications. My emails and likely yours, include all types of information, from very sensitive contractual and product information, to resumes and other personal and private information.

Although email is one of the best ways to communicate information, organizations must also ensure that information assets are managed and protected appropriately and that sensitive information is not used or distributed in inappropriate ways. Once it’s left your corporate network, messages can easily be forwarded to other individuals who may not be aware of the security of the information. This poses both security risks and liabilities to the organization if the information isn’t handled appropriately.

Thankfully there are ways to better protect incoming or outgoing information. One great solution is using the Proofpoint Email Security solution together with Titus Message and Document Classification applications.

Here’s how it works.

Proofpoint Email Security solutions scan email and attachments for spam and viruses. They can also scan incoming and outgoing email for key words. As the administrator, you can specify the words, phrases or information that you’d like to use in the scan. If the appliance finds a key word within a message or attached document, you can then also specify how the email should be treated. As an example, messages classified “Confidential” by Titus Message Classification, could be picked up at the Proofpoint email gateway and prevented from passing through the gateway.

There are endless ways of treating the information at the Proofpoint gateway. Options include: encrypting the message; quarantining it for review; or refusal to pass it through. With the persistence of the classification information applied by the Titus Message Classification solution, sensitive and confidential emails can be picked up at the email gateway and treated appropriately even after it’s left your network.

For incoming emails, key phrases can be used to determine the sensitivity of the information passing through the gateway. Based on the key words or phrases found at the Proofpoint gateway, the message can be given a Titus Message Classification which will be present when it’s received by the intended recipient. The message will then retain the classification as it’s replied to or forwarded to others.

If you’re interested we have provided more detail in a whitepaper on how to integrate Titus products and Proofpoint. As always, your feedback is welcome in the comments.



This is no fairy tale – why email data leaks can ruin the happy ending!

Wednesday, November 10th, 2010

Once upon a time… (that’s the way all good stories start, don’t they!?)

Anyway, once upon a time, actually just a few weeks ago, there was an employee. This employee was not malicious, wasn’t trying to cause any harm, but was simply trying to get some ‘work-related assistance’ from someone outside of their organization, and inadvertently emailed a file containing all of the names and social security numbers of all of the employees of that organization to someone outside of the organization.



ISO27001 – The difference between practicing and managing information security

Wednesday, November 10th, 2010

You’ve probably heard of ISO 27001, and may even recognize that it is just one in a series of ISO standards for Information Security. But learning a new standard can always be daunting, especially if you don’t have an incentive to do so. In this article, I’ll present some aspects of the ISO 27000 family of standards that make them worth learning and using in your organization.

Most importantly, organizations that have been “practicing” security for some time may find that they have not been getting much traction or return on their efforts. This could be because their information security practices are not being “managed”. This is where the concept of the Information Security Management System (ISMS), a core part of the ISO 27001 standard, comes in.




Ten Steps to CUI Compliance – What Obama’s Controlled Unclassified Executive Order Means for IT Administrators

Friday, November 5th, 2010

Earlier this week we posted a blog on Controlled Unclassified Information, covering the need for marking and protection in this area, and the earlier Bush government Memorandum.  Yesterday, President Obama signed off on the new Executive Order for Controlled Unclassified Information which replaces the previous order by President Bush.   The new executive order mandates all departments to provide feedback on the use of categories and sub categories of markings in their department to NARA (the Executive Agent for this order) within 180 days.  Within a year agencies must provide NARA with a proposed plan for compliance with the requirements of this order, including the establishment of interim target dates.

Ten Steps to CUI Compliance