Barracuda Networks

Privacy and Social Networks; LinkedIn Almost Doubles in a Year

Stephanie Jordan — Mon, 17 Oct 2011 02:36:06 +0000

Messaging, both professionally and personally, would not be complete these days without including social networks. Even those earlier resisters are now relenting and joining social media networks. In Q2 of this year, LinkedIn claimed that membership had climbed from 61 million to 116 million in the span of one year, while reporting revenues of $121 million, which is a 120% increase from revenues posted last year, according to The Radicati Group. The steady growth of social networks, with Facebook clearly leading the pack, parallels the incredible growth of email of days gone by, and just as email became a target for malware and other ills, social networks today are experiencing an increase in threats to security and privacy.

Even though Facebook has been under scrutiny for its privacy policies, people still come to the site in droves. In a recent study by Barracuda Labs, researchers found that one in five people has been negatively affected by information that was exposed on a social network. But is this enough to drop the social network as a messaging medium? No, as another finding points out, ease of use and friends using the network are almost equally valued to privacy and security concerns.

And are companies concerned about security or privacy when employees are online? Of the hundreds that participated in the survey, 86 percent felt that employee behavior on social networks could endanger company security. However, only 31 percent of respondents reported limitations on Facebook. LinkedIn was the least blocked in the workplace at 20 percent of respondents stating limitations being experienced.

Malware is creeping up more and more in social networks, of the survey respondents, one in four has received a virus or malware on a social network. “Social networks are a significant part of how we communicate with one another. At the same time, the dangers associated with social networking have climbed exponentially”, warns Dr. Paul Judge, chief research officer and vice president for Barracuda Networks. “The fact that nine out of 10 users already have been attacked proves that attackers are taking over social networks.”

This is an area of particular interest to Barracuda Labs, as earlier this year the company launched Profile Protector, a free service that protects social networking users against malicious threats on Facebook and Twitter. For more on the visual report, download The 2011 Social Networking Security & Privacy Study or simply view the beautiful graphics accompanying the information.

October is National Cyber Security Awareness Month. Reports such as this one are good to share with your users and executives. As always, safe messaging.

Barracuda Backup Server Now Features "Private Cloud" Capabilities

Melisa LaBancz-Bleasdale — Wed, 11 May 2011 06:16:13 +0000

Barracuda Networks today launched site-to-site replication capabilities for the Barracuda Backup Service, a market leading solution that allows companies to efficiently back up their data both locally and offsite without the hassle of tapes or other removable media. This enhancement allows customers to deploy a “private cloud” by enabling one Barracuda Backup Server to replicate data to one or more Barracuda Backup Servers housed locally or deployed at other locations for disaster recovery.

“Many organizations today prefer to utilize internal company locations as the first line of defense for disaster recovery,” said Stephen Pao, vice president of product management for Barracuda Networks. “Site-to-site replication enables those organizations to redundantly back up their data to their preferred locations while also allowing economical cloud-based data protection where appropriate.”

Leading data deduplication technology in the Barracuda Backup Service facilitates efficient replication of changing data to cloud storage. The addition of site-to-site replication provides customers with the ability to use this technology in a private network environment. This expands the market served by the Barracuda Backup Server to include customers interested in private and hybrid data replication deployments.

Today’s launch delivers replication:

Between Barracuda Backup Servers; each can back up data locally as well as send it offsite to other backup servers.
From many Barracuda Backup Servers to a single unit; common for customers or partners who would like to replicate from satellite locations to a central location.
From one Barracuda Backup Server to several others; appropriate for customers with critical data they want replicated to multiple locations on their network.
To the cloud in addition to other Barracuda Backup Servers; ideal for customers with critical data they want to protect in multiple ways.

The City of Weston, in Weston, Fla., has two Barracuda Backup Servers deployed in conjunction with the Barracuda Backup Service and finds the new feature to be a crucial benefit, allowing them to safely and reliably replicate their business critical data offsite to their disaster recovery center.

”We are impressed with the easy setup for site-to-site replication and the efficiency of data replication,” said Steven Murray, director of information technology for the City of Weston. “This is the perfect solution for our disaster management needs.”

Customizable Hybrid Cloud Solutions

In addition, site-to-site replication enables organizations to take advantage of a “hybrid cloud” by combining private replication between Barracuda Backup Servers with replication to cloud storage provided by Barracuda Networks ultimately providing protection for an organization’s most critical data.

The "State of Application Security Survey" - 88 Percent Spend More on Coffee Than Security

Melisa LaBancz-Bleasdale — Sun, 10 Apr 2011 21:46:17 +0000

Back in February, Barracuda Networks Inc., Cenzic Inc. and the Ponemon Institute released the“State of Application Security Survey,” which found that 73 percent of organizations had been hacked at least once in the last 24 months through insecure web applications. The news that web apps are insecure isn’t really shocking, but the percentage of organizations that fell prey to attacks is certainly eyebrow raising. I chose to address this report now, because it appears that companies just haven’t gotten around to determining the best way to handle the influx of insecure web apps exposing their organizations to increasingly sophisticated and damaging attacks.

In one of those, “It’s so awful it’s funny” findings, the survey notes that even though website attacks are the biggest concern for companies, 88 percent of them spend more on coffee than securing their web apps. Don’t get me wrong, I love me some coffee, but I also love me some secure banking and private medical files. I think it would be illuminating for an IT manager to use this data point in a meeting, “Last June we spent 50K on our Colombian roast and 2K our web security products. We’ve been hacked 187 times but our coffee is really, really good.”

The results of the survey reveal respondents’ perceptions and experiences protecting web applications. It underscores the lack of adequate protection currently in use and overall insufficient resources and knowledge around Web application security in general.

Strangely, (or not?), the report found that 69 percent of organizations rely on network layer firewalls to protect their websites, leaving web applications wide open for attack. Haven’t we all learned that firewalls are like long underwear? They offer some protection but won’t cut it on Mt. Everest. I was mystified to find that organizations still feel this is an adequate defense mechanism.

What wasn’t surprising to me was the finding that 72 percent of organizations test less than 10 percent of their web applications for security holes, some knowing they have been hacked in the past. I don’t actually know of any organization that runs the recommended regular security checks. This frustrates the analysts and security experts but time, resources, and competing priorities usually get in the way of such things as routine maintenance and ensuring the safety of the corporate network. I do think it should be required for all financial institutions, government agencies, medical organizations and any other company that deals with sensitive amounts of customer data—which is pretty much everyone right?

According to 74 percent of respondents, web application security is either more critical or equally critical to other security issues faced by their organizations. Despite this, the study shows there are many misconceptions around the methods used to secure Web applications, primarily web application firewalls and vulnerability assessment.

“While it is encouraging to see that web application security is on the minds of most organizations, there still seems to be a real disconnect between the desire and implementation of security countermeasures required for Web application security,” said Dr. Paul Judge, chief research officer and VP for Barracuda Networks. “The fact that 69 percent of respondents are relying upon network firewalls to secure web applications is like relying upon a cardboard shield for protection in a sword fight—eventually your shield will prove that it’s insufficient and an attack will reach you that can fly past a network firewall.” I agree. It’s probably never a good idea to use a cardboard shield whilst wearing your long underwear to a sword fight.

Mandeep Khera, CMO for Cenzic says it’s a huge red flag that a quarter of respondents could not provide a range for how many web applications they have. He expressed shock that 20 percent of organizations do not test at all and 40 percent test only 5 percent of their web applications, but as I mentioned above, it’s just never really been part of the day-to-day risk mitigation plan (and it should be). It is shocking though that most of these companies have been hacked multiple times through insecure web applications. “If you know that burglars come through a broken door repeatedly wouldn’t you want to fix that door?” asks Khera.

Other key findings in the study include:

Data protection (62 percent) and compliance (51 percent) were the top reasons for securing web apps. Job protection was also a significant reason cited by 15 percent of respondents.

Despite 51 percent listing compliance as a key driver for web application security, 43 percent are not familiar with or have no knowledge of OWASP, a key component to compliance standards like PCI.

With 41 percent reporting they have over 100 web applications or more, the majority (66 percent) test less than 25 percent of these applications for vulnerabilities.

More than half (53 percent) expect their web hosting provider to secure their web applications.

Of those respondents who own a web application firewall, nearly 2 times agreed that a reverse proxy is a better and more secure technology than a transparent bridge technology.

“While IT practitioners recognize the criticality of secure web applications, their organizations do not provide adequate resources and expertise to manage the risk,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “Over half of the respondents we polled believe they do not have resources to detect and remediate insecure web applications, and 64 percent said they believe that their organization have inadequate governance and usage policies.”

The results of the survey from the Ponemon Institute are based on responses from 637 practitioners in a variety of industries with an average of 11 years of experience in their profession.

The IT Messaging Challenge: Multi-Platforms

Stephanie Jordan — Fri, 25 Feb 2011 18:48:15 +0000

While the diversity of messaging options continues to grow, one emerging fact is that all of the options are here to stay. This makes for an IT challenge, as the role of the messaging administrator is no longer just about email. Being an Exchange expert is still extremely valuable, but some are saying organizations are going to need IT specifically trained in other emerging messaging methods. Employees will argue for (and bring in without necessarily obtaining permission) the preferred methods of communication, whether it is a mobile platform of choice, iPads, or perhaps soon Facebook’s Social Inbox.

The universe of common platforms within business has been largely the Windows universe, whether for the laptops or mobile devices for smartphones but that has changed a lot,” observes Tim Helming, director of product management for WatchGuard Technologies, Inc. Helming points to mobile platforms as an example. “Apple has been making inroads and Android is growing like mad.”

IT Department on the Spot

What does this mean from a security standpoint or for user support? It means that the strain on the IT department for protection and services is growing right along with the diversity of messaging options.

What can IT do? According to Helming a good gateway security solution is critical, as he points out that many of the different platforms may not be under corporate control. “The gateway is one place that the business can exercise a lot of control. For all the discussion these last few years about the perimeter and that the perimeter is disappearing or there is no perimeter anymore, it is actually not true. At WatchGuard, we look at it like the perimeter shrinks and hardens, but it is still very important. If IT issued and controlled all those mobile assets and every smartphone and every iPad, then you might be able to work with it because of the possibility of installing client software on all those devices, but today’s reality is that IT doesn’t issue all of those platforms.”

The diversity of messaging options is also being acknowledged by malware writers, who are using the full range of methods available to reach out to users. Like any business, cybercriminals want to get the biggest bang for their nefarious buck, and so while there are lots of platforms out there, the targets tend to be the ones that offer the highest yields.

Threat to Mobile

In the coming year, Julian Lovelock, senior director, product marketing for ActivIdentity Corporation believes that given the proliferation of mobile platforms, that we won’t see a lot of malware on mobile phones. “There is no one single point to compromise where you can get 90 percent of the users,” says Lovelock. “We have already seen that in the last ten years if you look at viruses on Mac compared to Windows. Some would argue that the Mac is more secure, but fraudsters will go to where the easiest targets are. If I can write a virus that will compromise 90 percent of the machines, I am going to focus on that. Now you are going to see that in the mobile world even more pronounced, because you have ten different platforms out there. The cost to benefit analysis for investing time in writing a virus to compromise Android doesn’t look that appealing, because it only gets a relatively small proportion of the market. Yes, we will see some compromises. Yes, they will be high-profile because it will make good headlines, but whether they actually represent substantial percent of the fraud this year, I doubt it.”

Don’t forget Email

With all of the new messaging mediums out there, and the amount that we are hearing about them, it might be tempting to think the messaging stalwart, email, is not as much of a concern anymore. But this would be untrue. “Email is still a battle,” says Paul Judge, chief research officer for Barracuda Networks, Inc.. “Email is not as much of a headline in day to day conversation as it has been, but companies still keep busy blocking malware. It’s a popular vector for pointing people towards a Web-based attack. This is especially true of targeted attacks. If the attacker is going after a particular company and they want to reach those employees, the most efficient way to get them is still email. Generally, email spam is still 80 percent of the traffic.”

A New Kind of Control

Controlling multiple messaging platforms in organizations is a challenge that messaging vendors are working to address. “Malicious activity and user popularity for Facebook, Twitter and other social media is causing many vendors to add functionality to keep up with the specific demands of getting into a social network” comments Judge. “Understanding the applications and going beyond allowing or blocking, but being able to control specific features within the application. It’s making the [messaging] industry evolve a little bit.”

That request for flexibility in controlling messaging within organizations is being echoed everywhere. “Facebook is being used by a lot of companies as part of their marketing effort, and you can say the same about Twitter, and YouTube,” points out Helming. “Companies are looking for ways to not just say no to Twitter, Facebook and You Tube, but to manage the way those applications are accessed.” He also notes that beyond legitimate business use of the applications, IT is asking for ways to limit features or how features are accessed. “A company may want to allow the games during the lunch hour, or allow the games, but only a small amount of bandwidth, so if people want to play FarmVille for example, it is going to be really slow.”

Gain Visibility

Most all experts agree that one of the best first steps in controlling a number of messaging platforms within an organization is understanding what’s in use and putting a policy in place regarding them. “The policy might not be a simple no, nor about enforcement. It is about auditing and visibility,” explains Helming. “A lot of times what I hear from our customers or prospective customers, is: ‘I don’t want to just enforce a policy, I want to see what is going on. In a lot of cases, I do not even want to block it, I just want to know who is doing what.’ It is not a formal tagline for WatchGuard, but it is a description conveyed in what we do: Our products don’t just defend they illuminate. They give that kind of visibility into what is going on in a network. Having a report on who is using what application or where the bandwidth is being used — is just about the most valuable thing an IT person can have.”

Obtaining visibility into messaging multi-platforms within the organization is helpful not only for internal controls, but also for external compliance. It is an exercise worth doing.

For Messaging, RSA Conference Focuses on Email, Web and Mobile Security

Stephanie Jordan — Thu, 17 Feb 2011 08:25:12 +0000

The RSA Conference held in San Francisco’s Moscone Convention Center this week offers a glimpse into the hopes of a post-recession IT boom. Very debatable that the recession is actually over, but to me this year was characterized by more foot traffic than in recent years, the return of bigger booths and promotional stunts including knights in shinny armor, blue girls, and pirates.

When it came to messaging, common discussion points included malicious activity on social media sites like Facebook and Twitter, the increase in interest and adoption of email encryption, the rise of hacktivisim, the decrease in spam levels (and the various theories as to why), and the cloud among other topics.

While the show runs an entire week, the first half of this week has seen a variety of news announcements for the messaging space. Here are a few highlights as of press time:

Barracuda Networks Inc. re-announced its Barracuda Web Security Flex, which unifies SaaS, appliance and remote filtering deployment options under a single management and reporting portal.

Cisco announced its new SecureX Architecture, which enables context-aware security enforcement, and that the first to offer the context-aware firewalling and policy enforcement is the Cisco Adaptive Security Appliance (ASA).

GlobalSCAPE announced its new hosted MFT (managed file transfer) solution in its GlobalSCAPE’s cloud MFT suite. GlobalSCAPE Hosted Enhanced File Transfer Server is a service that expands the company’s cloud-based Managed Solutions, launched in July 2010.

M86 unveiled M86 MailMarshal 7.0, a complete overhaul and re-architecture of its software-based email policy management solution that boasts support for Microsoft Exchange 2010.

Messageware offered a demo of its new software solution, OWA (Outlook Web Access) Guard for Exchange Server 2010, an endpoint security software enhancement that is designed to protect both businesses and their employees from unauthorized access to corporate information. (The product is in beta and expected to be released next quarter.)

Solera Networks demonstrated its recently announced Solera OS 5.0, a major update to its network forensics platform, which offers real-time and historical views of everything on the network, think surveillance camera.

SRA International, Inc. announced the launch of its SRA One Vault Messenger, an encryption solution for SMS text messaging for BlackBerry smartphones, the latest addition to the SRA One Vault suite of products released in 2010.

ValidEdge unveiled its new Network Malware Security, a combined hardware and software solution, that monitors critical networks for any suspect code intrusion, performs instant analysis and issues alerts for IT personnel.

Voltage Security, Inc. announced v4 of Voltage SecureMail, an email encryption solution. The new version offers enhanced end-user experience and business features for global enterprises.

Websense offered a demo of its new Mobile DLP capability that uses Websense DLP technology to prevent the loss of confidential data on iPads, iPhones, Android, and other mobile devices.

ZixCorp announced a new product, ZixMobility, for the email encryption market that aims to enhance ease of use for encrypted email on a number of major smartphone platforms including Android, BlackBerry and iPhone.

Zscaler, Inc. unveiled Zscaler Mobile, which works in tandem with Zscaler’s existing Web and email cloud security services, to enforce the same policy for users wherever they go, across all devices.

There is always so much to see and learn at RSA. I always leave wishing I had more time for more meetings, more introductions and more lectures. This year proved to be no different!

New Features Added to Barracuda Spam and Virus Firewall

Stephanie Jordan — Thu, 01 Jul 2010 19:15:14 +0000

The Barracuda Spam & Virus Firewall is an integrated hardware and software solution that offers email servers anti-spam, anti-virus, anti-spoofing, anti-phishing, anti-spyware, and Denial of Service protection. Yesterday Barracuda Networks Inc., announced new features that extend the Barracuda Spam & Virus Firewall’s capabilities. The enhancements ensure that confidential or sensitive information is not distributed outside the organization.

“It is crucial for organizations, especially within highly regulated industries, to have the ability to protect intellectual property and other sensitive information from being distributed,” says Stephen Pao, vice president of product management for Barracuda Networks. “The new Barracuda Spam & Virus Firewall extends our powerful content scanning features and makes it easier for customers to manage both inbound and outbound email filtering from the same appliance.”

How it works: the new Barracuda Spam & Virus Firewall allows administrators to define policies to prevent confidential or sensitive information from leaving the organization. For example, hospitals and other healthcare organizations that must comply with HIPAA policies that mandate the confidentiality of sensitive patient information, such as social security or credit card numbers, as well as personal health information, can now apply pre-defined dictionaries to outbound email scanning to ensure compliance. In addition, administrators can set up separate rules for inbound and outbound filtering, and review the outbound email quarantine for any policy violations before delivery.

The company also announced administration enhancements that include increased granularity of its roles-based administration interface, enabling assignment of sender and recipient policies on a per-domain basis. The product is used by small organizations, as well as large organizations with as many as 200,000 employees. The enhancement is especially targeted to these larger organizations that need to delegate administration across different divisions and for service providers offering granular policy controls directly to their end customers.

The Barracuda Spam & Virus Firewall firmware release 4.1 is available now.