Systems and Technology, by Paul Nowak<br />
<h2>Managed Physical Security Services</h2>
Published 2012-01-12<br />
For many years, the IT world has been migrating to 'cloud' computing, and managed services are an excellent offering for many organizations. Among the various types of services, managed security services are a viable option. For a monthly fee, a third party can manage many levels of security services that would cost far more to cover with a single employee, and because it has multiple specialists on staff, a managed security company can provide defense in depth to subscribers.<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpgsTNVL9kycNTtB2j3VRdN_tB642dJKeDGV-1DOyY4FfcjIDx0QQA9VXh8wccUCXgykUbM1J0GSho2e0bE6Dzov-sRgcVbX8PD1KoqZW3bPI9ZZG5GbSyuK5-1LT-3BIR7e6ha5U3NS43/s1600/security+services.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpgsTNVL9kycNTtB2j3VRdN_tB642dJKeDGV-1DOyY4FfcjIDx0QQA9VXh8wccUCXgykUbM1J0GSho2e0bE6Dzov-sRgcVbX8PD1KoqZW3bPI9ZZG5GbSyuK5-1LT-3BIR7e6ha5U3NS43/s200/security+services.jpg" width="200" /></a>This kind of service is now gaining acceptance as an opportunity for managed physical security. Many organizations would rather not have a security solution that requires a server that needs to be managed, training and retraining of personnel, and the other sometimes cumbersome duties that come with a world-class security solution. Compromising on physical security is an accident waiting to happen, so that is a painful option. For many organizations, having a physical security vendor that provides a service to outsource many of the maintenance headaches is an attractive alternative.<br />
New employee? Send the information via email and get the credentials created and access assigned. Problem with the system? Technical staff will see the problem and take remediation steps immediately. Reports required to document an event? Simply email and have the report generated for you.<br />
These types of systems also allow for the end user to connect to their management interface through a secure webpage and administer the system themselves. Many items such as unlocking doors, setting timed events and irregular closings happen on a regular basis. The customer can tend to these matters personally, or have the security provider administer them as well.<br />
These systems have been around for quite some time, and there are some successful building management companies providing this service. Until very recently, these providers used completely proprietary systems. This can be problematic, as once the system is installed, the customer is locked into that one vendor for the life of the system. Now more competition has entered the field by bringing non-proprietary systems into the workplace.<br />
The more attractive solution, using readily available parts and systems that have wide acceptance, gives the end user more power over their security choices. A customer can choose the product that is best suited to their needs without locking themselves into the 'one vendor, one solution' trap. The local hardware can be serviced by a number of integrators, and if your desire for better customer service becomes great enough, switching vendors does not require the expense of a new system.<br />
This solution only requires that the vendor of choice has very strong networking personnel. The solution runs over the internet, and the problems that arise are most often connectivity issues. Only well-trained and experienced network engineers can make these systems perform at their best. This is the best way to ensure utility, continuity and essential interaction.<br />
<h2>Video Post</h2>
Published 2010-12-07<br />
This video is a bit long, but in it I discuss several points about physical security providers, the technologies that enable security integration, and where some of this is going.<br />
<br />
It takes a while to load, and the quality is that of a quick webcast.<br />
<br />
<br />
<div class="MsoNormal"><span style="font-size: 10pt;"><a href="https://securityanswers.webex.com/securityanswers/ldr.php?AT=pb&SP=MC&rID=14152827&rKey=90a2f8f0f327247c">https://securityanswers.webex.com/securityanswers/ldr.php?AT=pb&SP=MC&rID=14152827&rKey=90a2f8f0f327247c</a></span></div><br />
Thanks for watching. <br />
<br />
<br />
<br />
<h2>You are only as good as your last backup.</h2>
Published 2010-07-22<br />
<div class="zemanta-img separator" style="clear: right;"><a href="http://commons.wikipedia.org/wiki/File:Backup_Backup_Backup_-_And_Test_Restores.jpg" style="clear: right; display: block; float: right; margin-left: 1em; margin-right: 1em;"><img alt="Backup Backup Backup - And Test Restores" height="289" src="http://upload.wikimedia.org/wikipedia/commons/thumb/e/ee/Backup_Backup_Backup_-_And_Test_Restores.jpg/300px-Backup_Backup_Backup_-_And_Test_Restores.jpg" style="border: medium none; font-size: 0.8em;" width="300" /></a><span class="zemanta-img-attribution" style="clear: both; float: right; margin-left: 1em; margin-right: 1em;">Image via <a href="http://commons.wikipedia.org/wiki/File:Backup_Backup_Backup_-_And_Test_Restores.jpg">Wikipedia</a></span></div>Those are commonly used words, but think about it for a second. Is your backup timely, available and worthwhile? When catastrophe strikes, what is on the backups you have? Do you have off-site plans, so that if your servers are destroyed, your business is not? Have you ever backed up and then restored onto a new machine? Have you implemented a process to regularly test your backups to see whether you can use them?<br />
<br />
Backups are like a nuclear bomb; unless you have run a successful test, you don't have one.<br />
<br />
I am often called to work at company locations where the servers have collected dust over the last decade, tape media has been used over the life of the machine without ever being rotated out, and nothing is kept off-site. As I look in horror at the task ahead of me, the principals of these companies are telling me how critical the systems are to their business. This is also true of many enterprises, where although backups abound, they have not been tested on a regular basis.<br />
This problem, like many technology problems, has no one right answer. The answer depends upon the criticality of the data, your acceptable level of downtime, and the cost and complexity that you are willing to accept for the solution. The rule of thumb for any organization, as long as it uses computers and software, is to have one regular backup on site and another at a remote location.<br />
Local or onsite backups can go either to a disk array dedicated to backups or to tape, with data backed up on a regular basis. The first step in any backup is to do a full backup, which copies everything as it is onto the backup media. This is not a once-and-done type of backup, and should be performed regularly. Monthly or quarterly full backups are acceptable, but an annual full backup, while fine for non-critical information, is not recommended for your most critical data. Your accounting database, any operational software, and email data are usually the most sought after following a system crash and are therefore generally the most critical.<br />
After a full backup is performed, differential or incremental backups can follow. A differential backup looks at the data, sees what has changed since the last full backup, and backs up only those changes. An incremental backup is roughly the same, except that it captures only what changed since the previous backup of any kind, so when restoring you would first restore the full backup and then each incremental backup in sequence. There are many other differences besides that, but I'm trying to keep this as a blog for the masses, not just for geeks.<br />
These backups also need to be done to a remote location, often a hosted backup service. There are quite a few vendors out there for this, one of them has famous commercials where people put their laptops in the microwave or get hit by falling satellites. Many larger organizations have this policy in place where there is a remote site that backs up the data and serves as a data repository or redundant data center. The insurance policy that this buys for a company is worth every penny. The onsite backup procedures are helpful when a file is lost, something gets corrupted or a server crashes. But what if the physical location of the server area is inaccessible or destroyed? Without a reliable offsite backup, your company may never recover. <br />
The key to backing up your data is to test a restore of your data regularly. Until you do that, you cannot be sure that everything is working correctly. Depending on your company's tolerance for risk, this could be done monthly, quarterly or, at worst, annually. If this is done regularly as a matter of policy, then good procedures for getting systems back online will be easily developed, and in a time of crisis you will have assurance that at least the systems can come back up.<br />
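The full/differential/incremental chain and the "test your restore" rule above, worked through as an added example (my code, not the post's). It models a server as a dict of path to bytes, uses the standard definitions (a differential holds what changed since the last full backup, an incremental what changed since the previous backup of any kind), and counts a restore as successful only when every restored file's SHA-256 matches a checksum list kept separately from the backup media. The sample files, the lost-tape scenario and the function names are all constructed for the illustration.

```python
"""Added example (not part of the original post): an in-memory model of full,
differential and incremental backups, plus the restore test the post insists on.
Assumptions (mine, not the post's): a "system" is a dict of path -> bytes;
a differential backup holds what changed since the last FULL backup, an
incremental backup holds what changed since the PREVIOUS backup of any kind;
a restore only counts as successful when every restored file's SHA-256 matches
an independently kept checksum list taken when the last backup ran."""
import hashlib
from dataclasses import dataclass


@dataclass
class Backup:
    kind: str        # "full", "differential" or "incremental"
    files: dict      # path -> bytes captured by this backup
    deleted: set     # paths removed since this backup's reference point
    manifest: dict   # path -> sha256 of the whole system when captured


def digest(data):
    return hashlib.sha256(data).hexdigest()


def manifest(system):
    """Checksum list for a whole system; keep a copy somewhere other than the backup media."""
    return {path: digest(data) for path, data in system.items()}


class BackupSet:
    """One chain: a full backup followed by differential and/or incremental backups."""

    def __init__(self):
        self.chain = []

    def full(self, system):
        self.chain = [Backup("full", dict(system), set(), manifest(system))]

    def differential(self, system):
        # Reference point is the last full backup, so each differential is self-sufficient.
        self.chain.append(self._delta("differential", system, self.chain[0].manifest))

    def incremental(self, system):
        # Reference point is whatever ran last, so every link in the chain is needed.
        self.chain.append(self._delta("incremental", system, self.chain[-1].manifest))

    def _delta(self, kind, system, reference):
        changed = {p: d for p, d in system.items() if reference.get(p) != digest(d)}
        deleted = set(reference) - set(system)
        return Backup(kind, changed, deleted, manifest(system))

    def sizes(self):
        """Bytes stored per backup: shows why differentials grow and incrementals stay small."""
        return [(b.kind, sum(len(d) for d in b.files.values())) for b in self.chain]

    def restore(self):
        """Replay the chain: full first, then each later backup in order."""
        state = {}
        for b in self.chain:
            if b.kind in ("full", "differential"):
                state = dict(self.chain[0].files)  # both are relative to the full backup
            for path in b.deleted:
                state.pop(path, None)
            state.update(b.files)
        return state

    def test_restore(self, expected_manifest):
        """The post's point: a backup is only real once a restore has been verified."""
        return manifest(self.restore()) == expected_manifest


def build_sample(kind="incremental"):
    """Constructed sample: a small server backed up nightly after a full backup."""
    system = {
        "accounting/ledger.db": b"ledger v1",
        "mail/inbox.mbox": b"mail v1",
        "ops/config.ini": b"config v1",
    }
    bs = BackupSet()
    step = bs.incremental if kind == "incremental" else bs.differential
    bs.full(system)                                   # monthly full backup
    system["accounting/ledger.db"] = b"ledger v2"     # night 1: the ledger changed
    step(system)
    system["mail/inbox.mbox"] = b"mail v2"            # night 2: mail changed...
    del system["ops/config.ini"]                      # ...and a file was removed
    step(system)
    return bs, manifest(system)                       # checksums kept off the backup media


def lose_backup(bs, index):
    """Model a tape reused instead of rotated: one link of the chain is gone."""
    damaged = BackupSet()
    damaged.chain = [b for i, b in enumerate(bs.chain) if i != index]
    return damaged


if __name__ == "__main__":
    for kind in ("incremental", "differential"):
        bs, expected = build_sample(kind)
        print(kind, bs.sizes(), "intact restore ok:", bs.test_restore(expected),
              "restore with night 1 lost ok:", lose_backup(bs, 1).test_restore(expected))
```

Running it shows the trade-off the post alludes to: the incremental chain stores fewer bytes per night, but losing the night-1 tape silently yields the wrong ledger, which only the checksum comparison catches; the differential chain stores more per night but still restores correctly with the same tape missing.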
<h2>Risk Assessment</h2>
Published 2010-07-16<br />
Risk management, or really risk mitigation, is a relatively new science, but one that has real value if handled properly. The goal of managing risk is to ensure that the confidentiality, availability and integrity of your assets stay intact regardless of the situation. The fundamental first step in managing risk is to thoroughly identify what all of the risks are, without turning a blind eye to anything, through a risk analysis. There are many aspects to performing a risk analysis for your assets, and one of the most widely used methods that can capture those aspects in a meaningful way is a qualitative risk assessment. This method is scenario driven, and ranks the seriousness of risks and the sensitivity of assets into easy-to-understand classes or grades.<br />
<br />
<br />
<table border="1" cellpadding="4" cellspacing="0" style="border-collapse: collapse;">
<thead>
<tr><th>Score</th><th>Damage</th><th>Trigger Time</th><th>Potential Impact</th></tr>
</thead>
<tbody>
<tr><td>High</td><td>Critical</td><td>Minutes to Hours</td><td>Loss of life, failure of business, legal charges</td></tr>
<tr><td>Medium</td><td>Disruptive</td><td>Hours to Days</td><td>Bad PR, loss of customers, loss of prestige, loss of income</td></tr>
<tr><td>Low</td><td>Moderate</td><td>Days to Weeks</td><td>Requires workaround, reduction in output</td></tr>
</tbody>
</table><br />
It is important to assign a subjective assessment of risk to specific assets. To do this, a group should participate in the process, and the person responsible for maintaining the asset should be involved. This can be conducted through meetings, brainstorming sessions or a thorough questionnaire that can help protect anonymity and therefore enable complete openness. <br />
<br />
Basic steps for performing an assessment should include:<br />
1. List all of the organization's critical assets in a spreadsheet.<br />
2. Specify the threats and vulnerabilities for each asset.<br />
3. Develop a consistent exposure severity scale that covers all assets.<br />
4. Order the list from the most critical asset to the least.<br />
5. Prioritize funds to mitigate risks based upon the criticality of the asset and the threat.<br />
6. Ensure that the assets achieve a much lower exposure.<br />
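The six steps above, carried through on a small register as an added example (my code, not the post's). It transcribes the post's three-grade table as the one shared scale, refuses any grade that is not on it (step 3), orders assets by their worst-graded threat (step 4), and checks whether a recorded mitigation actually lowered an asset's exposure (step 6). The assets, threats and grades in the register are constructed for the illustration, and the tie-break rule (number of threats at the worst grade, then asset name) is my assumption, not something the post specifies.

```python
"""Added example (not part of the original post): a qualitative risk register
that applies the post's three-grade scale and walks through steps 1 to 4 and 6
of the assessment. Assumptions (mine): each (asset, threat) pair is graded
High, Medium or Low using the Score column of the post's table; an asset's
exposure is its worst-graded threat, ties broken by how many threats sit there."""

# The post's scale, transcribed from its table (step 3: one scale for every asset).
SCALE = {
    "High":   {"damage": "Critical",   "trigger_time": "Minutes to Hours",
               "impact": "Loss of life, failure of business, legal charges"},
    "Medium": {"damage": "Disruptive", "trigger_time": "Hours to Days",
               "impact": "Bad PR, loss of customers, loss of prestige, loss of income"},
    "Low":    {"damage": "Moderate",   "trigger_time": "Days to Weeks",
               "impact": "Requires workaround, reduction in output"},
}
RANK = {"High": 3, "Medium": 2, "Low": 1}

# Constructed sample register: steps 1 and 2, assets with their threats and grades.
SAMPLE_REGISTER = {
    "Accounting database": {
        "ransomware on the file server": "High",
        "disk failure with no tested backup": "High",
        "report export error": "Low",
    },
    "Email server": {
        "phishing-led account takeover": "Medium",
        "spam flood": "Low",
    },
    "Warehouse door controller": {
        "connectivity loss to managed service": "Medium",
        "badge reader fault": "Medium",
    },
    "Public website": {"defacement": "Medium"},
    "Office printer": {"toner shortage": "Low"},
}


def off_scale_grades(register):
    """Every (asset, threat, grade) whose grade is not on the shared scale."""
    return [(asset, threat, grade)
            for asset, threats in register.items()
            for threat, grade in threats.items()
            if grade not in SCALE]


def validate(register):
    """Step 3: refuse inconsistent grades so that rankings stay comparable."""
    bad = off_scale_grades(register)
    if bad:
        raise ValueError(f"grades not on the scale: {bad}")


def worst_grade(threats):
    return max(threats.values(), key=RANK.__getitem__)


def exposure(threats):
    """(rank of worst threat, number of threats at that grade); higher tuple = more exposed."""
    worst = worst_grade(threats)
    return (RANK[worst], sum(1 for g in threats.values() if g == worst))


def prioritize(register):
    """Step 4: order assets from most to least critical; ties fall back to the asset name."""
    validate(register)
    return sorted(register, key=lambda a: (-exposure(register[a])[0],
                                           -exposure(register[a])[1], a))


def describe(asset, threats):
    """One line per asset for the ordered list, pulling the table's columns for its grade."""
    worst = worst_grade(threats)
    row = SCALE[worst]
    return (f"{asset}: {worst} ({row['damage']}; trigger time {row['trigger_time']}; "
            f"{row['impact']})")


def remediate(register, asset, threat, new_grade):
    """Step 6: record a mitigation and report whether the asset's exposure actually dropped."""
    before = exposure(register[asset])
    updated = {a: dict(t) for a, t in register.items()}   # leave the original register intact
    updated[asset][threat] = new_grade
    validate(updated)
    return updated, exposure(updated[asset]) < before


if __name__ == "__main__":
    for asset in prioritize(SAMPLE_REGISTER):
        print(describe(asset, SAMPLE_REGISTER[asset]))
    after, dropped = remediate(SAMPLE_REGISTER, "Accounting database",
                               "disk failure with no tested backup", "Low")
    print("exposure reduced:", dropped, "->", exposure(after["Accounting database"]))
```

The remediation check is the part worth copying: downgrading one of the accounting database's two High threats lowers its exposure from (3, 2) to (3, 1), but the asset still sits in the High class because the ransomware threat is untouched, which is exactly the kind of result step 6 is meant to surface before funds are declared well spent.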
<br />
Often, it seems easier to handle events as they arise, since the frequency of negative events is very low and does not seem to justify the costs. The value proposition here is to reduce the possibility of impact to the business. It is helpful to avoid such situations by understanding:<br />
- What is at risk<br />
- The value that is at risk<br />
- The kinds of threats that could occur and their annualized financial consequences<br />
- What can be done to reduce risks and the acceptable costs of doing so<br />
<br />
Risk assessment also enables a strategic approach to risk management, and could produce critical decision support information when changes or upgrades to the existing infrastructure are being considered. Only when the risks are fully understood can mitigation of risk take place. It is possible to put in safeguards that can protect against more than one threat, but the best safeguards cannot be accurately chosen without careful analysis of the challenges and threats.<br />
<br />
<h2>The Human Firewall</h2>
Published 2010-07-09<br />
Social engineering is an attack on your greatest asset, defense and weakness: the Human Firewall. There are people who practice it as a means to bypass all of the electronic defenses that have been put in place to stop someone from coming into the network through the internet. All of the time, money and effort spent putting the logical and physical perimeter defenses in place can be for nothing. It is also the most insidious attack, since it is targeted specifically against one company, or even one person in particular.<br />
Most attacks take time, since the social engineer has to do some homework before expecting to gain access or achieve a successful breach. The ease of the reconnaissance phase has also been greatly aided by technology. Google Maps, social networking sites and even your company's website can provide valuable information to an attacker. The social engineer can then gain further insight by learning employees' names from their badges at local restaurants or coffee shops, or from late-night calls into the company, where the greetings on employees' voice mail give away a great deal more.<br />
Eventually, they can learn enough to pose as a repairman from one of your vendors, arrange a fictitious appointment, or even drop a targeted USB key or CD/DVD that appears to come from a vendor where it could be run from inside the company. There are also many more attacks, but this is a blog about prevention, and I would be more than happy to discuss those offline. The best way to defeat the attack is before it can get all the way in.<br />
The key to thwarting any kind of attack is to keep the human firewall updated. Good education alone is a huge help, but not enough. Like any good plan, it needs to be tested so that corrections can be made to what you are doing. Also, setting policies and procedures for people to follow makes it very easy for employees to understand some basic guidelines of protection. This is good for the employee personally, since protecting their privacy is in their own best interest as well. Privileges for individuals should never be more than is required to do their job. The Director of Finance, the Receptionist and the Warehouse Manager all need access and data access rights to do their jobs, but those jobs are very different from each other and the rights should be set up that way.<br />
Social engineering is not always obvious, since it is meant to be very subtle and to play on emotions and habits that people strive to have. This isn't an automated attack run from a distance against your network; it is meant to facilitate a technological breach up close and in person. Social engineering attacks take time to set up, develop and execute. Like most criminals, when faced with a system that is defending well and a high risk of getting caught, the social engineer will eventually lose patience and move on.<br />
<h2>What in the world is a Bot?</h2>
Published 2010-07-05<br />
<p class="zemanta-img separator" style="clear: right;"><a href="http://commons.wikipedia.org/wiki/File:Botnet.svg" style="margin-left: 1em; margin-right: 1em; display: block; float: right; clear: right;"><img src="http://upload.wikimedia.org/wikipedia/commons/thumb/c/c6/Botnet.svg/300px-Botnet.svg.png" alt="How a botnet works: 1. A botnet operator sends..." style="font-size: 0.8em; border: medium none;" width="300" height="232"></a><span class="zemanta-img-attribution" style="margin-left: 1em; margin-right: 1em; clear: both; float: right;">Image via <a href="http://commons.wikipedia.org/wiki/File:Botnet.svg">Wikipedia</a></span></p>The computer vernacular has given us many terms, but Botnet describes something that everyone should be aware of. Also known as Ghostnets or Zombie Farms, botnets are used for the kinds of malicious activity this blog usually talks about. Individual computers are infected with a virus that places them under a command and control structure, turning them into 'Bots', short for robots. The virus can arrive as simply as in an email or as code on a website, and once installed it can be very difficult to detect and eradicate. The bot is then grouped together with other bots to perform malicious activity, such as sending out spam email or 'Denial of Service' attacks.<br />
Now while all of this seems harmless, consider what is happening. Someone with bad intentions owns your machine more than you do, and uses it to attack the livelihood of others. These people can rent out their botnets to other criminals to send out spam, or use them for direct attacks on companies as they demand ransom. These endeavors can be lucrative, so the practice continues.<br />
Also consider that sometimes it can be state sponsored terrorism or spying. The attack on the Dalai Lama started out among supporters of Tibet through an email hack and wound up infecting over 12,000 computers in many different countries' embassies and consulates. The Dutch police found a 1.5 million node botnet, and the Conficker virus created over 10 million bots around the world. Many of these networks have scaled back to elude detection to below 20,000 machines, but big networks still exist and operate.<br />
Aside from things such as spam and credit card fraud that these systems are often used for, there are other implications that also bear looking at. The attack on the Pentagon in 2007 created immense collateral damage to machines around the world, mostly here in the US, as botnets ramped up and attacked the firewalls of the Pentagon. This created an immense slowdown of the internet as vulnerable systems were converted into soldiers in the attack. The spike in traffic went well over the normal 60TB of data that is moved on the internet each day, creating a global slowdown and disruption of everything from commerce and banking to every other use the internet has.<br />
These can be avoided quite simply for now with some basic maintenance to the average computer and user:<br />
1. Patches and Updates. Seems simple, but so often either overlooked or just not done.<br />
2. Firewalls (Hardware and Desktop) are configured correctly and monitored.<br />
3. Anti-virus is everywhere.<br />
4. Policies, guidelines and procedures, and then education about those same items. It is helpful to write in a manual that a user should not pick up a found USB key and insert it into their company desktop. It's more helpful if the employee is told that the policy exists and why.<br />
Another simple fix is to outsource your security. Many of the attacks that are well documented are inside jobs. Rio Tinto in 2009 and Societe Generale in 2008 were both billion-dollar losses because the people inside the company had access, knowledge and privileges. By finding a trusted partner to handle either the total security defense, or to provide oversight of the internal resources, a savvy businessman can ensure that all threats, inside and out, are being carefully handled.<br />
<h2>IT Security Breaches</h2>
Published 2010-06-08<br />
I took some time this week to look at data breaches for this blog, and am completely amazed at how commonplace data exposure has become. AT&T, the NYC Department of Education, and many other big names have been in the news just within the last month. 222 million records were breached in 2009. Many of the people affected have still not been notified of the breaches concerning their data.<br />
Data breaches have become all too common, and what was once enough of a scandal to bring down the company that had a breach is now looked at as just news. Data privacy is one of the most important goals of IT security. Financial malfeasance such as robbing banks is the number one crime, but the theft and loss of Personally Identifiable Information, or PII, should be second only to that crime in scope and importance. The havoc that the loss of this data can cause to the people affected by a breach is very real and of major consequence.<br />
The combination of breaches, such as taking one list and comparing it to one or more stolen lists is the nightmare scenario for any consumer. If matches are found, which is an inevitable occurrence, the consequences of having all relevant PII about a collection of individuals is very real. The problem that so many people and organizations fail to realize, is that just a fraction of these ARE fully or partially exploited, and the cost is easily in the billions of dollars for the combined group affected. Without getting into too many details, criminals or foreign agents could in effect completely become another real person, or at least access the wealth, savings and credit of that person. No one person is above this risk, since from the richest to the poorest, everyone is on thousands of electronic lists.<br />
Right now it is estimated that fully two thirds of the companies in America lack a database security plan. Many of these do so at their peril, by putting too much faith in the firewall, or other singular methods of security. The resulting scandal from a small local business is much worse than for AT&T, which has a prepared legal and PR team at their disposal. They also do it at our peril, since the data that gets taken often is of a deeply personal nature.<br />
Remedies are not easy, cheap, or fast. They are necessary.<br />
1. Practice security-in-depth. Look at physical security, the firewall, internet filters, anti-virus programs and policies as one unit working together. Enforce tough policies across the organization, harden the systems, and deal with shortcomings honestly and as a priority.<br />
2. Have a regular review of your security posture, at least annually, to ensure that the evolving nature of the threat doesn't advance beyond you.<br />
3. Test your procedures. Hire someone to test your defenses, and see what happens. This could be done in-house, but it has only truly been tested if someone outside your organization tries.<br />
<br />
When I looked at data breaches this week, I could also tell how small a problem this seems to be when it is reported on. Most breaches flare up on the news channels, but the bigger companies hunker down and weather the days of bad publicity. Soon something else will come along, like the Gulf of Mexico tragedy, to put the average American into overload. A culture of prevention and security needs to surround this part of our lives. I have tried to avoid sounding like a full-on advertisement on this blog, but this should be a driving force to get security professionals involved. With concerted effort and corporate buy-in, many of the problems could be avoided. With enough of a defensive posture in place, large-scale attacks on multiple systems can be detected and thwarted. With enough mechanisms in place, small businesses can be spared the agony of being wiped out through scandal, litigation and remediation after losing all of their customer records. <br />
<br />
Sounds like it's worth it to me.Paul Nowakhttp://www.blogger.com/profile/02060430701439440143noreply@blogger.com0tag:blogger.com,1999:blog-3300152784434538766.post-3057362928408879232010-06-04T15:02:00.005-04:002010-07-06T17:45:40.976-04:00DNSSEC<p class="zemanta-img separator" style="clear: right;"><a href="http://commons.wikipedia.org/wiki/File:Ams-ix.k.root-servers.net.jpg" style="margin-left: 1em; margin-right: 1em; display: block; float: right; clear: right;"><img src="http://upload.wikimedia.org/wikipedia/commons/thumb/f/ff/Ams-ix.k.root-servers.net.jpg/300px-Ams-ix.k.root-servers.net.jpg" alt="A Cisco 7301 router, part of the AMS-IX mirror..." style="font-size: 0.8em; border: medium none;" width="300" height="225"></a><span class="zemanta-img-attribution" style="margin-left: 1em; margin-right: 1em; clear: both; float: right;">Image via <a href="http://commons.wikipedia.org/wiki/File:Ams-ix.k.root-servers.net.jpg">Wikipedia</a></span></p>DNSSEC stands for DNS Security Extensions, and is designed to add security to the Domain Name System. As of May 5th, the last root server went through a transitional milestone in the deployment of this protocol across the root DNS servers. As a result, all root servers are now serving up longer responses for DNSSEC requests. Full implementation of this new and major upgrade to the security of DNS at the root server level is expected to be finished by mid-July. This will protect the DNS function from certain attacks, and all major DNS systems will be required to provide full or partial DNSSEC functionality within the next few years.<br />
Specific functions within a multi-campus company, or business transactions that use HTTPS (SSL), can gain more security and integrity when DNSSEC is in use. It provides origin authentication, data integrity, and authenticated denial of existence. One of the easy transition methods is the deployment of a DNSSEC appliance, which serves as a DNS signer for DNS zones. This can be a large appliance costing several thousand dollars, or as inexpensive as a several-hundred-dollar, more portable device such as a card or USB token.<br />
<br />
These devices, known as Hardware Security Modules (HSMs), support other applications as well, in addition to accelerating DNSSEC compliance.<br />
<br />
The applications are many, but HSMs are commonly deployed for such things as <br />
1> Card Payment Systems<br />
2> PKI Environments<br />
3> Automated Teller Machines<br />
4> POS Terminals<br />
<br />
For these and other types of systems, the HSM helps to securely encrypt data held in a relatively insecure database, to verify the integrity of the data in a database, and to verify digital signatures.<br />
The HSM carries FIPS 140-1 and 140-2 validation, and for the most part uses widely accepted algorithms. It is much preferable to choose a system that does not use a proprietary algorithm, so that the HSM provides proven functionality for all necessary functions. <br />
<br />
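To make the "data integrity" and "authenticated denial of existence" properties mentioned at the top of this post concrete, here is an added example (not code from the original post, and not from any DNSSEC product) modelling two of the checks a validating resolver performs: whether an RRSIG is inside its validity window, and whether an NSEC record proves that a queried name does not exist. The zone name, NSEC chain and signature times are constructed sample data. A real validator also verifies the signatures themselves against the zone's DNSKEY, which is left out here.

```python
"""Added illustration (not from the original post) of two checks a DNSSEC
validating resolver performs: the RRSIG validity window (RFC 4034 s3.1)
and NSEC-based authenticated denial of existence (RFC 4034 s4 and s6.1).
Signature verification with the zone's DNSKEY is deliberately left out;
the names and times below are constructed sample data."""
from datetime import datetime, timezone


def canonical_key(name: str) -> list:
    """Sort key for RFC 4034 s6.1 canonical ordering: compare labels from
    the rightmost (TLD) label leftwards, case-insensitively, as unsigned
    octet strings; a name that is a prefix of another sorts first."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return [label.encode("ascii") for label in reversed(labels)]


def canonical_lt(a: str, b: str) -> bool:
    return canonical_key(a) < canonical_key(b)


def nsec_covers(owner: str, next_name: str, apex: str, qname: str) -> bool:
    """True if the NSEC record owner -> next_name proves that qname does
    not exist. The last NSEC of a zone points back to the apex and so
    covers every name that sorts after its owner."""
    if not canonical_lt(owner, qname):
        return False
    if canonical_key(next_name) == canonical_key(apex):
        return True
    return canonical_lt(qname, next_name)


def covering_nsec(chain, apex: str, qname: str):
    """Return the (owner, next) pair from a zone's NSEC chain that denies
    qname, or None if no record covers it (the name exists, or the chain
    is incomplete and the answer must be treated as bogus)."""
    for owner, next_name in chain:
        if nsec_covers(owner, next_name, apex, qname):
            return (owner, next_name)
    return None


def rrsig_time_valid(inception: str, expiration: str, now: str) -> bool:
    """RRSIG inception and expiration are YYYYMMDDHHmmSS in UTC. A
    signature checked outside that window is invalid, however good the
    cryptography; 'now' is given in the same format for simplicity."""
    fmt = "%Y%m%d%H%M%S"
    start = datetime.strptime(inception, fmt).replace(tzinfo=timezone.utc)
    end = datetime.strptime(expiration, fmt).replace(tzinfo=timezone.utc)
    moment = datetime.strptime(now, fmt).replace(tzinfo=timezone.utc)
    return start <= moment <= end


# Constructed sample zone: the apex plus two names, fully chained by NSEC.
APEX = "example.test."
NSEC_CHAIN = [
    ("example.test.", "a.example.test."),
    ("a.example.test.", "z.example.test."),
    ("z.example.test.", "example.test."),  # wraps back to the apex
]

if __name__ == "__main__":
    print(covering_nsec(NSEC_CHAIN, APEX, "m.example.test."))  # covered by a -> z
    print(covering_nsec(NSEC_CHAIN, APEX, "a.example.test."))  # None: the name exists
    print(rrsig_time_valid("20100601000000", "20100701000000", "20100615120000"))
```

The point of the NSEC check is that a resolver does not have to trust a bare "no such name" answer: the signed NSEC record names the two existing neighbours, and the query name has to fall between them in canonical order. The time check matters operationally because an HSM-based signer that stops re-signing on schedule produces a zone whose signatures expire, and a validating resolver will then refuse the whole zone.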
This is just one of many types of systems that can aid in an overall security solution. Provided that proper security processes, such as risk analysis, testing and careful administration of the device, are followed, it can ensure a better security posture for mid-sized businesses or greater integrity for financial transactions.Paul Nowakhttp://www.blogger.com/profile/02060430701439440143noreply@blogger.com0tag:blogger.com,1999:blog-3300152784434538766.post-45138869168519977152010-06-01T16:37:00.000-04:002010-06-01T16:37:26.843-04:00"Likejacking" Takes Off on Facebook<a href="http://www.readwriteweb.com/archives/likejacking_takes_off_on_facebook.php">"Likejacking" Takes Off on Facebook</a>Paul Nowakhttp://www.blogger.com/profile/02060430701439440143noreply@blogger.com0tag:blogger.com,1999:blog-3300152784434538766.post-21259361408320612592010-05-31T09:24:00.003-04:002010-05-31T10:18:22.659-04:00Remote AccessI love remote access. It lets anyone from a company connect from anywhere with an internet connection and access company resources. It enables a workforce to tend to business matters without coming into the office. In my opinion and experience, this is one of the greatest things from IT that makes people's lives better. The manager is happy because the work is getting done; the worker is happy since they can finish projects without a care for the time of day, where they physically are at that moment or the weather outside. I live just outside Philadelphia, where the snow can be deep sometimes, especially last winter. 
Remote access enabled me to keep working, right after I shoveled out.<br />There are some distinct security benefits and drawbacks to a workforce that uses remote access, and if it is properly implemented it can create a happier and more productive workforce.<br />Some of the drawbacks include greater difficulty managing patches and updates, and the opening of a portal through the firewalls into the heart of the organization. And although it is completely necessary to let systems administrators connect remotely for maintenance and administration, this is where the greatest security hole is: someone with intrinsic back-door access connecting to critical machines.<br />As for benefits, the workforce is enabled to work with more flexibility from time to time, and will often spend more hours working than if they were in the office every day. The company can maintain a smaller office with a mobile workforce, and doesn't need to have dedicated workspace for every worker. From a security standpoint, remote access gives great resiliency in the event of a disaster, since many processes are location-neutral and the workforce just needs a connection to perform their duties.<br />I think about the benefits from my own experience working on the road, and I'm a huge fan of properly implemented remote access. <br />1. Management must support the reality of workers connecting from on the road. Sometimes the backlog of paperwork (virtual, of course) or other work gets so great that I would sequester myself in my office at home to catch up. If a worker can do that from home or on the road, not only will their happiness and morale improve, but so will the productivity of the mobile workforce, and ultimately this leads to greater profits. <br />2. The workspace must be viable. The home worker needs to have their configuration verified by the IT department to ensure some level of security. 
The workspace must also be free from distractions. I have been working at home for so long now that my children leave me alone, but it took time and effort to get that aspect of remote access from home solid.<br />3. The security process must be included from start to finish. User verification, secure connection protocols, patch management, virus protection updates and notifications, and access control all have to be implemented and managed for remote access to be truly effective. What's the point of having people connect from hotels in several different cities if one of them brings havoc to your core systems?<br />4. Regular review must take place of the time that users spend working from home and of their effectiveness. Logs of connection times can serve as great records to verify production. Most workers will not take advantage, and the ones who would are often kept in line by a procedure that keeps them on the right path. <br />5. Training on time management and discipline should be given on a regular basis. Most of your workers will do just fine from home, and this kind of regular support is often welcomed. I personally am a fan of tricks and tips to help me manage my time since I apply them across the board. 
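As an added example of the connection-log review that item 4 calls for and the access-control side of item 3 (this is not code from the original post, nor from any particular VPN product), the script below reads a constructed remote-access log, totals connected hours per user, and flags two things a reviewer wants to see before anything else: one account connected from two source addresses at the same time, and sessions opened outside the agreed working window. The log format, the user names and the addresses are all made up for the example; parse_line() is the piece to adapt to a real gateway's format.

```python
"""Added example (not from the original post): reviewing remote-access
connection logs for hours worked and for sign-in patterns that deserve a
follow-up. The log format and every entry below are constructed sample
data; adapt parse_line() to the gateway actually in use."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one CONNECT or DISCONNECT event per line.
SAMPLE_LOG = """\
2010-05-30 08:02:11 CONNECT user=alice src=203.0.113.10
2010-05-30 08:05:40 CONNECT user=bob src=198.51.100.7
2010-05-30 09:15:02 CONNECT user=alice src=192.0.2.55
2010-05-30 11:30:00 DISCONNECT user=alice src=203.0.113.10
2010-05-30 12:00:00 DISCONNECT user=alice src=192.0.2.55
2010-05-30 17:45:09 DISCONNECT user=bob src=198.51.100.7
2010-05-30 23:10:00 CONNECT user=carol src=198.51.100.99
2010-05-31 01:20:00 DISCONNECT user=carol src=198.51.100.99
"""


def parse_line(line: str):
    """Split '<date> <time> <EVENT> user=<u> src=<ip>' into its fields."""
    date, time, event, user_field, src_field = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    return ts, event, user_field.split("=", 1)[1], src_field.split("=", 1)[1]


def build_sessions(log_text: str):
    """Pair CONNECT and DISCONNECT events into sessions, and record every
    CONNECT that arrives while the same user is already connected from a
    different source address (shared or stolen credentials, or a device
    left connected somewhere it should not be)."""
    active = defaultdict(dict)      # user -> {src: connect time}
    sessions = []                   # (user, src, start, end)
    concurrent = []                 # (user, time, [sources])
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, user, src = parse_line(line)
        if event == "CONNECT":
            if active[user] and src not in active[user]:
                concurrent.append((user, ts, sorted(active[user]) + [src]))
            active[user][src] = ts
        elif event == "DISCONNECT":
            start = active[user].pop(src, None)
            if start is not None:
                sessions.append((user, src, start, ts))
    # Anything still open at the end of the log is reported as a session
    # with no end; a reviewer should ask why it never disconnected.
    for user, sources in active.items():
        for src, start in sources.items():
            sessions.append((user, src, start, None))
    return sessions, concurrent


def hours_by_user(sessions):
    """Total connected hours per user, ignoring sessions still open."""
    totals = defaultdict(float)
    for user, _, start, end in sessions:
        if end is not None:
            totals[user] += (end - start).total_seconds() / 3600
    return dict(totals)


def after_hours(sessions, open_hour=6, close_hour=22):
    """Sessions that started outside the agreed working window."""
    return [s for s in sessions if not open_hour <= s[2].hour < close_hour]


if __name__ == "__main__":
    sessions, concurrent = build_sessions(SAMPLE_LOG)
    for user, hours in sorted(hours_by_user(sessions).items()):
        print(f"{user}: {hours:.2f} h")
    for user, ts, sources in concurrent:
        print(f"REVIEW {user} connected from {sources} at {ts}")
    for user, src, start, _ in after_hours(sessions):
        print(f"AFTER-HOURS {user} from {src} at {start}")
```

The hour totals are the "records to verify production" from item 4; the concurrent-session and after-hours lists are the access-control questions from item 3 that a weekly review should answer (a second address may be a legitimate second device, but the gateway log cannot tell, so someone has to ask).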
<br />If properly deployed, remote access can offer some serious improvements to the lifestyles of the workers as well as great benefits to the company.Paul Nowakhttp://www.blogger.com/profile/02060430701439440143noreply@blogger.com0tag:blogger.com,1999:blog-3300152784434538766.post-74518247015350504502010-05-25T16:21:00.001-04:002010-05-25T16:21:31.345-04:00Internet Speedtest Results Going Public - PCWorld Business Center<a href="http://www.pcworld.com/businesscenter/article/197068/internet_speedtest_results_going_public.html">Internet Speedtest Results Going Public - PCWorld Business Center</a>Paul Nowakhttp://www.blogger.com/profile/02060430701439440143noreply@blogger.com0tag:blogger.com,1999:blog-3300152784434538766.post-11254198332628600242010-05-25T06:27:00.004-04:002010-07-06T17:38:05.474-04:00Virus Defense for Small BusinessI still remember clearly the morning the first virus got through. It was a pain, having to hit every machine and eradicate the infection, but it was also an alarm that our network security posture had to improve immediately. That particular virus had a payload which deleted pictures, and at the time the company I was working for used pictures heavily on the sales side to help with quotes. The viruses that attack now are much more malicious, and are intended to gather information, take over your PC or network and send information back to the source. I have tracked some attacks to former eastern bloc countries, but many times there are computers relaying information and instructions so it can appear as if the attack is a mile away.<br />The threat has evolved, and if you have not taken this into account when looking at your small business then disaster awaits. Not IF, but WHEN, and usually quite soon. Back when I had Comcast, I decided to hook a PC straight to the internet, without a firewall, just to see what happened. Within 10 minutes the PC was rendered unusable. 
I also watched, while it still worked, the probing of the machine and was amazed at how many different sources were attacking. Automated programs use lists of Comcast IP addresses and relentlessly try passwords, ports, and various techniques to gain entry. If your machine were to get infected, sometimes the only thing it would do is run the automated programs and further the infection, and your PC or server has just become a 'zombie.' As far as you can tell, your laptop just seems to run slower.<br /><br />Basic defense against this type of attack is simple, and very cost-effective. <br /> 1. Implement a firewall solution. Get a good firewall that does Intrusion Prevention (IPS) right at the edge. This allows most attacks to be stopped before they take root. Some large companies use layers of firewalls and other techniques so that traffic is filtered several times, both entering and leaving the enterprise.<br /> 2. Implement a good anti-virus solution on every machine in your enterprise, and make sure updates are regularly applied. Automate as much of this process as possible so that you don't have to remember to update. Many threats can be stopped before they affect you just by having up-to-date virus signatures.<br /> 3. Keep current with Microsoft patches, and other patches for your applications. Often, viruses and malware exploit vulnerabilities in code, and software manufacturers are constantly updating their programs. There are methods of automating this for any business, and this process should be regular in nature.<br /> 4. If your company has the resources, then an Intrusion Detection System (IDS) is also something to consider. These types of systems watch for threats to show up, or for activity that indicates a breach.<br /> 5. Educate your employees. If someone calls on the phone looking for the IT department and asks a ton of questions about your infrastructure, make sure that they don't freely give out all of the information. 
Make sure your employees don't use their business email as their sole email for all things personal and private, and that they don't click on everything in their inbox (people still do it!). This training needs to happen in a formalized setting, be part of the policy handbook and new employee training, and be reiterated on a regular basis. Many, many times the virus will come in because of user error.<br /><br />The cost of the IT department running around fixing the problems on every machine was just one part of that original infection. There was also the lost data and time for sales, who now needed to repeat their efforts and put together quotes based on memory or hand drawings alone. Now the threat can sneak in and take all of your customer information, credit card numbers or any of the other 100 or so proprietary types of data that you safeguard, and use that information in ways it is not intended. Once you have been breached, and this information is leaked, then permanent damage to your business is certain. Your customers trust you, and aside from all other civil and criminal ramifications of a breach, if their information is exposed that trust will never come back. 
Many large-name companies are no longer in existence after a scandal, because their customers took their business elsewhere.Paul Nowakhttp://www.blogger.com/profile/02060430701439440143noreply@blogger.com0tag:blogger.com,1999:blog-3300152784434538766.post-34883357724420990522010-05-24T08:40:00.002-04:002010-05-24T08:45:55.199-04:00Burglar looks good on cameraExample of IP video quality.<br /><br />http://bit.ly/aYV5zDPaul Nowakhttp://www.blogger.com/profile/02060430701439440143noreply@blogger.com0tag:blogger.com,1999:blog-3300152784434538766.post-14202274629754635342010-05-23T11:17:00.000-04:002010-05-23T11:33:15.751-04:00First PostIt has occurred to me on more than one occasion that the digital video revolution in CCTV technology has put a very sophisticated video solution within reach of almost anyone.<br />For many years, CCTV technology meant a huge investment upfront, constant maintenance and a great deal of staff to monitor and review after incidents had occurred. This is fine if you're a Fortune 500 company and have the resources, but smaller companies had a need as well. The smaller company had to pick and choose amongst features, which were often very expensive, and was often left with a less than desired solution.<br />Now that IP video (network-based) has taken over the CCTV market, and now that the Fortune 500 has adopted many of the early incarnations, the prices have been driven down for excellent solutions, available at less than the cost of traditional security offerings. 
Also, since the cameras and recorders are network-based and use the standards and protocols that are almost universally accepted among IT departments, maintenance and upkeep have been taken away from boutique or specialty security vendors and are deliverable at a greatly reduced cost from IT vendors.<br />Features that many small businesses would love to have, such as Object Removed, Motion Based recording and alarms, and POS-integrated video, can make a difference not only when your business is closed, but can also watch the flow of cash into your registers. These types of features turn your passive video system into an active partner that watches for changes and alerts you immediately to problems.<br />Most of this uses off-the-shelf products, so service and upgrades are not proprietary, thereby freeing the small business owner from being locked into a situation of loving the product but having to deal with the vendor.<br />It's the most exciting thing to happen in surveillance, ever.Paul Nowakhttp://www.blogger.com/profile/02060430701439440143noreply@blogger.com0