The Potential Problems:
In this now merged network we can see employees, visitors/guest with tablets, cell phones, pcs, etc.. We need a way to corral, protect, and prevent. The access point may be a Gateway in a bad way; it could be a "rogue access point". Organizations need to determine how to allow access to the network for known resources while blocking those the company does not want to have access. It's a relationship that goes both ways because devices need "protected" status access to and from the network. The APs should be set up so that no malware should be sent or received, a strong password is established for guests and the guest account password needs to change and be easy to convey. Much has been written about simple passwords for account access. Those simple passwords have found their way to access points as well.

The Solution:
Start with the who, what, where and how list.
Ask yourself:
Who needs access? Employees, contractors, guests, those people slowly driving by in their car?
The answer:
Employees get WPA-*.* tied to their Ldap Account which equals authentication, encryption, and allowed destinations. Contractors may have a temporary account linked to another SSID with a similar set up as employees.
Guest and those who are just driving by: What do they get? We know the new 802.11n standard registers some impressive distances.

What needs access?
PCs, tablets, wifi enabled-phones

Where do they(s) need to go?
Printers, Servers, the Internet (with or without filtering). Those guests might need access back to their corporate network.

How are they going to be allowed?
Through Firewall Rules,Web Filter, AV filter, etc.,

So with this short list you can plan, design and execute a Wifi policy that make sense and is enforceable. In our audit required world we need to prove the policy through logging and reporting as well. But that is a subject for another post.

If everyone has access through these networks than it’s probably not that secure. Who then bares the responsibility of securing the customers? I believe the responsibility is shared with the business offering the Wi-Fi connection and the customer who would like to frequent said establishments. From a business side, selecting the right security network device is essential as is selecting the right Wireless Access Point.

Business can look at many security solutions. When looking to secure your Wi-Fi network, I would look at solutions that can service my perimeter, internal and Wi-Fi network. Security companies such as Fortinet, and Astaro (now a Sophos company) provide secure wireless. For instance, Astaro provides a Unified Threat Management (UTM) System that can protect your business from the perimeter all the way down to your internal infrastructure then to your Wi-Fi Network. Astaro has access points, an AP10 and AP30, that directly connect to your Astaro Security Gateway. The Astaro access points can create up to 8 SSIDs. Businesses can then create a wireless security zone for themselves and a separate security zone for their customers. Everyone that connects to these access points, communication over-the-air is encrypted. The access points are directly connected to the ASG so traffic is always inspected coming into or out of the Wi-Fi Network.

Consumers must also be aware of security threats to their personal and financial files stored on their Smartphones. If you have an unlimited data plan, then why turn on your wi-fi? For those who don’t have an unlimited plan, make sure you do have some security software on your Smartphones. Companies like Symantec, Sophos, and Norton offer such protection. They will help you be secured with antivirus software clients to prevent the loss of data and services to malware. This will be important for those of you consumers checking your bank accounts on your mobiles this holiday season.

The evolution of online attacks seems to mirror the progression advertising has taken. In the beginning, hacking was done for fun and hackers were driven by a spirit of adventure. However, some hackers soon realized the potential for personal financial gain their hacking created. Thus the birth of Trojan Horses, keyloggers, and malware distributed via spam messages. Much like television commercials of old, these attacks were broadly distributed; the strategy being to hit as many people as possible in the hopes a small percentage will download the malware.  In general this shotgun type strategy was successful as unsuspecting victims would click on malicious links and had their account information, passwords, or identity sent to a hackers developing databases.  Black-hat hackers could focus on quickly creating simple, and often times, low quality malware and due to the sheer distribution volume this method was profitable.

Just as we are seeing an increase in personalized targeted advertising, we are now seeing the rise of targeted attacks.  In the past this method of hacking was considered unprofitable as it took too long to create a targeted attack, thus reducing the profit margin.  With the lowering cost of producing high quality malware, large customer database breaches, coupled with the surge in hacktivism means we will begin seeing more targeted attacks in the future. 

While the goals of criminal gangs and hacktivists may differ (profit vs. issues awareness), they are using similar tactics – malicious code designed for a specific targeted attack.  The reason for the coming rise in targeted attacks is twofold:
1) targeting certain types of businesses has become a profitable endeavor and
2) social issues are once again spurring hackers into action.

Why is it now profitable to target specific account when it once was not considered a lucrative strategy?  One reason may be the success security professionals have had with educating employees and technology users regarding online threats. It isn’t that the creation of high quality malware has become easier, it is that getting users to fall for their scams has become more difficult, making broad based attacks less profitable. As a result, hackers are finding it more profitable to target a specific company or organization with an attack designed to steal data.  These attacks are harder to defend against as they often involve rather sophisticated social engineering approaches and often times are harder for common email spam scanners or content filters to detect. They depend on SQL injections and the infection of web applications or common social media sites such as Facebook rather than spam or malicious websites.

On the other side of the spectrum are hacktivists who are targeting a specific organization, not for profit but for social awareness. These socially minded hackers know that a high profile security breach can damage the reputation of a socially irresponsible organization or bring down the network of a company the hacktivist feels is responsible for some injustice. It is the technological equivalent of protesting outside of the organization’s office and even more effective as it can quickly generate a global media buzz online when successful.

The number of targeted attacks will only increase in 2012 as users become more aware of broad based threats, hacktivists become more active and black-hat hackers create more sophisticated malware.  For the general consumer and business watching for these new approaches and taking control of your security policy enforcement should be a focus for your New Year’s resolutions.

Resolution No. 1: I will not access the Internet without up to date malware protection and an installed firewall and antivirus

Why? Last year150,000 malware attacks were registered* daily! If only everybody would install sufficient security software, this threat would be minimalized.

Insider-Tip: Complete home network protection doesn’t need to cost big bucks. Secure your own network for free with our software!

Resolution No. 2: I will not click on tinyURLs, hyperlinks or links of unknown origin without investigating first.

Why? Even if you think you know the sender or the site, this won’t guarantee your safety. 80% of these URLs stem from former legitimate pages, which were either hacked or infected.

Insider-Tip: Computer and security threats made easy! Learn more about what is out there in our threatsaurus! (PDF)

Resolution No. 3: I will update my security software package regularly and with a watchful eye!

Why? Fake antivirus software and SEO poisoning are the number one way malware is spread. Therefore stay alert and don’t blindly install updates, make sure they are from your provider. Otherwise, you are opening the door for new security breaches.

Insider Tip: Take the threat detection test. Download our free computer security scan!

Resolution No. 4: I will not wait until my laptop is stolen or lost before I encrypt data!

Why? Loss or theft of hardware makes up 30% of all data loss scenarios. Do your best to physically protect your hardware, but also make sure information is encrypted in case these precautions fail.

Insider-Tipp: Quick and easy encryption for all your data. Download our free tool here!

Resolution No. 5: I will stop using “password” as my password

Why? In 2011, passwords such as “password”, “123456”, “qwerty” and “abc123” were still topping the most used passwords list*. Moreover, 67% of all mobile device users haven’t installed any password protection at all. A secure password can go a long way towards protecting your data.

Insider-Tip: Simple tips for better security. Take a look at this video about the perfect password! 

* Sources: Sophos Security Threat Report Mid-Year 2011, Data Loss DB, TNS

Hidden dangers of free expression

Social media sites have created a wide awareness of world events and changes, beyond that available from the typical media news outlets. With these new outlets, however, come many hidden dangers for political parties, businesses and individuals, as access to their websites, online profiles, Twitter feeds, contact lists, and business Facebook sites allow for another type of expression by discontented and tech-savvy users. These users, who portray themselves as social advocates for justice and change in society, practice what is called “hacktivism.”

Although many individuals see hacktivism as a relatively benign form of political expression on the Internet, no different than a common street protester holding a sign in front of city hall, the actual act of hacking a user’s account or site is in fact a criminal offense. And the organization affected can suffer dramatic reputation losses, due to negative perceptions by their clients or other companies about their lack of security.

Public relations nightmare

Security for a business’s social media accounts is generally regarded as a low priority for many companies. Access to Twitter feeds or Facebook sites is often given to a marketing team or the new intern who understands the power of reaching customers with these sites.

The danger of these sites, however, is that having access to all of those customers means that communication with them can be greatly affected by the loss of a simple password. Once an account has been compromised, the online presence is quickly tainted by a hacker’s chosen political or social message. These messages, unlike a typical attack against a web server or individual user’s email account, are wide-open and immediately known by the online community, creating a public relations nightmare exercise (after the account is reclaimed) on calming users regarding the security of their data. After all, if you can’t keep your marketing team’s password secure, how secure can you keep users’ accounts and credit card information?

Protecting your accounts and servers

Mitigating exposure of your accounts and systems to hacktivism (or hacking in general) should always be part of a comprehensive security strategy. A few important parts to this strategy:

• Access to social media accounts such as Facebook or Twitter feeds via your corporate account should be limited to specific personnel and governed by a policy of password enforcement and rotation.
• To limit downloading of malware (such as key loggers or password grabbers) from your users, a web content filtering system should be used. Such a system will enforce safe website access as well as scan for malware and viruses that could give a hacker account information or remote access to a user’s system.
• Always ensure that web servers and public-facing portals are protected behind an active intrusion-prevention system or web application firewall that actively scans content uploaded or downloaded from your websites.

An effective security policy, with centralized enforcement through the use of a Unified Threat Management system such as the Astaro Security Gateway, will help your organization to avoid becoming a targeted political victim.

Firewalls, routers, intrusion prevention systems, web content filters, mail gateways, application servers, authentication servers, host-based intrusion prevention, end point client software.

The list of devices and applications that generate security logs already seems endless, and yet the list continues to grow as new security tools are used in response to the ever-evolving threat landscape. These logs often produce enormous amounts of information and are delivered in a variety of formats making it very difficult to gather useful information or troubleshoot a problem.

Making the situation even more difficult is the fact that many organizations now have remote offices and workers with equipment and logs of their own. These systems and applications must also be monitored to ensure you have consistent security across your organization, and that your remote users and networks aren’t a security weak point that could lead to exploits. Managing, maintaining and making sense of all this information is a daunting task for any organization, but can be especially challenging for smaller organizations with limited budgets and IT resources.

Despite these challenges, an effective log management strategy is a critical piece of any organization’s IT security program, and used properly, log management can help you make better decisions relating to IT resources, purchasing, and the overall security and health of your network.

The enormous amount of information that IT systems generate can be used to fix issues, provide audit trails and baselines, and proactively prevent problems. This information can also be used to maintain or achieve compliance, and storing logs for long periods is often a requirement. How to do so properly is one of the major concerns for any organization implementing a log management program.

Organizations that wish to implement an effective log management strategy need to first define their goals and requirements. Is the goal compliance, problem analysis, network monitoring, IT security? If your goal is just to monitor network equipment and/or troubleshoot security issues, then having IT staff handle log management may suffice. However, if your goal includes all of the above, you may need to split up log management responsibility across different departments or teams to ensure that the proper resources have the information they need.

Once you’ve defined your goals and understand what information is needed and who should be responsible, you can confirm which types of logs are available to fit these needs and what may be missing. This will help you determine if another solution or perhaps some specific information is needed to achieve your goals. Perhaps HR needs to monitor web usage by user name, but that information is not currently available on your web filtering device. It may be that a fairly simple configuration change is needed to gather this information, or it may be necessary to re-evaluate the product you’re using.

Understanding what information is needed will also allow you to start thinking about how much storage space is needed for these logs, and whether it’s acceptable to overwrite old logs once a certain time period has passed.

The next step is to determine what will be done with these logs, how long they’ll be stored, and if there are any special requirements such as encryption. Many logs contain sensitive information such as user names and sometimes even passwords, so securing these logs is a very important consideration. If you’re gathering logs from different locations you’ll also need to ensure that this information is protected while in transit. Once you have the logs, will they be actively monitored for events or should they be stored in case they’re needed? If storing logs for future analysis, thought needs to go into how easily archived information can be gathered.

Once you’ve figured out your goals, responsible parties, and what information is needed, you can start to determine which type of log management solution is best for your organization. Fortunately, there are many different options out there for companies developing their log management infrastructure. A variety of open source and commercial applications can help aggregate and parse logs from different vendors and systems, and new cloud-based solutions can offload tasks such as data security and storage and provide redundancy to protect your data. Choosing the right solution will depend on many factors such as cost, complexity and features, but understanding your goals and needs will help guide you in the decision-making process.

As with any IT initiative, support for an effective log management infrastructure must come from the top, so that everyone in the organization understands and supports the goals. This can help avoid log management becoming the afterthought for an overworked IT staff and can help add real value to the organization.

We've also seen 19,000 new malicious URLs each day in the first half of this year. This makes a new internet threat every 4.5 seconds. Even worse, 80% of those URLs are legitimate websites that were hacked or compromised. Another focus of the survey is the fast growing usage of mobile devices, whose security risks are commonly underestimated by now. Speaking of accessing company resources via mobile devices, Blackberry is number 1 with 73%, Windows (63%), iPhone (57%), Android (48%) and iPad (47%) are following. However, only 69% of the companies have published usage guidelines for company owned mobile devices. Even more alarming is the number as far as private mobile devices of the employees themselves go; Only 31% of the companies publish a proper guideline for this very common scenario.

More information can be found here (You can download the whole report after submitting your name and email address).

While increasing the number of doctors in rural regions is the ideal solution, there are alternatives to solving this pressing issue. One such solution is implementing Telemedicine or telehealth facilities. A recent study from UMass Memorial finds that telemedicine can help improve ICU patient care.

Given the need for rural doctors and the potential for improved patient care telemedicine presents we would think more and more hospitals would jump at the chance to implement telemedicine policies and procedures. However, like any new idea there are barriers to this possibility. According to Dr. Jeremy Kahn who was quoted in a recent blog post by Boston.com’s Liz Kowalczyk, “while telemedicine programs have exploded in the past decade, studies of the benefits, especially in ICUs, have produced disappointing results. Policy-makers have questioned whether this expensive technology is useful at all, if it just drives up health care costs without showing a payoff of improving care.”

As with all industries medical organizations face challenges when choosing and deploying the technology that is ever more relied upon to diagnose and care for patients. These new solutions come with the burden of new training, integration hurdles, and of course have a price tag that organizations are increasingly concerned about in these trying financial times

The key here seems to be “expensive technology”. If we can lower the costs of the technology needed to connect healthcare facilities, secure patient data and monitor patients’ statuses remotely then telemedicine becomes more of a reality than wishful thinking. Unfortunately the technology necessary to create secure connections can be costly, especially when it comes to managing the technology. What good is a remote monitoring tool if it needs a full time IT administrator to make sure it stays connected?

The technology industry needs to partner with the healthcare industry to find realistic ways of connecting remote/rural healthcare facilities to doctors in more populated areas. This way we can ensure all patients are getting the best care possible. It may not be as ideal as recruiting doctors to practice in these rural areas, but it is the next best thing.

While Telemedicine programs are unique to the medical field, the criticisms and concerns are all too common when it comes to technology, and the challenges faced by administrators and IT staff can be found in most businesses today. How do we provide secure business critical services while being cost conscious.

One solution may be to use a configuration-less device such as Astaro’s RED which offers simple ‘plug n play’ connectivity which can allow remote medical professionals the ability to help care for patients while not being physically onsite. These solutions make it possible to set up a remote healthcare facility and monitor patients from afar. Solutions like Astaro RED, along with the proliferation of broadband and electronic medical records may make telehealth a reality.

For the past ten years Astaro has grown and developed to become one of the leading network security companies in the market. This growth is in part due to our strong product line and singular focus to provide easy-to-use security solutions, but it is also due to our involvement in the security community.

For the past several years, Jack Daniel has pushed Astaro to be more involved in the security community first as a Support Engineer and then as our Community Development manager.

Jack initiated our involvement with organizations such as NAISIG and the Security BSides un-conferences. He helped drive our social media initiatives on Twitter and was a frequent visitor and contributor to our Up2Date blog and Astaro Security Perspectives blog.

When Jack informed us that he would be leaving Astaro, it was clear this decision came after much thought and contemplation. The position that awaits him at Tenable Network Security will offer new opportunities and challenges and we respect his decision. We are disappointed to see Jack leave, but we are excited for the opportunity that awaits him in his new role and understand that sometimes great people are hard to keep – no matter how hard you try. It is no surprise that another company recognized Jack’s abilities.

Astaro will continue to participate in the Security BSides conferences as well as the other programs Jack worked on. We are still committed to the security community and look forward to interacting with Jack during these events. His direct contributions to Astaro will be missed, but as long as he is involved in the security field we all benefit from will knowledge and perspectives.

Goodbye, Jack, and good luck.

Properly deployed for appropriate purposes, cloud computing can be fantastic. I have moved most of my lab systems to a cloud environment and it has provided a huge improvement in my ability to test systems and deliver demonstrations. Astaro uses cloud systems to deliver content and services for partners and customers more effectively that we could with internal resources. But, cloud computing is not for everyone, or for everything. You just need to research, plan, and migrate wisely.

There are a handful of very good cloud computing security documents out there, here are ones I recommend (some are pretty big PDFs):

Start with the NIST definitions doc, it is only seven pages, and only the last two have the actual definition. It is not “security specific”, but is sets a common terminology for the rest. Download it here (PDF).

My new favorite cloud security reference is from the Australian Defence Signals Directorate; their Cloud Computing Security Considerations is great resource and a great conversation starter for those considering a move to cloud computing. (It is 19 pages and an easy read, too). If you read only one, read this. And share it. Download it here (PDF).

For more meaty discussions of cloud security, it is hard to beat the documents recommended for those preparing to take the Cloud Security Alliance (https://cloudsecurityalliance.org) CCSK (Certificate of Cloud Computing Knowledge https://ccsk.cloudsecurityalliance.org) exam:

CSA’s own “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1” (download the PDF here) is not a light read, and is enterprise focused, but has a lot of good information. The other study document is the ENISA “Cloud Computing Risk Assessment”. It is also not a quick read, but has more small- to mid-sized business focus (reflecting its European origin).

Speaking of CCSK, it is an interesting certification. I’ve recently passed the exam, and heartily recommend the study material- but the certification is probably of limited value to most people until “cloud” is better understood. As you would expect, CSA has an enormous amount of information on their site, covering a myriad of cloud concepts.

A couple more references for those of you who want a broader understanding:

NIST also has a “Cloud Computing Reference Architecture” (download the PDF here) which needs some help in the area of readability, but is a good resource, especially for the discussion of cloud computing roles.

OpenCrowd’s Cloud Taxonomy (http://cloudtaxonomy.opencrowd.com) is useful for help in categorizing cloud products and services and for understanding the categories.

This is by no means a complete, or even exhaustive list; but it is a good set of resources which should be helpful to those considering a move to cloud computing (or to those already in the clouds, but afraid of heights).

LinkedIn
Possibly the most ‘professional’ of all the social media sites, LinkedIn offers VARs some unique ways to reach your target audience. One way would be to start a professional group within LinkedIn that encourages members to initiate discussions and post news about that particular topic. For example, there is a marketing professionals group on LinkedIn where members share ideas about new marketing techniques, share stories and even pose questions about their own ideas and ask for opinions or suggestions for improvement. Creating this type of group would position your company as an expert in your area. If a group already exists which is a good match for your company; join the group and become an active member. Have a designated person start discussions and respond to others. It will only help elevate your company’s profile.

Facebook
Many business people view Facebook as the toy of the social media world. However, even business to business organizations like VARs can use Facebook as a marketing tool. Facebook is widely popular so why not use a tool that people are already using?

One way is to start a “fan page” that Facebook members can “like”. Then post links to industry news, post company news and events and again start conversations about topics you customers would find interesting. This keeps your company connected to your customers, potential customers and industry enthusiasts. Your company can also “like” the fan pages of the vendors you work with so your information is linked to theirs, increasing your exposure.

A second way to use Facebook is to create highly targeted pay-per-click ads. These ads work much like Google AdWords but instead of targeting keyword search terms they target a person’s profile information. So if you sell network infrastructure technology you can have your ad shown only to people who have IT in their job description. If you only operate in a certain area you can add qualifiers to better target your demographic using information supplied by the potential customer. Ads are relatively inexpensive and can run as long or a short a period as you desire. You can use Facebook to drive registration for an upcoming event or advertise a new product that you now offer.

Twitter
Many businesses have a difficult time finding the appropriate way to use Twitter. The character limitations along with its social nature lead some to believe the tool is better left to celebrities and teenagers. Once again, with a proper strategy Twitter can be successfully used for marketing and PR campaigns. The key is to use key terms people are following or trending terms.

For example, if your company is attending a tradeshow, tweeting about what is going on at your booth and using a hash-tag (#) along with the name of the conference will alert people looking for information about the conference you are there.

As your company’s account gains followers you can post links to new blog posts, promotions, news stories and so on. As long as your twitter feed doesn’t become overly promotional people will continue to follow you.

YouTube
At one point 75% of all searches on Google brought back video results from YouTube. These videos are often entertaining but they can also be informative. Posting short videos about your company’s services or products they offer can be a great way to get to the top of the search pile for a particular term. Also, you can link to these videos in marketing materials and embed them in your website create a more interactive experience for those looking for information about your company.

One caution: many companies salivate at the idea of creating a viral video and hold focus group and brainstorming sessions to come up with the corporate version of “squirrel on a skateboard” video. This is against the nature of viral videos, they tend to be spontaneous, entertaining or even gag inducing. If you are trying to make a viral video that is really an advertisement ask yourself if this is something you would normally forward to your friends.

With a little creativity, patience and thought any VAR can use these tools to help improve their marketing and increase their organization’s visibility.

Here are 6 easy tips on how to do that - whether it is a home or business WLAN:

Use WPA2 encryption – Older security options like WEP can be broken in moments without special equipment or techniques using something as simple as a browser add-on or mobile phone application. WPA2 is the latest security algorithm which is included with virtually all wireless systems, and should be selected from the configuration screen.

Have a password longer than 10 characters – Even newer encryption schemes like WPA2 can be compromised using attacks which employ an automated process to try billions of possible passwords. Longer passwords don’t need to be hard to remember. Using a phrase like “makemywirelessnetworksecure” instead of a shorter, more complex password like “w1f1p4ss!” offers far more security, as the computing power to test and break such a long key cannot be realized.

In your password, add numbers, special characters and use upper and lower case characters – Complex passwords increase the amount of characters which must be considered when performing password cracking. For example, if your password consists of 4 digits and you only use numbers, there will be 10 times 4 (10,000) possibilities. If you additionally use the alphabet in only small cases, you will get 36 times 4 possibilities (1,6 million). Forcing a cracking program to choose from 104 characters times 11 digits results in 15,394,540,563,150,776,827,904 possibilities. This increases the time needed to crack such a password from seconds to millions of years.

Don’t use standard SSIDs – Many wireless routers ship with a default wireless network name (also known as the SSID) like “netgear” or “linksys” which most users do not bother to change. This SSID is used as part of the password by the WPA2 encryption. Not changing this allows hackers to prepare password look-up lists for common SSIDs (rainbow tables) which speed up the password cracking process drastically, enabling them to test millions of passwords per second. Having a custom SSID drastically increases the work and time needed to attempt to compromise your wireless network.

Leave personal information out of your SSID – You don’t want to give hackers a way to know that your network is worth trying to compromise. Putting “John’s House” as the SSID provides information which might be useful to a nosy, tech-saavy neighbor or someone targeting your business. Don’t give hackers a way to see whether a wireless network is yours, or the one of the shop around the corner, use something vague which doesn’t identify you or your location.

Tune the range of the radio – Modern access points have multiple antennas and transmit power, letting their signal reach far beyond the walls of the places they are providing access to. Some products let you adjust the transmission power of the radio using menu options. This provides a way to limit how far outside your location someone can pick up your wireless signal and work on compromising your network.

For companies, however, the tips above are a good start, but of course they have a greater challenge to master and business oriented wireless security solutions are generally still inflexible, expensive and complex. It would be fatal though to fall back on consumer products as they naturally provide a much lower level of security than enterprise solutions! If you are searching for a wireless networking solution for your business that is secure and easy to deploy, check out Astaro Wireless Security.

Train yourself, or get trained
All vendors should offer courses to partners to get them up-to-speed on their products and services. These trainings can be a combination of in person, on demand, videos, or even full day courses. These training session can help you better understand the products you are now offering and in some cases offer advice on how to attract particular types of customers that you may wish to target. Whatever the vendor offers you should take advantage of it.

Talk to other members of partner program
When joining a new partner program it is wise to get to know the other members of the program. They will offer insight into the vendor’s practices and policies as well as tips on how to be successful with this vendor. If you chose your partner program wisely the vendor won’t be over distributed so other partners won’t view you as a threat or as competition. Instead you will be able to collaborate with other partners on a consistent basis and work with one another for mutual success. Start getting to know other partners when you first join the program and you will make valuable business contacts that will help your business thrive in all different aspects.

Become an expert on how products serve particular vertical
It is not enough to understand how a product works; successful partners also know how the products solve specific problems. If your company already has a specific vertical expertise, ask the vendor if they have messaging or information about their product satisfying the needs of that vertical. Customer success stories are another great resource. Ask if they have any customer stories that can be shared and talk to the partners you are developing relationships with to determine if they have any customer references you can talk to so you can understand their needs and how this product satisfied them.

Take advantage of marketing dollars and resources
And finally, once you join a partner program ask to set up a meeting with the marketing department to discuss what kinds of programs they offer. Events, email marketing campaigns, co-op dollars and other programs designed with you in mind will only serve to help you find more customers. Take advantage of these opportunities and watch your business grow faster.

Nick’s focus is on helping organizations communicate effectively with law enforcement when they suffer a breach or have other reasons to turn to law enforcement. Making the leap from traditional police work to investigating and prosecuting computer crime isn’t easy, and both sides of the conversation could often use some help- that is what Nick is trying to facilitate.

Adrien’s objective is more broad, he is trying to drive creation of a Canadian response team or teams to help organizations deal with a variety of computer incidents, and to foster information sharing.

At some level, both of these goals boil down to “who do you call when things get ugly?” which in turn really boils down to “who do you trust?” The time to ask (and more importantly, answer) these questions is not during a crisis. If you are in a large enterprise, internal security and incident response teams should already have contacts in the corporate legal office as well as in regional and national law enforcement. In smaller organizations, you may not have anyone who knows who to turn to if (when) something bad happens.

Where can you turn to start building your web of trust so you know who to call in a crisis? Every organization and situation may be different, but here are some suggestions.

1) Start with your existing personnel, ask who has resources and recommendations, and share the information. If your organization uses an external incident response company, ask them for advice.

2) Think about the groups and organizations you belong to (or should). Local ISSA, NAISG, InfraGard or other groups are great places to start this discussion. The groups may be Information Security related, or may be specific to your industry. You may also meet people at conferences or other industry events who can help you. Just make sure you solidify contacts before a problem happens, sending an email to a mail list trying to find “that guy I met in Las Vegas- we talked about data breaches” is not the best way to react to a crisis. Keep in mind that your organization’s management and legal counsel should be consulted before you take any action or set policies.

Don’t wait until you have a crisis to think about who you can turn to. And make sure others in your organization have the information, too- because emergencies may happen when you are not available.

Note: if you are interested in either of the projects mentioned above and you would like an introduction to either Nick Selby or Adrien de Beaupre, please send a message to me at jdaniel at astaro.com and I will be happy to connect you.

Layered Defense

Firewalls and IPS systems still have their place and can help guard against simple exploits and Denial of Service attacks. To properly protect valuable web application servers though, an actual Web Application Firewall should also be used. A WAF works by examining the application layer to protect against common web server attacks such as cross site scripting and SQL injection attacks. These types of attacks are not caught by standard firewalls and IPS solutions, and most WAF's also function as a reverse proxy. This has the added benefit of making sure traffic from the Internet is not just 'passed' through to your servers, but is instead stopped at the WAF where a new connection is made on its behalf. This has the additional benefit of allowing for other advanced features such as malware scanning, and SSL offloading. Note that if credit cards numbers are processed on your web server you probably fall under PCI regulations, and may be required to have either a Web Application Firewall, or a code review to ensure you're not susceptible to common exploits.

In addition to having a WAF you can also try to protect your web servers using a few other techniques such as:

Separation of resources
Install web application servers in a protected DMZ which has no access to the local LAN or internal users. This prevents opening up the entire organization to threats should a successful exploit occur.

Know your network and how it appears to others
Review what information is available to would be attackers. The less unintended information available, the better. Review public DNS records to ensure only valid corporate information is available and no personal employee information is listed. Attackers may use public information about an organization and its employees to help launch a socially engineered attack. Check web server responses to make sure information about Operating System, application used, etc. are not available. Review error pages to ensure no useful information is given out such as local machine name or directory structure.

Limit responses to probes/errors
Eliminate bad requests instead of just responding to them. This cuts down on the information provided, and helps to avoid filling up logs which could result in a resource issue or downed server.

Vigilance
Monitor logs and reports for signs of anomalies, attackers, etc... Are the same IP's constantly probing your system? Do you constantly see the IPS reporting ISS exploits? Knowing what others are doing is important so you can ensure your defenses are sufficient. It may also help you spot things you missed in your network review.

Active Review
User NMAP and other tools ensure only allowed ports are available. Understanding what ports are open on web servers, and what IPs are visible via the internet is important in understanding your environment. Ideally you want to deny all traffic and only allow specific ports/applications to and from your servers.

Honey-pots/Misdirection
Another tactic may be to use probing information to your advantage. Using decoy names and information in public records and for error messages are 2 examples. If you find someone trying to contact that fake name or attacks are launched based on that misleading info, it can confirm when someone is probing your defenses. Deploying a honey-pot is another method so that you can further analyze intrusion attempts. Be careful with this method though as it may invite more aggressive attacks when attackers find out they've been fooled.

The term hacker is difficult to describe as it has so many different meanings and connotations. It was first used at MIT (Massachusetts Institute Technology), which held the first courses in computer programming and computer science. A group of students started to call themselves hackers because they were able to create code that made computer programs perform actions that were not originally intended. In the beginning, hackers were driven by something like a spirit of adventure. There was this new technology, this World Wide Web evolving quickly, and people wanted to discover what was possible. They wanted to test their own limits, create chaos or simply destroy property. The reason to do something was “because I can”. The first malwares crashed PCs, deleted hard disks and let Pacman appear on the screen. Their victims helplessly watched as the hackers demonstrated their abilities by inflicting damage while staying incognito, at least outside the hacker scene. This was the era of script-kiddies using simple malware coded by others in their bedroom.
But soon, the motivation for hackers started to change. What began as a recreational activity was then and still is driven by commercial goals as hackers realized that they could actually make money with their abilities and knowledge. A real market had developed, offering several ways of making money. Depending on which way they chose, hackers can be classified in several categories. The best known classification refers to classical western movies: the white and black hat.

A white hat hacker uses his know-how for non-malicious purposes, for example by working as a penetration tester within a contractual agreement or by searching for vulnerabilities in operating systems or applications and selling them to the vendor. On the other hand, black hat hackers break computer security or use technology like a computer or a mobile phone for credit card fraud, identity theft, piracy, or other types of illegal activities that earn them money.  Or they offer their method for renting or leasing, e.g. if they “own” a strong botnet and have others pay for spam floods or targeted denial of service attacks, which is also often preceded by blackmailing.

The most important difference between the money earning hacker of today and the script kiddie in the past is that the former does not want to be noticed. Back then, hackers wanted fame (for their hacker alias). They felt their capabilities should be recognized or even feared. Today, hackers attempt to stay invisible and want their hacks to remain unnoticed as well. Often weeks or even months go by until their victims realize something is wrong. Modern malware is installed unnoticed and works in the background of a system. The reason is: The longer it takes to detect an infection, the more money can be earned.

We are now at the edge of a third evolutionary step. In summer 2010, the term cyberwar became popular in the media, and the discussion was fueled by the discovery of Stuxnet, the first known worm that spies on and reprograms industrial systems. The actions of hackers now have a new motivation besides the longing for fame or money: Political motivation. There are hackers that follow their own political interests and views, like the hacker Jester, who claims to be responsible for the DDoS attacks on wikileaks that brought down their internet connection – Jester stated that wikileaks endangered “the lives of our troops, ‘other assets’ and foreign relations”.

Other hackers sell their abilities and resources like botnets to political players, whether they are political organizations or even governments. Some nations are suspected to have set up dedicated departments for cyber espionage or sabotage, while other nations are known to have set up dedicated departments to defend themselves against this new threat, e.g. the Pentagon’s Cyber Command (Cybercom) that is responsible for safeguarding the American military network. It is easy to imagine that those departments hire hackers– hackers, who see themselves as kind of cyber mercenaries, working for the political party that pays the most, or who dedicate their skills to a cause in which they believe, and operate in stealth. It is rumored that Stuxnet was a first shot in the dark by an unknown party, aiming at sabotaging not only production plants, but even nuclear power plants.

But still, there are also the good guys:  The security industry, engaged software vendors, white hats and non-profit organizations like CERT, SANS or MITRE and more. There are and always will be hackers that deliberately put on the black hat, for fun, money or politics, but there are and always will be those wearing the white hat. As the bad guys develop, so do the good guys. This is a cat-and-mouse game, with no model or theory telling us that there will be a final winner instead of an ongoing race.
 

Within the Astaro Security Gateway (the Astaro flagship product) come efficient but granular policies that restrict or allow access to network resources. This starts with packet filtering rules and IPS, continues with security and productivity settings for e-mail (think about spam!) and ends with elaborated settings for web security. This also includes remote offices connected via RED as well as mobile clients connected via WLAN.

For example, let’s choose "wikileaks" (http://twitter.com/#!/wikileaks), a web site which has existed since 2006, but which has just recently gained massive attention.

There are people who think wikileaks is a criminal, or even a terrorist organization. Others praise it for releasing classified documents of governments, institutions and associations that try to keep them secret and non-public for various reasons, therefore increasing transparency.

The ASG gives you the option to make your own choice. For example, if wikileaks is classified into a blocked category within your profile, you are able to disagree by doing one of the following:

• Clicking in Version 8 on Unblock URL (will be logged) and authorize yourself to get access
• Adding  "wikileaks.*" to Web Security >> HTTP/S >> URL Filtering >> Always allow these URLs/sites
• Creating a new exception list under Web Security >> HTTP/S >> Exceptions, adding "wikileaks.*" and marking URL Filter as check that shall be skipped
• Adding "wikileaks.*" to Web Security >> HTTP/S Profiles >> Filter Actions >> Always allow these URLs/sites, if you manage different profiles

For every rule, there is at least one exception. It is up to you to make the choice!
 

Most businesses these days recognize the value in using web proxies to protect their users and to scan and control web content. These tools and procedures protect users from malware, SPAM, and other types of threats, and protect business owners from financial loss which could result in liability issues relating to stolen data or inappropriate content. Business owners understand that investing in web security tools is necessary to protect both their users and their businesses from the many threats on the web today.

As an integral part of the business Web servers deserve at least the same level of protection due to the sensitive information they often hold such as credit card numbers and customer data. Protecting valuable resources like web servers is often done through a combination of location (a secure DMZ), firewall rules and IPS scanning. These tools help guard against some attacks, but may not be sufficient protection against sophisticated attacks such as SQL injections, cross site scripting, and may not protect a site from malware and viruses.

These types of attacks are increasingly seen in the news, and it’s not only small companies with overworked technical staff that are affected. High profile attacks on companies such as AT&T, and Heartland payment systems show that all types and sizes of businesses are vulnerable, and the results can range from bad publicity (which can scare away potential customers) to loss of market share and lawsuits. Nothing spoils the holiday season like finding out that your credit card number was used to buy someone else’s nice gifts. While there is never a good time to suffer a web server breach, the holiday shopping season is a particularly bad time as this is when most consumer shopping is done.  You don’t want people to be wary about shopping on your website because of a past breach.

Properly defending a web or application server is best done by using an actual Web Application Firewall which can act as an inbound proxy, and which prevents clients from directly connecting to your web servers. This separation not only provides protection, but can also provide application load balancing and SSL offloading.  Common security tools such as malware scanning can be augmented with advanced protections such as URL hardening and cookie signing, and these tools can help protect even an improperly configured web server against attacks.

Online commerce is serious business and so it requires serious protection. Until recently these tools were available only to larger organizations which had the technical knowhow and financial resources to implement them correctly. New offerings from many UTM providers (such as Astaro) are making these invaluable tools available to businesses of all sizes.

So as the holiday shopping season begins don’t let your web server fall victim to an attack or you may find your online revenue shrinking when it should be growing.
 

More information about this can be found here: http://www.scmagazineus.com/astaro-security-gateway-v8/review/3348/

Daniel is an active participant in the organization, planning and promoting the BSides events throughout the United States and Canada. This is the first Security BSides event to take place in Canada and will feature prominent Canadian security experts.

For more information about the event, please see the official press release.

Stuxnet uses four previously unknown exploits in Windows, not all of which have been patched by Microsoft to this day. To find even a single flaw in Windows requires immense know-how, time and effort, and hackers will happily invest their free time in these projects since such a Zeroday exploit is estimated at a quarter of a million Euros on the black market. The fact that the developers of Stuxnet detected four previously unknown exploits at once shows that we are not dealing with recreational hackers, but with people who have know-how and resources at hand – a dangerous combination.

The control systems in question that are targeted by Stuxnet are often not or insufficiently protected, as they have no connection to the Internet and work independently. Today however, we have to act on the assumption that any computer can be infected. Even if a computer has no direct access to the internet, as is often the case with control computers for production plants, it is still part of a network and connected to other systems. What is really clever with Stuxnet, is that the Trojan enters the corporate network at one point and then spreads further through its own initiative via the network using different methods. This process continues until it locates a computer that has installed the required software - in this case the WinCC.

A further problem is that manufacturers of industrial plants are on the same level in terms of security as Microsoft was ten years ago. Back then, Microsoft hardly paid attention to security. For industrial plants, their focus is on uninterrupted operation and security is secondary. An example: Even after learning about the Stuxnet infection, Siemens advised its customers not to change the default passwords in the system, as this could affect the ongoing operation of critical systems.

The security of a company is only as strong as its weakest link. Since divisions and sub networks are interconnected, it is not enough to look at parts of a company or to introduce different measures for different segments. For example, a minimum requirement is a company-wide password policy, which forbids the use of default passwords for the current operation.
 

Google data collection scandal reveals careless approach to security at WiFi access points 

The news that Google saves unencrypted content from WiFi networks as it collects data for its Street View mapping service is creating an uproar among the public. More and more data protection specialists are leveling harsh criticism at the company. Wrongly so, what is so alarming about the Google WiFi scandal is not the fact that data was collected. The central problem lies elsewhere. There are numerous unprotected WiFi networks in the United States and the Google issue has made people aware of how carelessly they treat their data on a day-to-day basis. The fact is Google did not ‘hack into’ any of these networks, nor did it access this data through illegal methods. The Street View cars simply collected data that was, metaphorically speaking, ‘floating around in the air’ already. In any case, the company did no more with this data than save it. Anyone with a reasonable grasp of technology can collect WiFi data these days!

Easier for private households
It is not difficult to protect wireless access points. In recent years, many manufacturers have marketed secure consumer solutions aimed specifically at private households, which can be configured at the touch of a button. However, it is not so simple for businesses. They have different requirements and enterprise wireless security solutions are generally still inflexible, expensive and complex. As a result, companies either forego WiFi altogether, despite its business benefits or they rely on cheaper consumer solutions. This can be dangerous, as these versions naturally provide a much lower level of security than enterprise solutions.

One size doesn't fit all
An enterprise solution should be able to do more than manage an access point centrally, for example. It should also be able to support strict authentication in relation to Active Directory, for instance. Secure, convenient guest access is also a standard feature of an enterprise solution. If a company opts for a consumer product, there is no guarantee that it can be securely integrated with the operating environment and the security policy. It is particularly important to ensure that a WiFi security solution fits seamlessly into the security infrastructure in place, including features such as the firewall, VPN, and content filter.

There are means of securing WiFi access points. The next few months will see major progress in the development of simple, affordable enterprise solutions. For instance, in the third quarter, we plan to release Astaro Wireless Security, a plug-and-play WiFi security solution that is quick to install, can be managed centrally, and provides all the necessary security functions.

From a security perspective, it is less important to ask whether Google was right or wrong to collect data. Instead, WiFi users should ask themselves whether they wish to continue to leave their poorly protected or even unencrypted data ‘lying around’ or whether they would rather take action to prevent others from accessing it.

Some employers are still resistant to allowing their employees to work from remote offices – far from the eyes of management. For many managers the concept of telecommuting conjures images of employees in their pajamas doing dishes and laundry and only periodically checking email so they appear to be working. For companies with managers who have this point of view, remote working will never become a reality.  

While telecommuting may be a bonus benefit for some employees, there are some professions where working from home isn’t a benefit or even a privilege but a requirement above the normal 40 hour work week. Doctors, attorneys and other professionals who put work a full week in the office often have to take work home with them in order to keep up with flow of work. Doctors do paper work at home so they can see more patients during the day and lawyers are judged on how many billable hours the work so they often work even when at home. 

Just like organizations that allow employees to work from home as a perk, healthcare facilities and law offices must provide doctors and lawyers with a secure connection to the office. For the occasional telecommuter a VPN connection is sufficient.  However a simple VPN connection may not be enough o connect and secure a doctor’s or lawyer’s home. Actually, one could argue that it is even more important for these professions to have secure connections due to the sensitive and private information they work with. As educated and intelligent as most doctors and lawyers are, many of them do not have the technical expertise or the time needed to set up and then manage a Unified Threat Management device at their home. They simply aren’t security experts, nor should they have to be.

This is where products like Astaro RED come in. South Carolina Law Firm Turner Padget Graham & Laney was able to overcome the challenge of having lawyers connect from remote locations to the main office by using Astaro RED. You can read more about this here.  

To learn more about Astaro RED and other product from Astaro (like Astaro Mail Archiving, Astaro Wireless Security and Astaro Security Gateway) visit booth #629 at Interop.

The resulting interview can be heard here: www.astaro.com/webinars/data-integrity-podcast.mp3

As a result support teams at many technology companies have scored poorly on customer satisfaction surveys. Why? Because they end up only interacting with customers when they are having a problem and are angry. Here are some ways support departments can

Focus on education first
I hate to say it, but a lot of times the issues our customers are having are not because our products didn't work correctly. It is because they were not properly trained on how to set up, configure or maintain the product. This is the support team's responsibility Just as much as it is the sales team or the customer's. Support teams that create ways for customers to educate themselves have a better chance of having customers that rate the support team favorably.

One way Astaro is doing this is by creating a Knowledge base for customers and partners. This Knowledge base will house articles about Astaro product written by Astaro's support team and partners. These articles will explain how to overcome common issues, ways to configure Astaro products and more.

Communication is key
Of course part of education is communication. Support teams should communicate any issues the company's product is having, along with the solution quickly and accurately. Additionally, when product upgrades or enhancements are made, the vendor should create alert systems for the customers along with links to information about the new features.

Like most organizations Astaro has had issues where we needed to communicate to our entire customer base at once. Unfortunately, there wasn't a system in place to do this quickly outside of email. As a result we began developing a unique alert system for our partners using SMS messages. The system is still in the works but we foresee it being a helpful communication tool

Empower your customers
Another way to improve Support services is by empowering them. Make your customers feel as if they have the power to solve their own issues without support, and can to help solve the problems of others. Astaro has a user forum where customers, partners and Astaro employees can discuss issues they are having, talk about unique applications of the product or answer the questions of others. This forum is open to user regardless of their support level status and has a very active community. Even some of Astaro's executives respond to questions from time to time.

Why is this important? It makes your customers feel heard and respected. It also gives them an opportunity to share they knowledge they already have. And when Astaro's Vice President of Product Management responds to your query it lets you know the company is listening.

Keeping these concepts in mind will help organizations understand that if they use their support team for more than just speaking with customers in need of assistance the entire organization will be better off. Support should be a proactive department, just like any other department in your organization.

During my career as a channel manager and director I've encountered partners who were reluctant to create a professional relationship with a woman simply because they assume women are not as adept with technology as men. While this assumption is unfair, it is a reality all women in technology must deal with an overcome. Here are some tips for creating strong professional relationships with your organization's partners - no matter what your gender.

Earn respect
No matter what your gender is, if your partner doesn't respect you, your relationship is doomed to fail. They won't return your calls promptly, they'll marginalize your advice and basically the partnership won't work. To earn your partners' respect begin by behaving in a professional manner upon your first meeting. Demonstrate your knowledge of the market they operate in and your company's technology. This will show your partner that you know your stuff and that you have advice worth listening too. Be sure to dress professionally to project your professionalism by your appearance. And of course speak confidently, even if you are feeling self conscience - remember the old adage, 'fake it 'til you make it". Even when you feel you aren't being respected behave as if you should be.

Deliver on promises
When you are discussing margins, marketing ideas or any other topic be sure to know what you can actually deliver for your partner. It will take just one failed promise to make your partner distrust your advice or worse, you in general. If you promise your partner additional margins if they sell a certain volume or your product, be sure they receive it when they deliver on their end of the bargain. Failure to do so will mean they will distrust your promises in the future and stop working hard for you. Let's put it this way, if a friend told you they would give you $10 for picking their child up from school and then never paid you, would you be as willing to pick up their child again? In the end it isn't about the $10, it is about being respected. If your partner feels you don't respect them, they won't respect you.

Listen more than you talk
What do you partners need to succeed? What do they hope to get out of this partnership? What are the challenges they are facing? If you don't know then you aren't asking enough question and you aren't listening enough. Creating a successful relationship requires you to understand your partners but you can't do that if you aren't listening to their needs. So ask questions, find out how you can help and once again deliver.

Keep it professional...
Your partner doesn't need to know about your wild weekend in Vegas or your fight with your mother. They come to you for technical, business or sales advise and believe you are incapable of helping them if they see you as a party girl, immature or just plain crazy. The more they know about your personal life the harder it is to get them to respect you as a professional.

But be sure you get to know your partners
That being said, you have to have some level of familiarity with your partners. Relationships, even business relationships are about people. No partner wants to feel like they are working with a robot and no one can be all business all the time. So ask them about their family, talk to them about your weekend at the zoo with your niece and chit-chat about vacation plans or the weather. Short friendly conversations will foster a friendly relationship and a sense of trust. And if your partner likes you your relationship will be stronger.

Know when to bring in the reinforcements
No matter how professional, how confident and how knowledgeable you are, some men will still have a hard time taking a woman in technology seriously or showing her respect. This problem only gets worse if you are young or appear young for your age. So don't be too proud to bring in a trusted colleague to help the conversation progress. At first it may seem like you are deferring to older male co-workers but if you trust your colleague then over time the respect your partner automatically grants him will slowly transfer to you and the relationship will become your own. It may not seem fair, but by slowly gaining respect this way, you will potentially change the attitude of your partner towards young, professional women forever.

To hear the full PodCast interview with Jack Daniel, click here.

Here is the recording of their converstation about Astaro's partner program and the security industry.

URL:  www.astaro.com/podcasts/astaro-insider-frances-poeta-interview.mp3

Follow this link for the full article: http://www.mpls-experts.com/blog/

A great deal of scrambling and a few short weeks later, Security BSides Las Vegas happened during the week of BlackHat and DefCon, and it was amazing. A core group of people, assisted by a large group of volunteers, speakers and sponsors put together a two-day event which offered great presentations on a wide mix of topics, a fun environment, and encouraged conversation and participation. Before Security BSides Las Vegas ended, plans had begun for Security BSides San Francisco, to run parallel to the RSA Security Conference, and the BSides phenomenon took off from there. Security BSides conferences are about the community, they are run by and for the participants, and provide a venue for talks and presentations which might not "fit" in other venues. BSides events are also free to attend, so they are a great way to get security education on a tight budget. Each BSides event has its own feel and style, some run parallel to larger events, others are stand-alone, and most are run by members of the local security community. As it says on the Security BSides website:

"Each BSides is a community-driven event built for and by information security community members. The goal is to expand the spectrum of conversation beyond the traditional confines of space and time. It creates opportunities for individuals to both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos, and interaction from participants. It is where conversations for the next-big-thing are happening."

There have now been BSides events in Las Vegas, Mountain View (CA), Austin and Boston. There are several BSides events happening this summer and fall:

• June 18 BSidesDenver "Mile High Security"
• July 28-29 BSidesLasVegas - coinciding with Black Hat / Defcon
  • This will be a huge event, the venue is amazing: http://www.2810vegasestate.com
  • The speaker lineup will include both "headliners", and new speakers, covering a wide variety of topics- many that you will not hear anywhere else.
• September 17 BSidesKC (coinciding with an InfraGard supported Cyber-RAID CyberWarefare event)
• September 24-25 Brussels, Belgium, coinciding with BruCon
• October 8 BSidesAtlanta
• TBD BsidesChicago
• November 6 BSidesDFW "Don't mess with Security"
• November 12-13 BSidesOttawa

BSides events are not just a place for experienced speakers, due to the friendly and helpful nature of the community BSides are great places for new or less-experienced speakers to deliver their message in a comfortable environment. The events also strive to provide comfortable spaces for side conversations, or to continue a discussion after a presentation. If you are going to be near any of the upcoming events, please register, attend, and participate.

Why am I writing about BSides events on the Astaro Security Perspectives blog? Well there are a couple of reasons. The first is that education and open discussion is a critical part of securing networks and improving technology in general. How can we solve issues if we don't talk about them? BSides events foster this kind of open and honest communication that mainstream conferences just aren't able to accommodate. Astaro is a supporter of this type of open communications as well as the Bsides conferences and I thought members of our community would be interested in this type of event.

As good as this scenario sounds there are other trust relationships which must be considered:

• Your employees trust you to provide a safe work environment, free from hostile or objectionable materials. This can be difficult when even the most innocent Internet searches can return obscene or otherwise offensive content.
• Your customers, business partners, and employees trust you to protect their confidential data. The proliferation of web-hosted malicious software has turned web browsing into a dangerous activity, putting your systems at risk of infection or compromise, which in turn puts the information stored on and accessed by those systems at risk.
• An ever-increasing number of laws and regulations require you to protect your employees, to protect sensitive data, and to report any data breaches. This magnifies the importance of protecting your employees and your data.

Web content filtering does not need to be overly restrictive to be effective. And there is no need to threaten the trust an organization has fostered with their employees in order to protect your organization, your employees and your clients from malicious content. A strong web content filtering solution will allow you to filter content based on your organizations acceptable use policy so that you can continue allowing your employees free access to the Internet with the exception of inappropriate and dangerous sites.

The devices can cut the cost of securing and administering a branch office's security by up to 80% by eliminating the need for IT staff and additional security products at the remote office.

More information can be found here: www.astaro.com/news-events/press-releases/astaro-red-simplifying-branch-office-security

Trips to computer labs to conduct research, type papers or for other educational purposes often dissolve into game time or involve non-school related web-surfing. The popularity of social networking sites like MySpace and Facebook only add to student's temptations, making it harder for them to remain focused on their lesson or assignment when they have free access to these sites. It is partially the responsibility of educators to monitor student Internet usage during school hours and on school computers.

Implementing guidelines for Internet usage can be affective in curbing access to distracting or inappropriate sites while at school, but these policies are difficult to enforce because students are technology are able to hide their actions well. Often times administrators are unaware what sites are being accessed until after the fact, then it is too late to determine who accessed the site and when the damage is already done. So now that the challenge of keeping students focused during school hours has become even more difficult, what can educators do to ensure their students aren't updating their Facebook page during class time or chatting with friends via an instant messaging service during a lecture?

Perhaps not surprisingly, the answer to helping students avoid the distractions technology create is ... technology. Many educational institutions have some sort of firewall or security gateway to protect their network from malicious content. However, few realize that these products can also help enforce Internet usage guidelines and eliminate the potential for students to be distracted. One such functionality that can help reduce distractions is content filtering technologies.

These tools allow educational institutions to block access to websites that are distracting to the educational processes. This means when a teacher brings students to a computer lab for a lesson they can be confident the students aren't spending the time on Facebook, checking their personal email or chatting with friends online. Higher end security products don't require educators or school network administrators to block each distracting site individually. Instead they can block types of sites such as "social networking sites" "instant messaging programs" or even "game sites" keeping students focused on the lesson or assignment.

Content filtering tools have the added bonus of protecting students and the school's network from inappropriate or malicious content - even when the visiting of these sites is accidental. Almost anyone who has done an Internet search has experienced clicking on inappropriate materials inadvertently and then being shocked when the content was displayed. In this case, even a student who is aware and respectful of the school's Internet usage policy wouldn't be protected from this unsuitable content as they did not intentionally access the website. The potential for accidentally accessing inappropriate sites is magnified the younger a student conducting a search is - as is the potential for parental complaints or even lawsuits. Blocking sites that students should not have access to or that have known malicious content prevents students from even accidently viewing content they should not see.

It is often the case that students are more Internet savvy than most of their teachers. They have grown up with technology and they can figure out most programs almost intuitively. Because of this, some students are aware of programs that circumvent content filtering tools. Again, the more sophisticated tools are aware of these programs and block them as well. But what if students, with their deep understanding of technology, are able to somehow access a distracting website when they should be paying attention to their teachers? Content filtering technologies that are implemented as part of an information security solution also provide reporting tools so that administrators are made aware of attempts to access these sites. This allows administrators to immediately enforce their Internet usage policy and reiterate the policy to students who attempt to distract themselves from their lessons. Sometimes, the types of sites that can create distractions for students can provide educators with valuable teaching tools.

A great example of this is YouTube. YouTube is home to videos about dogs on skateboards and music videos, content that can be very distracting to students. However, it is also home to some educational content. In a history class, for example, a teacher can access clips from documentaries or videos created during a particular time period. These materials can be very engaging for students, elevating their classroom experience. However, students should not have access to YouTube as it is not only distracting when not used appropriately, but it also has content which should not be accessed in schools or by young students in general. To help work around this issue, some content filtering technologies offer educational institutions the ability to set up user groups and filter content according to each groups' needs. So, for example, computers in a computer lab will not have access to YouTube, while teachers' personal classroom computers will. This makes it possible to take advantage of the educational opportunities the Internet presents while continuing to protect students from inappropriate content and keeping them focused on their lessons. The Internet can be a valuable educational tool, but it can also be a great distraction for students.

While content filtering technologies cannot guarantee students will not daydream in class or become distracted in other ways, they can help educators ensure their students aren't focused on web surfing when they should be focused on a lesson, lecture or specific assignment. They also protect students from accidentally accessing websites that are inappropriate for student viewing. Security solutions can do more than just protect your network from viruses; they can keep your students focused.

The very nature of PCI regulations means it will affect organizations with multiple locations, like franchises, retail and wholesale stores, banks, credit unions, as well as restaurants and other consumer facing businesses, because they are the organizations most likely to touch credit card data. It is not enough for these organizations to create security policies and compliance procedures for their main offices or flagship store. These businesses must also circulate these policies, guidelines and efforts among all their branches and then update each branch's policies when a change is made. This can be very time consuming, especially when it comes to PCI compliance.

Adding the headache of keeping all of an organization's branch offices compliant to the already confusing and complicated task of creating PCI compliance rules for an organization makes PCI compliance almost unbearable. It is unrealistic to expect an organization such as a bank or retail store to have dedicated IT staff, let alone a security expert, at each locations. The costs associated with doing so are too high and despite its complexity there aren't enough tasks to sanction having an IT employee at every retail store. Additionally, PCI standards require organizations to regularly "test security systems and processes" as well as "track and monitor all access to network resources and cardholder data". With store fronts and office locations spread across countries and continents regularly testing systems may take a backseat due to budget constraints.

Despite this, all branches must be PCI compliant or they risk a myriad of penalties, the worst of which is losing their ability to accept credit cards as a form of payment - effectively making it impossible to run a business. With ignoring the standards no longer an option, there are two remaining options these organizations have for dealing with PCI standards. The first is to roll out individual security products at each location. This requires sending IT staff to each location to set up and configure the devices. Then each time a new security policy is created, the IT expert must travel to all the sites and reconfigure each device. Of course the business could elect to hire an IT professional at each site for the sole purpose of managing the site's security, but again, in many cases this is not an economical solution.

The second option would be to manage all security through a centralized point (i.e. headquarters) using a single security device and connection points at each office. The challenge there is connecting all branches to the central office -no small task when some offices may be oceans away. Even a distance of a few miles would make connecting the branch office to the headquarters difficult without the right technology.

The right technology will connect and secure the remote locations and provide the IT staff at the headquarters or central office to control PCI related policies as well as all other security policies. This tool would have to be simple to set up so that any employee at a retail store or credit union branch could install the device themselves, eliminating the need for IT staff travel.

The Best of Interop winners will be announced on Wednesday, April 28 during Interop Las Vegas, happening April 25-29 at the Mandalay Bay Convention Center.

For more information visit: http://www.bestofinterop.com.

Most mobile phones get a signal from the carrier which is pretty good, and sometimes we can rely on our computers, but only "sometimes". When it comes to our computer systems, many people get away with default configurations in Windows and just set the time on various bits of network gear- and it works acceptably most of the time.

Active Directory authentication works as long as the clients and servers are within a few minutes of each other, and many administrators are content with that- at least until something goes wrong and they start trying to compare logs between different systems to correlate events. Even if you are fortunate enough to have a SEIM (Security Event Information Management system) gathering all of the information for you, the time on the individual devices needs to be consistently accurate. For those situations when "close enough" isn't, and "sometimes" isn't acceptable, we need a better system of timekeeping.

Thankfully we have a variety of tools based on NTP, the Network Time Protocol to help us manage timekeeping and synchronization on our systems. The NTP folks also maintain a list of NTP servers you can use, details are at http://www.pool.ntp.org/en/. For most users, getting updates from one of the NTP pools is the best configuration. Simply select the closest regional pool from the list at http://www.pool.ntp.org/zone/@ (for the US, it would be us.pool.ntp.org), this will resolve to an up to date list of servers in your area. Simply enabling automatic time updates isn't enough, however, some thought needs to go into the hierarchy of the network. In simple networks, enabling NTP services on a perimeter device such as router or firewall is probably adequate, the device can retrieve updates from Internet servers and client systems can be configured to retrieve NTP updates from the gateway device. For a little extra redundancy, you can add Internet NTP servers as secondary time sources on your clients, but if you only have a single path to the Internet and it is down, that will not help.

For larger or more complex networks, you will need a distributed NTP infrastructure with some redundancy and fault tolerance built in. If you have multiple Internet access points, configuring routers, firewalls, or other gateway devices on each connection as both NTP clients and servers is a good first step to provide redundancy. Internal servers and network devices can then also be configured as both NTP clients and servers, retrieving updates from a list of gateway NTP servers, and answering NTP queries from client systems inside the network. At the client end of your NTP network, configure client systems to query at least two of the closest internal servers or network devices.

With this configuration, all of your systems should be synchronized and able to maintain synchronization through isolated network outages. In some situations even more may be required, dedicated NTP time sources, peering of local NTP servers, or multi-layer hierarchies, but the above should give most networks stable and reliable timekeeping. NTP is a stable and low network impact protocol, so once set up there should be very little maintenance required.

This translates into billions of hours logged onto sites like Twitter. With so many people spending so much time on social media sites these sites have become the most dangerous part of the Internet. Or at least that is what many security bloggers or reporters would have you believe. We read stories about Facebook users being targeted with spam and Social Media as a tool for Phishers and that most breaches now originate from social media. We are also told that we need new methods for combating this problem. But I ask why? While social media has made it possible to easily connect with and follow the daily actions of your best friend from kindergarten, it has also made us complacent. We assume that because a link was posted by a "friend" that the link must be safe.

We assume everyone on Twitter has good intentions and that the information we post online won't be used against us. Of course, none of this is true, but this does not mean we need new technologies or new tactics for keeping our computers and networks safe from malicious content on social networks. What we need to do is treat social media like email - albeit very public email. Almost everyone with an email address knows not to click on the link sent by a Nigerian prince. They know not to open files that are sent from people you don't know and they know they should not use 123456 as their email password. People, of course, still do, but at least most people are aware they should not. Yet somehow, when they log onto Facebook all this common sense disappears.

The person who wouldn't dream of opening an attachment in an email from an unknown source is suddenly downloading games off of Facebook. Bill Brenner of CSO wrote some great tips to "Smarten Up" about social network sites. While the tips about not posting when you are going on vacation are unique to social networking, they are also unrelated to network security and focus on personal security.

However, there are some great tips for avoiding a security breach as well so it is worth posting here. When it comes to network security the best way to stay safe is to treat social media sites like they are your email accounts. It is estimated that somewhere between 80%-90% of all email messages are actually spam and we all know many spam messages can be dangerous. I would argue that many of the postings on social media sites are also spam. How else would you classify a complete itinerary of someone's day, or the lyrics to the song which best describes how sad a person is about a recent breakup?

While this isn't dangerous it still falls in the bucket of spam. So when you see a message on a social media site about making $500 a week working from home assume it is spam - even if your "friend" posted it. The threats and tactics aren't new - it is just the medium that is different. So continue to use the same common sense you use when opening emails, and the same content filtering you use to block sites with known malicious content, and you'll be fine on social media sites - as long as you don't post the times and dates of your next vacation.

Because this form of time wasting was highly visible employees were forced to self-limit the amount of time they spent socializing at work or risk having their supervisors labeling them a slacker. Among the many activities the Internet has made easier is wasting time at work. Employees can now spend as much time as they want surfing the web and because they are at their desks looking at their computer screen any passerby would believe they are working. With the Internet the only thing stopping most employees from spending hours online wasting time is their own work ethic and sometimes, pressing deadlines. Boston.com published a list of the Top 9 Time Wasters at work. Of the nine activities employees engage in during the work day instead of working five of these activities involved using the web. Here is a brief summary of what the Boston.com article included:

• Number 1 - Internet Use Respondents to a survey indicated they spend more than two hours a day simply surfing the web instead of working.
• Number 3 - Shopping online During the holiday season the average employee planned to spend the equivalent of two full work days shopping. The survey also said that one in ten employees sinks as much as 30 hours a year into online shopping.
• Number 4 - Social networking According to a 2009 study from Nucleus Research, productivity drops 1.5 percent when workers are able to access Facebook at work. This study also states that 61 percent of employees use the site at work for an average of 15 minutes a day.
• Number 6 - Email Basex, a New York Consulting firm, reports that half of all workers receive 50 or more email messages a day and 55 percent respond or read the messages immediately. With more than 80% of messages being spam this is a huge time waster.
• Number 8 - Looking for jobs One in four employees with a computer admits to searching for jobs while at work.

So with all these time wasters damaging employee productivity what can an organization do? As we've stated in past posts - employee productivity can be improved using the same tools organizations use to protect their networks from Trojans, botnets and other malicious content. First of all they can reduce the number of emails employees receive by deploying a spam blocker. This way the emails they receive will at the very least be (mostly) work related. Next, the value of content filtering tools cannot be understated. To preserve employee moral while protecting productivity companies can create Internet usage policies using this very same technology.

Instead of banning social networking and news sites all together you can allow employees to access these sites at certain times (at the beginning of the day, during lunch etc.) This way, employees still get the break from work they need to recharge without over doing it. If blocking access to websites isn't your organizations "style" these tools can be used to monitor web-usage instead. Then the administrator can talk to only those employees who abuse the right to surf the web freely, or even create a user group of just these employees.

Today this has all changed. Technology has made it possible for businesses of all sizes to have multiple locations throughout the world. This means employers can hire the best employees regardless of their location. Also high gas prices and the desire for a flexible work environment has caused many organizations to offer flex spaces and create connected work policies. As a result, we are seeing a more distributed workforce in companies large and small. The ability to have employees work from anywhere has been beneficial to most organizations.

According to a recent study done by Link Resources, allowing employees to telecommute or work out of remote offices closer to their homes can improve productivity by up to 20%. Factors such as increased flexibility, reduced stress resulting in sick days, and the fact that minor health ailments will not impact an employee's ability to work are all contributing factors to the increased productivity. When working from home or at an office closer to their home employees tend to add the time they would have spent commuting to their work day, increasing the number of hours they will spend working a week and thus increasing their output. Connection is only first step - then you need security So what is the catch to this distributed workforce? - ensuring connectivity and security.

Basic technologies such as a telephones, instant messengers (with or without video capabilities), email and mobile devices allow your employees to stay connected to the office no matter where they are. However, in order to make having office locations worthwhile it is critical for each location to be secure. Deploying separate security devices at each office location can ensure each office is secure, however this creates a huge administrative burden. I know of one company that has eight offices with a combined workforce of less than 100 employees. The time it would take the network administrator to install, maintain and update eight separate security appliances would negate many of the benefits of having a distributed workforce to begin with.

Despite the simple set up and configuration of some security products it is still necessary to have an individual with a technical background manage the initial deployment. With a distributed workforce this means extensive travel just to connect an office, creating a financial hurdle to having remote offices. There are only two ways to avoid spending valuable dollars on travel to connect and secure remote office: 1) don't open remote offices or 2) select security products that can be deployed by anyone - even non-technical employees. This still leaves management as an issue.

This can be combated if the network administrator is able to maintain or update the security solution remotely or from the central office. Having multiple offices in spread out locations is a reality of the business world today but so is the need to secure your network. When an organization's network is distributed across multiple locations it can be a challenge to ensure their security but new technologies are making this possible. An example of this type of technology happens to be from Astaro. Information can be found here: http://www.astaro.com/landingpages/en-worldwide-innovations-2010

Astaro RED is the first security solution to offer complete and centrally managed Unified Threat Management for branch offices. It empowers organizations to connect their remote locations to a central location (headquarters) within minutes and without onsite technical expertise. For more information about Astaro RED watch this short video here: http://www.astaro.com/landingpages/2min-explainer-red

Astaro Mail Archiving is a hosted service that is set up within 15 minutes. The service provides unlimited storage and users can find archived email quickly and easily through a convenient Microsoft Outlook plug-in. For more information about Astaro Mail Archiving watch this short video here: http://www.astaro.com/landingpages/2min-explainer-ama

Astaro Wireless Security offers secure and uninterrupted WiFi signal throughout an office location through secure plug & play thin access points (802.11n). Astaro Wireless Security allows users to create guest Internet access without complicated configuration. Security is managed centrally with the Astaro Security Gateway web interface. For more information about Astaro Wireless Security watch this short video here: http://www.astaro.com/landingpages/2min-explainer-wifi

In addition to the three new products, Astaro is currently developing version 8 of the Astaro Security Gateway. The new version will include support for IPv6, a reverse proxy - Web Application Firewall, admin change tracking and an updated interface.

Many of the new features found in version 8 were suggested on the Astaro Feature Request Site, a site that was developed by Astaro product management to receive feedback on current and future offerings from Astaro's partner community and customers. Find more information on the three new members of Astaro's product family on www.astaro.com/innovations-2010 and register for e-mail updates to receive latest information on them

Breach disclosure laws are old news, but 201 CMR 17.00 is different, it prescribes data protection specifics, and it is not limited to those in Massachusetts: "201 CMR 17.01 (2) Scope The provisions of this regulation apply to all persons that own or license personal information about a resident of the Commonwealth." Yes, all persons (which includes companies and organizations), regardless of where they are located, are covered if they: "Owns or licenses, receives stores, maintains, processes, or otherwise has access to personal information in connection with the provision of goods or services or in connection with employment."

This is a big deal, for two key reasons. First, it is leading the way in state regulation of the protection of data. There have been other regulations covering protection of data, but I believe this is ground breaking and will be followed by other states. Second, it has a very broad reach, it is not industry-specific, and it applies to a large number of organizations which have never had regulatory requirements on their IT system before.

Specifically, it applies to: "Person, a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof." There is an exclusion for Massachusetts government, but they are covered under Executive Order 504, which mandates similar protection of data for them. This regulation can put a significant burden on businesses which do business with Mass residents, and I believe that small businesses face the biggest challenges. (The burden is to do what they should already be doing, but are not; that doesn't mean it will be easy).

Small businesses are the least likely to have dealt with regulation before (except in specific regulated fields), and they are the least likely to have the knowledgeable personnel and financial resources required to comply. Those organizations in the 40-200 user size are probably going to have the hardest time (as they often do), they're too big for doing everything manually, and not big enough to justify the enterprise tools to help manage some of the tasks at hand. You can find a PDF of the regulations at: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

This model is designed to better meet the needs of our partner community and our end-users. Below you will find the details of the new licensing model. We rearranged the former Base License: Out of the advanced network security features we created a dedicated subscription called "Network Security" while our free "Essential Firewall" contains basic networking and network security features. We also adjusted the maintenance and support.

We decided to update our licensing model to create a more flexible licensing; now customers can buy exactly what they need. With this new model the clustering and user upgrades processes are much easier. This new model also includes a more competitive price point for smaller appliances. This will make it easier for our partners to initiate conversations with prospective customers with smaller budgets.

Additional information can be found here: http://www.astaro.com/news-events/press-releases/astaro-redefines-utm

There are hazy details about the case. I don't want to take sides on the litigation, but I do want to point out that both parties could have prevented the actual breach.

Bank's fault
There was one detail that I picked up on. PlainsCapital did not issue a statement, but there does appear to be a memo that was made public. In this memo it outlines the details of the intrusion as reported by Sam Roark, vice president of delivery channels. The bank uses some common methods of authentication in order to gain access to the system and make transactions. Specifically, you need to know your username (public information) and your password (private information). Once you sign in, it will send an email to you before you can make any transactions and you must then click a link. The memo states the following about this process: "This is known as multifactor authentication." It is not my intention to pick sides. In fact, I would place most of the blame elsewhere.

However, I would like to use this example to make the concept of multifactor authentication clear. Multifactor authentication uses a combination of something that a user knows, something that a user has and something that a user is. In order for the multifactor authentication to be more secure than single factor, you need at least two of the three categories. Think about your ATM authentication for instance. You must insert your card and enter your pin.

This is something you have and something you know. The bank uses two instances of something you know (your username and password and then your email account's username and password). This is not any more secure than single factor and indeed is not considered multifactor authentication. If this was a phishing attack from the intruder, then the user could unwittingly give up both pieces of information and the attack would be successful because the attacker doesn't need to kidnap (something you are) or steal a physical item (something you have). It is incorrect to say that the Bank was using multifactor authentication for this reason. Had the bank really been using multifactor authentication (with a secure token or something similar for instance) then this attack would not have been successful. Banks should consider this in future litigation and policy making.

Customer's Fault
The customer is the actual target of the attack. The customer is responsible for the privacy of their security credentials. Unfortunately, these credentials have been known to be easy to leak. There is no detail about how they were leaked but there are a couple of possibilities. The most obvious is a phishing attack. A user within the bank was simply asked to give the attacker the information that he was looking for. Probably believing that the attacker was a trustworthy individual, the user gave the credentials. After this and the lack of actual multifactor authentication there was no barrier to a successful attack. The way that the customer could have prevented this is to make sure that anybody that has access to the banking information is well aware and vigilant not to give the credentials to anybody. This is user training and is often a goal of any security strategy.

The more sophisticated route would be a fully technical breach. If the attacker(s) were able to gain access to an internal system that had the authentication credentials in an accessible place, then this is all that is necessary for the attack to work. There are mitigations that give you a reasonable expectation you are not going to be breached, but these technologies are never 100% effective. There are always 0-day attacks and obfuscation techniques to hide the presence of a breach. Technologically, the customer would have to make a risk based assessment as to when enough security is enough. This attack may have been more sophisticated than the security measure put in place. Currently, Hillary machinery has not released information about the measures they have in place. It is entirely possible that the state of their network security was woefully insignificant. However, the assumption that it was insignificant cannot yet be made.

Put It Together
All in all, both parties had an opportunity to stop this breach. In the end, the customer is responsible for keeping their credentials secure. The bank should have policies in place that would stop a breach if credentials are stolen, though. Neither party is fully responsible for the breach but neither party can claim that they aren't responsible. Of course, this is now a legal issue, and we'll have to see how the legalities work out.

These events will feature information regarding Astaro's product roadmap, the security industry, competitive messaging information and technical demonstrations as well as an opportunity to network with other members of the Astaro partner community. The first two events will be held in Miami and Orlando on March 10th and 16th respectively.

We encourage all partners in the area, as well as those considering joining the Astaro partner community, to attend an event. For more information about dates, times and locations and to register for an event click here. We hope to see you there!

The webinar, titled: "Products To Leverage For Your Own Economic Recovery", discussed pitfalls to avoid in the economic recovery, product financing support for IT companies ramping up for the recovery and basic business advice for 2010.

The webinar featured a guest speaker, Astaro partner Dean Wescott, CMO of Kincaid Network Solutions. During his segment, Dean discussed his experiences leveraging the Astaro Security Gateway Essential Firewall Edition and how it will help VARs and managed services security providers gain momentum in 2010.

In fact, if you look at the technology as a whole, virtualization can be thought of as macro-sandboxing - that is, making sure that one set of processes (the guest) cannot interact with another set (another guest). Virtualization has taken off and now sandboxing is headed towards stopping individual processes from communicating with things it shouldn't.

The Theory
Sandboxing is not a new idea and is a simple idea. Basically, if you limit the access that a running computer process has, then it limits both good and bad things. If you design a program to work properly under normal circumstances while limiting the access it needs to other data, then you have created a sandbox. Then, if this program is used in a manner which was not intended, the effects are also limited. On top of this, the portions of the program that are intended to interact with other resources (such as the operating system or other processes) are hardened with the most strict security practices possible.

The end result is a recipe for success.

Harbingers of technology
Google's Chrome browser is already sandboxing itself. According to Google's Chromium Blog all of the Javascript and HTML processing is sandboxed in what is known as the renderer class. Each plug-in is separate from the renderer. As a result, Chrome runs in several OS processes, one for each tab and plug in. On top of this, the renderer is hardened using the most stringent OS security. If there is a vulnerability in one of these processes, it cannot interact with other processes, including your hard drive. This is unlike other browsers that have no separation.

If there is a vulnerability in older-style browsers, it can still interact with anything running in the current single browser process, including crashing your entire browser session or interacting with other system resources.

Just Web Browsing?
This does not limit itself to browsers. This method applies to all processes running on the system. If there is a process that is allowed to interact with other processes, then it stands to reason that it can be used for malicious purposes. Enter another utility: Sandboxie (http://www.sandboxie.com/). Sandboxie is a great utility that allows any process to run in a sandbox. If there is a vulnerability or crash in the process that Sandboxie is running, it acts in a similar manner to Chrome's renderer, it won't interact with other processes to cause wider damage.

You can close the Sandboxie process along with the misbehaving process and start over. With this (lack of) power, it is no wonder that developers are leaning on this technology to help make computing safe for the masses again. It won't be impossible to mount a successful attack, but it will be much more difficult. The downside? Look for phishing to become more popular as it will be easier to use it as a tool than to exploit the actual system. What do you think about Sandboxing when it comes to creating programs?

But there are other ways to make sure you are protected from these hard to identify scams. The simplest way is to make sure your software is up to date. I am not taking about your security software (but keeping that up to date makes sense too). I am talking about the regular software you use every day. The Waldec virus, a virus that spreads through fake new years' e-cards, attacks known vulnerabilities in programs like Adobe Flash, Adobe Reader and Internet Explorer. How can they successfully attack known vulnerabilities?

It isn't that Adobe and Microsoft ignored the vulnerabilities and didn't create patches. Instead, the Waldec virus depends on the fact that many people do not update their software with the latest patches and more often than not this is the case. So, one important step towards protecting your computer and your network is to update your software when new patches come out. If the company that created the software is aware of the vulnerability, you can be sure cybercriminals not only know about it, but already created a program to exploit it.

Which brings me to a secondary tip - Do not open e-cards or emails if you don't know the source. You can spot fake e-cards because they typically have subject lines like "a friend sent you an e-card" while real e-card services will personalize the subject line to say something like "Bob send you an e-card". Microsoft security patches can be found here: http://www.microsoft.com/security/updates/bulletins/default.aspx Adobe security patches can be found here: http://www.adobe.com/support/security/

A security breach at a retail, wholesale or consumer goods organization damages the organization's reputation and could cause customers to shop elsewhere. Additionally, government, and trade organization regulations such as PCI standards require these organizations to secure this data to prevent the loss of data and indentify theft. Because these organizations often have multiple locations in addition to a corporate headquarters securing data can be a difficult task.

One solution is to deploy an information security product that at each location that allows for central management at the home office. This will reduce the amount of time it takes to administer these products will protecting the entire network. Protecting an organization from external threats is crucial; however, retail, wholesale and consumer goods organizations need to protect themselves from internal breaches as well. The majority of breaches originate from accidental downloads of malicious content by employees.

Content filtering capabilities allow organizations to block access to websites with malicious content and prevent threats from being downloaded in the first place. If a computer on the network somehow becomes infected, a strong information security product will provide proactive notifications and quarantines of network traffic breaches and infections so network administrators at retail institutions can react to breaches before infections spread to the entire organization - protecting customer data and your organization's reputation.

Here are some examples of how retail, wholesale or consumer goods companies have protected their networks: Kauffman Tire Hannoush Jewelers

I disagree with this theory and believe the only people who won't shop online because of these attacks are the people who aren't shopping on line anyway, thus ecommerce will not feel a significant impact from these threats. The trends seems to be moving towards doing more and more business online rather than in stores and banks.

Many banks offer incentives for "going paperless" and for setting up automatic bill payments. Reports of these attacks may hurt smaller online shops that have sites full of ads, but for the average consumer, they will continue to trust name-brand sites like amazon.com or even ebay. Most educated consumers don't care about privacy issues, web hacks, or even user ID theft. They know their credit card companies protect them from fraudulent claims and are even willing to risk having their credit card information stolen on sites they haven't heard of before for the right price. If their information is stolen they will just call their credit card company and have the charges removed.

I am curious if my opinion was on track with others so we are conducting an informal poll on our Facebook fan page. We asked: Are you less likely to shop online because of reports of data breaches (like the Heartland breach)? Respond to the survey by visiting Astaro's Facebook fan page (http://www.facebook.com/business/dashboard/#/pages/Astaro/107041096353?ref=mf) and leaving a comment, or leave a comment on this blog post.

We will post the results on our blog after the new year.

While there are plenty of "black-hat" hackers engaging in criminal activity for their own gain, the term hacker has an entirely different meaning. . A hacker is simply a programmer for whom programming is reward enough. They tend to be curious individuals who test the limits of what is possible in computing. Unfortunately, the term has become synonymous with "cyber-criminal" and now that this image is etched into the conscience of American society there isn't much this unorganized group of people can do to restore their reputation.

Articles like this one also make it difficult for ethical hackers to shed this image. Strict interpretations of DMCA, EULAs and other laws or regulations have made criminals out of white-hat hackers whose only goals are to test the bounds of computing. The truth is we need hackers. Hackers are some of the most computer savvy individuals and their unique knowledge can be helpful in all kinds of scenarios. For example, an organization can hire a hacker to find possible vulnerabilities in their network, or a network security company can hire a hacker to help create a more secure firewall or other security devices. While hiring true cybercriminals to may not be advisable in all cases, to say that someone who was convicted of a cybercrime could never be trusted is laughable. Criminals reform, and these cybercriminals posses knowledge that possibly no one else has.

Why not use their expertise to create a safer Internet environment? Other countries understand the distinction between cybercriminals and hackers. Some even create college programs that teach hacking techniques. Why? Because at the very least those who develop our network security solutions should understand how cybercriminals operate on a practical and technical level.

While recognizing the need for security is a positive step, many of these organizations are missing out on an opportunity to improve their business operations by using these same tools. The most useful security products aren't simply roadblocks for hackers; they also help contribute to an organization's bottom line. Here are some ways security solutions can help improve business operations by improving productivity.

Spam Filters
Employee productivity can be difficult to measure but is an important part of creating a successful business. All organizations want their employees to be as productive as possible, but constant distractions sap productivity. Employees are bombarded with email all day long, and many of these messages are useless (and dangerous) spam messages. In fact, it has been reported that, depending on the source, somewhere between 80% - 90% of all emails can be classified as spam. Also spam costs the average medium sized company upwards of $185,000 a year in lost productivity - and that doesn't even include the costs of cleaning off a network if the spam message has malware, spyware or a virus on it. With so many messages to wade through, classify and then delete manually, spam has a significant impact on productivity. Security solutions that posses strong spam filtering capabilities eliminate the majority of spam in employees' inboxes, preventing the productivity drain.

Content filtering
Content filtering capabilities prevent lost productivity due to inappropriate or excessive web surfing. It also helps reduce the risk of being labeled a hostile work environment by preventing employees from accessing sites that are considered offensive. Properly filtering content can help keep your business's network safe from spyware as malicious sites are blocked from the network. This also preserves your networks performance as it isn't bogged down with spyware or malware, nor is bandwidth being eaten up by non-work web usage.

Working from home
Offering your employees the ability to work from home can increase employee morale and productivity. Employees who have access to the network from remote locations are more likely to work outside the office, and to contribute to the business outside regular business hours. As more and more businesses offer work at home policies and have mobile workers, remote access to the corporate network from any location will become a business staple. Setting up VPN clients on individual machines his a huge administrative hurtle to offering VPN connectivity.

Internet security products do more than just protect your network from viruses and other malware. They improve productivity and increase

You'll want an engine, four tires, power windows, anti-lock brakes etc. Now what if all you did was find a car that had all these features? You might end up with an engine that floods, tires that go flat, windows that don't work when it is cold or brakes that have cracked brake pads. Of course when you are looking for a car you are going to look at the quality of each feature not just if the feature is present.

Why then do IT administrators simply use a simple feature check list when purchasing a security (or other technology) solution? When evaluating any purchase, be it a car or a network security product, customers should try to understand the depth or quality of the features each prospective purchase has. What is the best way to do this? Sticking with the car analogy here are a few ways to evaluate a security product effectively. Industry reports/news items When you begin your search for a new car one of the first things you should do is look for news items related to the industry.

Have there been any serious recalls or safety problems? Is there a new model of a brand you like? You can do the same when searching for a security product. Google "network security" and look on the news pages and press release pages of the products you are short listing. This will give you an idea of what is going on with the companies and products you are looking at. Customer References Next you should talk to others you know who drive the type of cars you are interested in buying. Finding customer references may be easier with cars than with security products as you can easily determine what someone drive (just watch them get in their car), but companies don't advertise the security solution they are using on their website.

Ask other IT administrators you know what they use and what their opinion of this product is, look on network security forums to see what people are saying and check out the companies web page - more than likely they have a library of customer success stories telling you how the product solved the customers problems. Awards and Certifications Car companies know awards matter.

This is why so many car ads include information about what awards they have earned. Industry awards and certifications normally have clear guidelines for who will be recognized so if having a strong IPS is important to you, look for companies that have received awards for having a high performing IPS. Test Drive Of course all the research in the world can't replace a test drive.

Once you've seen the awards, heard the customer success stories and read the industry or analyst reports you'll want to test the product yourself. If the vendor doesn't allow for a free trial ask yourself why? What are they hiding? A company that is confident in their products' feature depth as well as its breadth should have an issue with you testing their product for a given amount of time. How else would you know if you will like how the product drives?

The newest version of the free central management tool includes updated and new functions that enable Astaro partners to offer managed security services. To register for a personal license key of the Astaro Command Center version 2.1 visit: http://www.astaro.com/download/acc

More information can be found here: http://www.astaro.com/news-events/press-releases/astaro-command-center-version-2-1 And here: http://up2date.astaro.com/2009/11/astaro_command_center_21_relea.html

If the computer happens to be connected to a business' network then the infection can cause a serious data breach, slow down the network connection hurting productivity or even crash the network. Most of us know about these risks and we or our employers take the necessary precautions to protect the networks we use. However, there are still organizations and individuals who neglect security. When a business decides to forgo security products it is often because they feel their network is too small to be a target. When an individual decides to go without security on their computer it is because they feel the worst that can happen is their credit card information is stolen.

When this happens they just call their credit card company's fraud department and the fraudulent charges are dropped. What these individuals don't realize is the consequences of not properly securing a network and a computer can be much worse than some fraudulent credit card charges. David Kernell, the alleged hacker who gained access to Sarah Palin's personal email account learned this the hard way.

Kernell's defense claims his computer was infected by a virus that took control of his computer and he was unaware it was being used to reset Sarah Palin's password and steal personal information. In other more serious cases, malware has been used to download child pornography on an infected computer so the hacker can view the illegal material and the victim is framed as the offender.

There have been cases where innocent men and women are convicted and spend time in prison simply because the virus wasn't found in time to clear them of the offense. Even after they are cleared their reputations are sullied and their lives turned up-side down. As the Examiner article points out, there have been cases where the "my computer was infected with a virus" defense has succeeded, but is this a chance you are willing to take?

Only time will tell if Kernell is an innocent victim himself or if his claims are false, either way he will have to go through a lengthy trial will potentially cost him thousands of dollars and his personal reputation. It isn't enough that Internet users and businesses have to worry about identity theft and the loss of sensitive data, now we all have to worry about being framed for a serious crime. With the right Internet security solution innocent victims could avoid the frustration of being falsely accused of a crime.

Even last year, at the beginning of the economic collapse, IT budgets were expected to rise, albeit only slightly. With IT budgets continuing to tighten, what does this mean for technology partners? On the surface it appears that technology vendors and their partners are in for a tough year. However, TechTarget also reports that only 13% of those surveyed plan on reducing overall spending. This indicates a move towards spending on strategic initiatives as well as necessary items (new laptops etc.).

What to look for in a partner
To set your organization up for success in 2010, VARs should look to partner with companies that offer technologies that are considered must haves. Even with tight IT budgets, organizations in all verticals will need network security. The myriad of phishing attacks, botnets and, spam and other Internet threats means the risks of going without network security outweigh the potential costs. As long as cybercriminals continue to make money from these attacks new and more sophisticated attacks will be developed. Because of this, organizations of all sizes, in all industries will continue to purchase network security products to protect their networks.

Which security product/which vendor?
VARs searching for a potential partners will find that there are many network security vendors to choose from. Which one is the right one? They key is to find a security company whose products offer a balance between functionality, ease-of-use and reliability. End-users will look for products that provide more than network protection. They will want a product that helps improve productivity and even helps save money. The best way to determine which vendor will offer you the best sales case you should read customer testimonials and talk to other VARs. The best indicator of whether or not a company's product will create a good opportunity for your organization is how happy current customers are.

Do they talk about time and cost savings? Happy customers that can point to specific metrics on why they are pleased with a product will help you demonstrate the product's value to potential customers. Having this information before deciding which vendor to partner with will help you make a solid decision that will help your organization be successful in 2010 and beyond. It is becoming clear the economy is starting to turn around. Despite this, IT budgets will remain tight.

When trying to determine which vendors to partner with look beyond factors such as margins. High margins are important but so are a demand for the product, a product that helps save time, and a vendor who has a personal relationship with each of its VARs. When looking for a vendor to partner with, don't just look at the normal metrics. Think about what types of products will be in demand and then for the most reliable vendor in that space.

Astaro was named a finalist in three Reader's Choice categories and as an Excellence Award finalist for the Best SME Security Solution category.

For the full list of finalists visit: http://www.scmagazineus.com/scawards2010-finalists/section/1309/

Attacks on smart-grids, government agencies and local municipalities demonstrate the vulnerability of government networks. In addition to protecting themselves from cybercriminals, government organizations also require technologies that allow IT administrators to create VPN connections and set up content filtering rules. Often times these organizations are understaffed, thus they require technologies that are easy-to-use and cost effective.

Benefits of security for government institutions
No government agency or municipality can afford to overlook network security. As security breaches become more common it has become even more critical for government agencies to secure their networks using network security technologies. Government agencies should look for products that protect while enhancing employee productivity.

Because government agencies tend to operate on a small budget compared to private companies it is important for these institutions to look for integrated, easy-to-use network protection, web filtering, and email security for protection from service attacks, port scans, worms, Trojans, botnets, and application exploits.

Protecting government institution from external threats is crucial; however, government organizations also need to protect themselves from internal breaches. The majority of breaches originate from accidental downloads of malicious content by employees. Content filtering capabilities allow government organizations to block access to websites with malicious content and prevent threats from being downloaded in the first place.

Having a product that also provides quarantines of network traffic breaches and infections will help network administrators at government institutions as they can react to breaches before infections spread to the entire organization.

These stories make headlines because they are exciting and somewhat shocking - how could a company that large be hacked? - we ask ourselves. However, the articles often leave out an important fact: In most cases, cyber-criminals don't target specific companies because they are large and well recognized; these may simply be the most publicized incidents. This would be way too time consuming. The hacker would have to spend weeks or even months circumventing the organization's firewall and other security solutions. This reduces the amount of return on the attacker's investment (of time and effort).

Instead of dedicating all their time looking for a way into a single specific network, hackers create programs that spread out across the Internet in search of security vulnerabilities. Once a weakness is found, the program exploits it, and then uses that network as a jumping point to infect other networks. If these trolling, malicious programs are able to periodically infect the networks at large companies, imagine how much more often smaller companies (who have less resources) are infected - and we never hear about it?

It is important for small and medium sized companies to secure their network just like large companies. Your security breach might not make headlines, but I am sure it will cause just as many headaches as a larger company's.

Partnerships are about more than sales
While the ultimate goal of any business partnership is creating sales opportunities, there is more to a successful partnership than sending potential leads to your partners. Vendors should know that developing a knowledgeable channel and providing support are a key part of creating a successful partnership.

Offer training
Ensuring your partners possess a deep understanding of your company's products is crucial, yet not enough to create a successful partnership. They need to understand the industry, the specific needs of target markets and how your technology solves those needs as well as know the differentiators between your products and your competitors'. Most companies provide new partners with basic product information, collateral and some key facts that will aid in the sales process when organizations become a partner but this initial education is not enough. Vendors should create periodic product and sales training sessions to ensure partners have a deep understanding about changes in the industry, products and even competitive messages. Among these training sessions should be a session regarding the sales processes and tactics. The sales training sessions should discuss tactics for selling to particular industries as well as responses to common objections.

Offer REAL support
In addition to sales training, marketing and public relations support will help foster a successful partnership. Many partners do not have the resources to dedicate towards creating collateral, marketing emails, press releases and other marketing/public relations materials. The vendor organization can help their partners be more successful by offering marketing and public relations services.

Of course offering such services is mutually beneficial. For example, if the vendor was to issue a press release about a new customer a partner signed this would benefit both the partner and the vendor by providing name recognition and demonstrating that the product the partner is trying to sell is used by organizations in a particular industry. The same goes for marketing materials. Providing partners with emails to be used in marketing efforts allows the partner to focus on selling products rather than marketing them.

In the end providing these services is win-win. The vendor should also provide dedicated partner sales support. When the partner is having difficulty closing a deal or needs information to help initiate a conversation with a potential customer they should be able to call the vendor and speak to an individual they have an ongoing professional relationship with. This will create a better relationship and thus a more successful partnership.

Open source solution providers, particularly those in the security industry, face tough challenges combating some of the common misconceptions and myths surrounding this highly adaptable and effective development method. Astaro published a white paper dispelling the myths associated with open source.

Check it out - it may help when dealing with push back about open source. http://www.astaro.com/content/download/3208/28303/file/AstaroOrangePaper_OSS_Myths_en.pdf

The leaks were discovered during a Congressional investigation (Moscaritolo, 2009) and have prompted lawmakers to consider prohibiting these programs from not only all government owned computer systems, but also from all computers used by government contractors and telecommuters. P2P applications are just one of the new challenges that network administrators face, and controlling them with older security equipment can be difficult or impossible. P2P programs allow users to connect to other remote P2P computers and share files which can lead to legal as well as security issues. Copyrighted material, malware, and sensitive information can all be transferred by these programs without the administrator being aware.

Additionally, these P2P programs often have little or no security and if incorrectly installed could result in users sharing their most sensitive documents without their knowledge either. P2P programs are often designed to go undetected and will use sophisticated protocols as well as encryption and tunneling to create connections through firewalls. These design features make it difficult for network administrators to detect the usage of these programs which of course means that they're unable to stop them. These issues combined with the new P2P bill could spell trouble for organizations that do not have the proper security equipment in place. Companies that want to do business with the government will need to show they can identify and stop these programs from transferring files.

To do this they will need to use special P2P aware application controls such as the Astaro Flow Classifier (AFC) which is found in the Astaro Security Gateway. The AFC allows for the detection and classification of the protocols these programs use, and provides administrators the ability to block their usage and identify machines that have them installed. This new bill highlights the need for a flexible security solution that can be adjusted to meet the changing needs of business. Organizations of all sizes need the proper tools to not only provide security but also to remain compliant with new laws and standards. Bibliography Bain, B. (2009, November 18). Bill would make P2P software a no-no for fed systems.

Retrieved from Federal Computer Week: http://www.fcw.com/Articles/2009/11/18/Web-federal-P2P-ban-bill.aspx Moscaritolo, A. (2009, October 05). Army Special Forces document leaked on P2P network. Retrieved from SC Magazine: http://www.scmagazineus.com/army-special-forces-document-leaked-on-p2p-network/article/151309/

The regulatory framework that affects all financial institutions makes it essential that privacy is protected and that the security of network transactions can be demonstrated and verified. In the US FFIEC guidelines require online banks to have a minimum level of security, and many other countries around the world have similar guidelines in place. The fully integrated approach of the Astaro Security Gateway ensures single-point administrative control and accountability for network transactions an essential requirement for ensuring compliance with financial regulations No financial institution can afford to overlook network security.

As security breaches become more common, the public and to some extent the government has begun holding banks accountable for these breaches. Financial institutions need network protection, web filtering, and email security as well as Intrusion Prevention Protecting financial institution from external threats is crucial; however, financial organizations also need to protect themselves from internal breaches.

The majority of breaches originate from accidental downloads of malicious content by employees. Content filtering capabilities allow financial institutions to block access to websites with malicious content and prevent threats from being downloaded in the first place. If a computer on the network somehow becomes infected. Proactive notifications and quarantines of network traffic breaches and infections allow network administrators at financial institutions to react to breaches before infections spread to the entire organization.

If you suspect an infection (slow computing experience, "strange" network behavior, etc...), the first thing you should do is simply unplug any network connection. Then, scan the PC with your anti-malware scanner of choice. Once you are confident that you are not infected or that you have disinfected successfully, reintegrate the system onto the network. Of course, this doesn't work if you never suspect a system of infection. If this is the case, then you have to look at some proactive controls.

First, You will want to make sure that you have a tuned IPS/IDS on your network. The IPS system will alert you to any suspicious activity. Make sure that it is tuned, though, so that when you get an alert, you know that it is not likely to be a false positive. Then you can investigate any alerts that you receive and it will assist with bot hunting.

Second, you will want to ensure that your firewall is blocking outbound traffic that is not necessary to business continuity. Often, an administrator will assume that any outbound traffic is ok and makes a wide-open rule to allow all traffic to travel outbound. This is how command and control systems will update the zombie computers, so make sure that you aren't assuming too much about your outbound traffic.

Finally the ubiquitous security mantra, "update, update, update". An updated system does not give you extra security, per se, but it does reduce the attack vectors available to an attacker. A skilled attacker will likely have some experience in gaining access to systems that are up to date. However, the not-so-skilled will have a much more difficult time as they rely on previously disclosed and well understood security holes. If your system is up to date, the chances of a known security hole existing that a not-so-skilled attacker can use is very limited. Reduce the attacker pool and the likelihood that you will be attacked by updating.

Although they were happy with the Astaro's performance they decided it was better to test the Astaro against a competitor to ensure they had the right product for their network. "As a financial institution we can't take any chances with our security so although we felt the Astaro Security Gateway was effectively protecting our network we wanted to make sure," said Mike Thompson, Compliance Officer at Logansport Savings Bank.

When the test results came back it was apparent that the Astaro IPS was able to keep Logansport's network secure and that they had made the right chose when selecting the Astaro Security Gateway.

For more information about this test, please read the press release here: http://www.astaro.com/newsroom/press_releases/astaro_security_gateway_s_ips_successfully_blocks_attacks Or the case study here: http://www.astaro.com/references/case_studies

You can see the video here: http://www.tmcnet.com/tmc/videos/default.aspx?vid=1723

You can download the podcast here: http://www.astaro.com/content/download/6774/59877/file/Astaro-Podcast-Essential-Firewall.mp3

Last year sales spiked 15% on Cyber Monday and Forrester predicts that despite the poor economy and less shopping going on in general that online shopping will increase by 8% this year on Cyber Monday. Declare November 30th a holiday! No, that won't help anything as this will only move Cyber Monday to Cyber Tuesday. One reason employees wait until the Monday after Thanksgiving to shop online is precisely because they are at work.

They are sitting in front of a computer with high speed Internet access. The temptation is just too great. So it may seem like there is nothing your organization can do to plug the productivity drain from online shopping that will begin on November 30th and go all the way until December 24th at midnight - but there is something these organizations can do. If the company already has security products in place the first thing you should do is to reexamine the company's content filtering rules. Make sure retail sites such as Amazon.com and other popular Cyber Monday websites are blocked so access to these sites is prohibited.

This will be an unpopular move as many people are probably planning on shopping on Monday, but who is going to complain - to do so would admit you weren't planning on working much today. However, it may be a good idea to allow some online shopping to avoid an all out mutiny. Some content filtering tools (like tools from Astaro) allow you to create time based filtering rules.

Not only can you block inappropriate sites all the time, but you can select blocks of time (ex: lunch time, first thing in the morning, after hours etc.) where select sites such as shopping sites can be accessed. Providing some time where these sites are available will create good will with your employees while protecting your organization's productivity during the weeks before the holidays.

Botnet is the term used for a group of malicious software that runs autonomously and automatically. Infected machines create a network of zombie computers that can be controlled by the botnet creator, or bot-maker. These bot-makers use the zombie machines to infect additional computers and take advantage of vulnerabilities in other networks. They often sell the rights to this "dark cloud" of zombie computers to cyber-criminals who then steel personal information from individual users or customer data from business networks.

How to avoid a botnet
The best way to avoid accidentally downloading malicious content on your network is to have a properly configured firewall and spam-blocking technologies. Another technique would be to remember to never download anything if you don't know what the source is - especially if you received a file or item in your email. Spam is the most common way for viruses to spread. We cannot completely stop the spread and creation of botnets - it is too profitable a business - but we can protect our networks with strong network security tools.

Word processing tools, accounting software, payroll software and security software are all necessary to operating a successful business. Many small businesses chose to use software or tools designed for home users in place of enterprise technologies in order to save money. They use excel spreadsheets to keep track of their bills or instead of using payroll software they simply write checks and keep track of their finances using a basic spreadsheet. This can be a dangerous practice. As a business starts to grow it becomes more and more difficult to keep track of their finances using a basic spreadsheet and it becomes necessary for these organizations to upgrade from the technology meant for home use.

Nowhere is this truer than with security products. A company may be able to get by with an excel sheet for their accounting, but simple virus scanners and security solutions meant for home use will not protect a business network properly. Business networks may not be any more vulnerable than home networks because hackers tend not to target specific networks (instead they create botnets or viruses that look for any vulnerability and take advantage of it). However, business networks have more users and more to lose from a security breach than home networks.

If a home user has a security breach on their network they may lose some personal information or even have their computer become a botnet zombie. I don't want to minimize the damage this can do to an individual but they can avoid these mistakes by not clicking on links from unknown sources etc. Also, the only one hurt is the individual and hopefully their virus scanner will eventually notice the problem.

Businesses on the other hand can lose customer data and a breach can severely hurt the organization's reputation, possibly forever. Also, they organization has more users on the network so the odds of an individual visiting a site with malware or accidently downloading malware are greater. Business networks need business level security. Virus scanners are not enough. These organizations need strong firewalls, content filtering capabilities and more.

The Essential Firewall edition includes basic, yet critical functionality that all organizations need to secure their networks and operate a successful business.

Features included in the Essential Firewall edition:

• Networking: Internet Router, Bridging, DNS server & proxy, DynDNS, DHCP server & relay, NTP support, automatic QoS
• Network Security: Stateful Packet Inspection Firewall & Network Address translation (DNAT/SNAT/Masquerading)
• Remote Access: PPTP and L2TP over IPSec support (including iPhone support)
• Logging/Reporting: Full logging on local hard drive, searching, real-time reports for hardware, network usage and network security, daily executive reports
• Management: Web-based GUI in local languages, setup wizard, configuration backup & restore, administrator notifications, SNMP support, centralized management via Astaro Command Center (also free of charge)

Astaro offers the Astaro Security Gateway Essential Firewall edition as an easy-to-install download:

• Software Appliance: www.astaro.com/en/essential_firewall
• Virtual Appliance: www.astaro.com/en/essential_firewall_vmware

For more information on this offering you can read the press release here: http://www.astaro.com/newsroom/press_releases/astaro_offers_free_edition_to_help_secure_business_networks

Depending on the type of technology, the organization may be able to get by without these tools, but there are technologies that no organization can do without. Because of the prevalence of viruses, botnets, Trojans and other Internet threats, networks security solutions are one of these essential business tools. Given that most network security breaches originate from employees' actions and most internal breaches are accidental it is logical to say that companies must have security solutions in place to combat the accident breaches.

Accidental or not, security breaches can do serious and sometimes irreparable damage to an organization's reputation, productivity and most importantly their bottom line. Security breaches at smaller organizations may not receive the same media attention as breaches at larger well known companies but they can still damage an organization's reputation. Many times it is necessary to send notices to your customers or clients that a breach has occurred and that their personal information was compromised.

Offering credit monitoring services or new account numbers only marginally mitigates the damage this can do to your organization's reputation. Smaller organizations are already perceived as less secure than their larger counterparts and news of a breach will only reinforce this perception causing some customers or clients to leave and possibly influencing the decisions of potential customers. Each time a virus or other infection makes its way onto your organization's network it saps productivity.

Employees must wait while individual computers are "cleaned" and IT administrators have to spend time disinfecting the machines instead of doing more productive, revenue generating activities. The risk of a network security breach can be minimized by implementing basic security functions, yet many small to medium sized businesses can't implement businesses level protection on their network. So, they either implement nothing or implement products meant to protect individual computers.

These consumer products are effective at protecting a home computer but cannot realistically secure an entire network. Small and medium sized organizations should begin to take a hard look at how they are protecting their networks and ask themselves if there is a better way. It may be tempting to save a few dollars upfront, but the overall cost of leaving their networks vulnerable will greatly outweigh these savings.

The RFG states that creditors and health care practices that hold "covered accounts" must detect and identify warning signs (or red flags) of identity theft. There have been regulations in place since 2003, but the US House of Representatives recently passed a new bill that amends the original law (H.R. 3763). This amendment will go into effect on November 1, 2009. The largest change to the rules is that exemptions have been put in place for some small organizations:

(A) a health care practice with 20 or fewer employees
(B) an accounting practice with 20 or fewer employees
(C) a legal practice with 20 or fewer employees
(D) any other business, if the Commission determines, following an application for exclusion by such business, that such business
i. knows all of its customers or clients individually
ii. only performs services in or around the residences of its customers; or
iii. has not experienced incidents of identity theft and identity theft is rare for businesses of that type.

This has huge implications on small firms. First, Small firms no longer have to shoulder the same burdens that larger firms do. This will allow your business to stay flexible and focus on growing. Small firms' owners should be ecstatic about this legislation as it will make any small firm much more competitive.

There is one key point that managers of the exempted organizations should keep in mind. If you don't take some initiative to ensure data privacy of customers, consumers will notice and choose a bigger business that is forced to do so. You may or may not be able to bring in business with claims of "just as secure as the big guys", but if you have one data leakage incident, you can't recover as easily as the big guys, if at all. Small businesses that are exempt should still hire a competent security expert to enter the business and give advice on the different options that are available.

Using a UTM with robust logging and reporting can handle the majority of the task and will still keep you competitive. Picking and choosing different parts of the UTM will also work. Take the time to fully understand the challenges that are unique to your business. Then make decisions accordingly. Your customers will thank you with more business.

More reading on the subject of Red Flag Guidelines:

• http://www.govtrack.us/congress/billtext.xpd?bill=h111-3763
• http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt050.shtm
• https://www.hitrustcentral.net/blogs/ht/archive/2009/10/23/house-passes-bill-for-small-business-red-flags-exemption.aspx

Cyber-criminals are looking to infect as many machines as possible because this is how they create profit. It only makes sense that they would create viruses and other malware specifically designed for the Windows operating system. There are more Windows users, so there are more potential cyber-victims and more profit to be made out of attacking Windows users. But that tide seems to be shifting.

Depending on what source you read, Apple's market share has begun to grow. At the beginning of the year it was reported that Apple's market share was growing while Window's was declining and that Apple then had 9.93% of the market. More recently Net Applications, a company that tracks operating system and market share by looking at results from search engines reports that Apple's market share is now closer to 4.87%.

Either way, it is clear that Macs are gaining in popularity, and as their market share grows so will the number of attacks created for Apple's operating system. Already there are reports of hackers paying for hijacked Macs and one has to ask themselves why? We've already discussed why spam is so dangerous, and in this post my colleague Angelo explained that spammers (like all hackers) are playing a numbers game. Spammers know that only 1% of their messages will be opened and they will only be able to infect 1% of the people they send emails to. So to infect as many machines as possible they send out millions of messages knowing that if they send out a million messages with viruses they will infect approximately 10,000 systems.

These systems could then be exploited to gain access to personal information (including financial information) and spread the infection maximizing the criminal's profit. In the past it made sense to create viruses specifically designed to infect PCs because the majority of computers ran on Windows. Spammers, and cyber-criminals read the trends too, they know that Macs are becoming more popular. Not only that, I theorize that because Macs haven't suffered from the same onslaught of viruses and other malware that PCs have, Mac users aren't as vigilant at PC users and do not update their virus software as often. Also, demographics come into play. Macs tend to attract older and younger computer users because they are seen as hip or easier to use. These same demographics are more likely to be careless about network and Internet security.

I believe cyber-criminals are aware of this and are starting to create malicious programs targeted at Macs. If they are able to infect one Mac on a college campus (and the college doesn't have good network security technology in place that will quarantine an infection or block it all together), then there is a good chance the infection will spread. If Mac's popularity continues to rise we will see more and more viruses designed to infect Apple's operating system. Eventually, the lack of viruses will no longer be a differentiator for Apple.

WindowSecurity.com is the leading Windows Security resource site and bases its award solely on visitor's votes.

For more information you can read the press release here.

More information regarding their use of the Astaro Security Gateway can be found here and here.

By stealing information and cloning cards with it they drive a massive fraud machine that easily enters the billions of dollars each year. What used to be an exercise in if or how a botnet or worm could be created to steal data and grab the types of information they need, is now a dedicated business which evolves with new techniques and methods almost daily. Make no mistake; botnets are designed to make money, nothing more.

It's no longer about causing someone online-pain or hitting back a company, it's about getting the information they need to conduct their operations and turn a profit. Many of the comments left by readers indicated they feel it is people acting irresponsibly or to use their words, "as morons" which cause the breaches to be successful in the first place. While educating employees is a crucial part of keeping an organization's network secure, I don't believe it is employee negligence which is to blame for the success of this underground economy. This type of breach goes way beyond an individuals or consumers ability to solve - it goes to the core of technology, the way information is stored and what is done to secure cardholder data in the first place. Every credit card company has a fraud and identity theft department. These departments were created to help individuals who are victims of identity theft. Often these victims had their card lost or stolen, or their information was stolen by an individual who wasn't working on a mass scale.

These departments are exactly what victims of this type of identity theft require, but these departments are ill-equipped to handle the theft of thousands or even millions of credit card numbers from a single breach. To add to the complexity, the breaches rarely if ever occur at the credit card company's network. Instead, the cyber-criminals are able to hack the retailer or other vendor to steal the credit card numbers of their customers. So what do we do? Technologies such as the chip-pin technology coming out that seeks to apply an entry code when you use your credit card at a store may protect individuals have this card (unless of course they are shopping online but that is a different post all together) who but they do little to deter hackers.

On the type of scale that hackers are acquiring card numbers even if 10% of all the card numbers they obtain are unusable it is a small enough to deter the criminal efforts as they will still have millions of numbers at their disposal which can be used. PCI regulations are a step in the right direction for protecting small and medium sized business. Though it is slightly generalized, the updates and refinements to specifications and requirements will help to make this type of activity harder. While PCI and other regulations may help SMBs design more secure networks one other solutions for stopping breaches were mass amounts of customer data is stolen would be to centralize and consolidate information. Currently, vendors, often times small to medium sized businesses who traditionally do not have the resources to secure their networks as well as larger enterprises (like credit card companies), are required to save customer data for seven years.

This is where cyber-criminals obtain the credit card information - from the vendors. Instead of requiring the companies to save this information on their individual networks it may be more advantageous for all involved if the information was only stored at the credit card company. Credit card companies already collect and save this information, making vendors' information redundant. If we remove this redundancy we could make it more difficult for hackers to get this data. This approach would absolve vendors from having to hold all this data, but also avoid having to police them all individually with regulations ensuring it is done correctly. Since hackers are targeting the vendors not the credit card companies just think of how many breaches can be avoided if this method was in place. Some may argue that the cyber-criminals will shift their tactics and dedicate their time hacking the credit card companies' networks - and they may be right. But this goes against how hackers work in the first place.

They do not target individual companies, instead they create programs that look for any network weakness and then exploit it, regardless of network size or the value of information available. They can always use the small network they hacked to get into a larger network eventually. However, the lure of millions of credit card numbers and the potential profit they could make may result in a complete paradigm shift when it comes to cyber-crime. That is why all networks (small and large) should use network security technologies to make it more difficult (and in many cases) impossible to access the network through botnets, viruses, worms, spyware or other malicious code.

The new version of the Unified Threat Management product includes several enhancements such as an improved Intrusion Protection Engine, multicast support, and real-time bandwidth monitoring capabilities.

Many of the new features included in this new version were included in the release due to user feedback on Astaro's new Feature request site. More details about the new version can be found in the press release.

People also tend to make their passwords as short as allowed (4-6 characters). While this makes their passwords easy to remember it also makes them easy to figure out or hack. Instead of using a single word such as "Astaro01" for example some people believe they are clever and add a symbol into the mix making the password "Ast@ro01". This fools no one, and programs designed to figure out passwords are aware of this "technique". One suggestion for creating easy to remember yet hard to crack pass words is instead of using a single word, try using a short memorable phrase, for example you could use "the ASG 425 is a great Security product". This is a great example because (not only is it true) it has both letters and numbers, capital letters and lower case letters and is easy to remember. Some accounts will not allow you to use this many characters to create a password. In these cases use the first letter of each word so our example would become: "tA4iagsp". This method becomes even more effective if you then select a random symbol to replace a specific letter.

Some common examples are @=a or $=s but try using symbols that are not similar to the letter. So for example #=S making our password "tA4iag#p". Because this combination of letters and numbers seemingly stands for nothing, it is as effective as typing in a completely random combination of characters, but has the added benefit of being easier to remember. This makes the password essentially not possible to crack with a dictionary attack and brute force attacks will need to try for a long time when at least one numeric, alphabetic, one capital alphabetic and "special" character are used. And remember, the more characters you have, the more resilient the password is to brute force. You can also try another technique, called the offset technique. First, take a normal password that's easy to remember, say "Password1!". Normally this password is definitely not to be used. However, with the offset technique you can "offset by 1 left" or "1 up-left" or any other value you can think of.

For "1 left" you would take "Password1!" and shift one key on the keyboard to the left - for keys that don't have another functional key in the offset spot, just use the same key as the original password or wrap to the other side of the keyboard. "Password1!" becomes "Oaaaqies`~" if you use the same key for "a" or "P'aaqies`~" with wrapping. Just remember to check that the password you use has at least 1 of each type of character. These are just a few simple steps that can make your accounts and thus your personal and employer's network more secure. Of course, using a more effective password will not matter if you have spyware on your computer that logs key strokes.

This is why, despite your every effort to have effective passwords and to lock your computer, businesses must also have effective firewall, content filtering and other security products in place. This is just one method for creating effective passwords. Does anyone else have any suggestions for creating effective passwords?

Properly designing and maintaining a network to guard against these attacks can be a challenge to even the most seasoned admin. Fortunately there are some excellent network security appliances that are now available for even the smallest organization so that complete protection can be attained at the network perimeter. Newer 'all in one' appliances combine all the necessary protections into one device which can simplify administration and even reduce costs. One thing that all these sophisticated systems are unable to fully address though are employee actions. Internal users are responsible for many of the security breaches that organizations encounter these days and the results can sometimes be quite damaging. Some of these breaches are intentional but many are the result of well meaning employees who are unaware of the results of their actions.

Intentional or not the results can be devastating to an organization and can result in both financial losses and damage to reputations. Many of these issues are a consequence of employees not knowing that their actions may result in serious violations to the company security policy. A common example is an employee that Emails Company documents to a home computer so that they can get extra work done at night. Though they may have meant well this action could result in sensitive data being leaked and many times a copy will be left on the personal computer. This action could also result in malware attaching itself to the file or document and once brought back into the organization could result in a companywide outbreak.

Many security breaches are also the result of social networking scams where users are tricked into giving out sensitive data such as passwords which allow hackers to gain access to resources. Perpetrators of social networking scams often try to gain as much information on a target as possible and with the rise in social network sites this information is often readily available. Four out of Five adults with Internet access use social networks sites such as: Facebook, Twitter and MySpace while at work. Along with purely recreational sites there are also business oriented social networking sites such as LinkedIn.com which allow professionals to keep in touch with colleagues and develop professional networks. The very high volumes of traffic that these sites generate make them attractive to advertisers but also to phishers, SPAM'ers and malware providers.

The recent high profile attacks on Twitter and Facebook caused some businesses to reconsider whether or not they should allow employees to visit these sites while at work due to the risk of malware infection. Products that offer content filtering tools will allow businesses to block purely recreational sites such as facebook and myspace which will help guard against problems on those sites, but blocking these sites will not completely protect companies against malicious attacks since many times they're disguised as something else.

Similarly, technologies that offer Intrusion Prevention, Denial of Service protection, HTTPS scanning and other security functions are a giant leap toward protecting networks but will not entirely secure your network if the attacks are coming from within. Even with the most sophisticated network security products in place organizations are at greater risk unless they educate their employees on proper Internet usage and how to recognize the signs of a possible issue. Since most internal breaches are accidental it leads one to question whether or not individual common sense security practices are as common as we thought. Either employees are not aware of threats and how to avoid them or they believe their actions will not cause a breach. Perhaps powerful network security products have lulled them into believing their networks are impenetrable, but this is not entirely true.

Take, for example, the case of US Banking institutions being subject to phishing attempts via snail mail. It doesn't matter how powerful the banks' firewalls are or how effective their IPS are, if an employee inserts the CD into the CD-ROM then the network is infected. Employees at all banks (and for that matter all institutions) should be educated about this type of threat. Now that even trusted sites are hosts to malicious content it is even more important for organizations to educate their employees on safe Internet usage practices. Regular training sessions that highlight best practices are one way that organizations can help educate their employees. Having employees read and be aware of the organizations security policies can also be effective in highlighting computer do's and don'ts. Reviewing and updating these policies on a regular basis will also help to ensure that as new threats arise that the organization is aware and protected.

While none of these measures alone will completely eliminate threats they can help mitigate security risks if combined with the proper security equipment and a watchful network administrator.

First, read the regulation. All of it. Print it out if you need to or copy it into a form which is easy to mark up- and make notes and questions. Then read it again and polish your notes. After you have seen the requirements yourself and have your own highlighted and annotated copy it is safe to widen your scope. If the regulatory body has provided supporting documents read, highlight and makes notes on them. Note where the supporting materials clarify or contradict the regulations.

Only when you have reviewed the "official" documents yourself is it safe to start listening to the "experts". When you start dealing with consultants and contractors remember that they may come and go but the actual responsibility stays with your organization. If you spend money on your compliance project make sure you spend it wisely. If you disagree with a consultant or don't understand what they are doing (or why they're doing it) ask them. If a vendor makes a questionable claim make them explain themselves. (The phrase "automate compliance" is one which always deserves a challenge).

There is another step to take before you really dig into meeting the regulations; look at projects in the planning or early deployment stages which may be impacted by the regulations and determine if they need to me modified before going live. It is always easier to get things right the first time, and projects on the drawing board are a lot easier to tune than those already in production. You may be able to get a victory or two under your belt with little pain and expense. These are basic and generic suggestions but they can be valuable as you begin almost any compliance project.

Today Astaro announced the appointment of a new Senior Vice President of Worldwide Sales and Marketing. Günter Junk, who will be based in Germany, will be responsible for Astaro's worldwide sales and marketing strategy as a globally operating vendor for UTM solutions. Günter Junk comes to Astaro from Swyx Solutions AG where he served as the CEO.

During his leadership Swyx was able to become a market leader for IP telephony in Europe. Prior to his tenure at Swyx, Mr. Junk developed the German sales organization at Cisco Systems and was ultimately responsible for all European operations as Vice President of the region.

For more information on this exciting new appointment please read the press release. For a photo and the biography of Günter Junk, please visit: http://www.astaro.com/newsroom/press_kit.

Here regulations may help specify, but there is much more information to protect in your environment than what is required- certainly confidential patient data and customer financial records must be protected; and not just because HIPAA or PCI DSS require it. Your organization may also have trade secrets, marketing campaigns, merger plans or other information which should be protected regardless of regulatory imperatives. A basic rule of protection is that you must know what you have and where it is before you can protect it. It doesn't matter if you need to defend jewelry from theft or credit card numbers from loss, you have to know where they are before you can protect them- so identifying the information you must protect is a logical first step towards both security and compliance.

The information to be secured will vary by organization and change over time and therefore will require a flexible and versatile identification method. One effective approach is to start by asking three questions about the information to be protected:

• How does the information enter the environment? - Identify every point of entry for the information. Include the origins of internally created information.
• Where is the information stored and accessed internally? Not simply where it is stored but also where it is used
• How does the information leave your organization? Map every egress point including submissions to any outside organizations.

Now for the truly informative step: connect the dots. Map all of those entry and creation points to the storage and use points and then to the egress points. You will likely discover paths and storage locations previously overlooked.

You may even need to go back and re-answer the three questions armed with your new insights. With this exercise complete you can begin to build a plan for both securing the information and meeting your compliance goals. Streamlining the information flow and reducing the number of storage points would be a valuable next step. This will reduce your exposure and simplify future security and compliance tasks.

With this foundation you should be better prepared for your next steps towards both security and compliance.

This post is the first in a series of posts detailing some basic security techniques for keeping your network, your identity and your computer safe. Among these measures include locking your computer when you leave your work station. Many people forget to lock their desktop when they leave their desk, e.g. for a meeting. At smaller organizations where you know most if not all of your co-workers an open desktop might not seem like a threat. However I have heard plenty of stories of people not locking their computer, only to return and find they sent an email offering to purchase coffee for everyone in the office. While this example is rather harmless (and somewhat comical) it demonstrates how vulnerable we leave ourselves when we do not lock (or shut off) our computers. Anyone can access any information you have on your computer.

If you work in an industry with regulations about privacy (such as a hospital or financial institution) of if you possess sensitive information on our hard drive (revenue information, company information that is not yet public) leaving your computer unlocked could cause you to lose your job, tarnish your employer's reputation, require your employer to make monetary reparations (if customer data is stolen) and may even cause a legal battle. As another extreme, someone who has ill will towards your employer could even spread a virus or spyware on your computer and then it would appear as if the malware came from you! Locking your computer is a simple step toward protecting yourself and protecting your company's network. Perhaps the worst thing that would ever happen is you offer to buy lunch for your entire office, but why chance it?

Get into the habit of locking your computer whenever you leave it for more than five minutes and if you forget the computer on a train or someone steals it you at least made it a little more difficult for someone to access your computer. Most operating systems allow you to establish setting that will automatically lock your desktop after the computer is inactive for a certain amount of time. Taking advantage of this setting will ensure your computer is locked even if you forget.

The standard is currently 72 pages, not a quick read- and that may be part of the problem; an amazing number of people like to argue about it without ever actually reading the beast. I believe the root problem is that many people confuse being compliant with being secure. While they may be complimentary goals, compliance and security are very different. Being compliant with a "security" standard or regulation does not make you secure, and I believe it is approaching the problem from the wrong direction- focusing your efforts on being secure, then aligning with your compliance requirements will result in a more secure, sustainable, and affordable environment. Even people who should know better have been confused by this; recently Heartland CEO Robert Carr said in an interview with CSO Online that he believed PCI compliance meant that Heartland was "secure".

We all learned that Heartland wasn't secure when they suffered the "Largest Data Breach Ever". The reactions to Mr. Carr's comments were strong and swift, Rich Mogull and Mike Rothman were among the many people who took exception to Mr. Carr's statements about compliance and security- but the controversy Mr. Carr's comments sparked only serves to highlight the problem. Part of the confusion comes from the different security postures of organizations before they begin their compliance programs. For a company with poor security and a lack of organizational awareness of security standards, becoming PCI- (or whatever) - compliant can introduce many positive changes and dramatically improve the overall security of the organization.

On the other hand, if an organization already has a well established and effective security posture, becoming compliant should be fairly easy, BUT, it could result in losing focus on security as attention shifts to compliance. Worse still, if an organization has done a thorough risk assessment and focused their efforts accordingly, some regulations may require them to divert resources to addressing requirements that are not aligned with actual risk to the organization, effectively reducing their security.

Another problem with compliance is that while most security professionals understand that the standards define the minimum security standard, many outside of the field believe that compliance is all that you need to do to be secure- thus confusing a security baseline with a finish line. In the absence of standards and regulations it is often easier to grasp that security is a process, not something you "are" or "aren't", and should be tailored to fit the situation. Unfortunately, it is also common for organizations to neglect security unless they are required to comply with some regulations or laws.

Finally, complaining about PCI, HIPAA, or any other regulation doesn't change the fact that we need to comply. Go ahead and work to change the laws or regulations you find onerous- but complaining is no substitute for an ongoing assessment of your environment, securing it as appropriate, and mapping your security posture to meet compliance requirements.

Today, Astaro announced that it will soon offer a Free Business Firewall for VMware to all organizations with virtual environments. The Free VMware Firewall will protect networks from external threats as well as control and monitor communications between virtual machines. The Free Business Firewall for VMware offers the base functionality of the Astaro Security Gateway virtual appliance using a special license key.

The free VMware firewall includes the same functionalities and performance as VMware's vShield Zones, however it is free and offer s the possibility to add additional security features. Astaro is offering the free VMware firewall to fill the gap left by VMware in their free virtualization tool.

This tool, used by many small and medium sized businesses, allows these organizations to create virtual environments but does not offer security functionality. Only the larger virtualization tools offered by VMware include these security features and these installations are often oversized for a small or medium sized business whose virtualization needs are met by the smaller installations. For more information about Astaro's Free Firewall read the press release here.

To register for an e-mail reminder once the Free Business Firewall for VMware is available and for a 30 day free trial of the Astaro Security Gateway Virtual Appliance visit: http://www.astaro.com/en/free_business_firewall_vmware

Astaro's Regina Grieco was named one of Everything Channel's CRN Magazine Top 100 Women in the Channel. This award honors women in the channel who were able to achieve great results as executives and the amount of influence they wield over the technology channel. The Top 100 Women in the Channel represent a changing trend in a traditionally all male industry. Astaro's Regina Grieco was named one of Everything Channel's CRN Magazine Top 100 Women in the Channel.

This award honors women in the channel who were able to achieve great results as executives and the amount of influence they wield over the technology channel. The Top 100 Women in the Channel represent a changing trend in a traditionally all male industry.

For more information on this award and about Regina Grieco read the article here or read the press release.

However, one reason why users are hesitant to virtualize their production servers is the lack of network security in such an environment. By using physical servers you can place dedicated firewalls between the servers and/or the Internet for protection. This has not yet been possible in virtual environments. VMware addressed this need in their new vSphere product by adding "vShield Zones", an integrated, statefull firewall which solves basic network security needs. But this offering has two problems:

First, it is only available in the upper, more expensive vSphere editions, which leaves SMB customers that can only afford the entry editions in the dark. Second, trying to address state of the art malware and attacks with this is like trying to use chainmail to protect police offers in their fight against modern gangs with advanced automatic guns. Basic protection does not withstand modern attacks. In order to protect your IT infrastructure, physical or virtual, you need state of the art enterprise security products to detect and neutralize modern malware, botnets and other attacks.

Besides a statefull firewall, which is a good start, you need a proven Intrusion Prevention system (IPS) as well as malware and reputation filters to protect the common attack vectors of web surfing and email reading - this includes encrypted ones. Especially small and medium sized businesses need an affordable, easy to use yet complete security solution which is able to run within a virtual environment.

As usual, the show lined up some very knowledgeable people, but as the term cloud computing is a bit vague and has had more definitions than Merriam's can keep track of, the conversation could have gone in several different directions. I thought that it would be useful to call. Have a listen at their site: http://www.onpointradio.org/2009/08/from-desktop-to-the-digital-cloud. One of the common thoughts about cloud offerings is that "anything accessible over the internet can be called 'cloud'." This line of thought leads to the belief that you need to hand your information to a third party. While there are some very popular offerings that use this method, it is not entirely true.

There is a way to keep an eye on your data while still reaping the benefits of the cloud computing architecture. This is the essence of public cloud vs. private cloud. Cloud Computing is really a "new" architecture for computing in general (new in quotes, because it's "new" like bellbottoms were "new" in the 90s [link: http://en.wikipedia.org/wiki/Centralized_computing] ). Computation is moved to the server, rather than on the client. Often this means that a user will now use a browser to input into a server's processing and get output from the server (instead of entering input into a local application and getting output directly). In terms of security, there are some immediate concerns. First, who handles the information? In terms of public cloud architectures, the vendors will take control of your information.

This opens several legal issues that I should not be considered an authority on, but suffice it to say that the vendor is now legally responsible for your data and can disclose it to authorities under certain circumstances. Also, you must trust their security methods because if they have a breach, you are affected. The private cloud, however, means that you keep control of your information's chain of custody. This is a great benefit for organizations with highly confidential information and highly competent security personnel such as hospitals and financial institutions. Another interesting security topic is that you create a smaller, but more inviting target - but also, you create a smaller footprint to defend. With private cloud, you have one (or a small amount of) server(s) that hold all of your applications and data and are all centrally located. This means that if one system is compromised, there is a lot more damage that can be done to disrupt operations.

With the current model, an administrator has to keep track of a multitude of information on disparate machines on various network segments. If one host was compromised it is a limited disruption, but the entire operation would not grind to a halt. This may seem that there is a security drawback to private cloud but instead you can now focus your efforts on a smaller amount of infrastructure, making it more difficult to compromise a central system, increasing security of your key infrastructure. In my mind, both architectures have their merits and there can be gains if done correctly on both sides. In my opinion, there is no "one size fits all" solution.

Organizations need to find an architecture that suits their needs. As long as all topology chosen is implemented properly and securely then maybe someday we can completely secure the Internet. Isn't that why we are so passionate about security?

The service started only a few years ago and since then its usage has exploded partly due to its high profile involvement in such recent events as the Iranian presidential election protests. During this incident detailed, on the ground information was limited due to governmental control which disrupted efforts to contact the outside world. Protesters were able to use Twitter though to broadcast real time details on what was happening to the world at large.

These simple concise messages by people experiencing oppression and violence at the hands of their government were seen in real time by millions of people worldwide. The Iranian government was unable to control the flow of information which proved to be a strong message for proponents of free ideas, and showed how emerging technologies and ideas can be effective tools in the fight against censorship.

Why would someone want to hit Twitter with a denial of service attack? Such a dramatic display has given Twitter a very high profile which makes it an attractive target for those wishing to prove their skills in the world of spam proliferation and cracking. Spam is increasingly tied to guerilla marketing campaigns and organized crime which employ 'bot-herders' to deliver their messages via mass marketed spam messages. The bot program allows the bot-herder to control the machine whenever they wish without the owners' consent. Bot-herders can then sell the services of their zombie army to those wishing to send out large amounts of spam, or it could be used to launch a denial of service attack on a target such as a rival businesses website.

Successfully launching such an attack on a service such as Twitter can give someone instant credibility and may help attract new business opportunities. Most people would probably assume that a company such as twitter is well protected against all known internet attacks but that may not be the case. Internet security requires protection on many different fronts, and due to the constantly evolving methods of attack your tools must be able to adapt to the new threats which will inevitably arise. The Internet and new applications such as Twitter remind us how difficult it is has become to control information and to protect organizations against malicious intents.

This service will help network administrators understand how well their current security products are working, improving network security and employee productivity. The silent business audit and forensic analysis will accomplish this by sitting behind an organization's normal firewall and monitoring spam, malware and Internet usage trends to determine what is getting by the firewall and spam filters.

At the end of the 14 day audit period Astaro will provide the organization with a report detailing what malware passed through the firewall. As an added bonus, the appliance will also block the transfer of any malware and spyware that makes it passed the normal web filter to avoid the spread of infections. To register for a silent business audit and forensic analysis click here.

Astaro Security Gateway, Astaro Mail Gateway and Astaro Web Gateway have all been certified as VMware Ready, and Astaro is the only Unified Threat Management provider to have submitted to and passed VMware Ready validation. For more information, check out the press release here.

On this new site our partners and customers can make suggestions for improvements or request totally new functionality. Not only can visitors make their own suggestions - they can vote on the suggestions of others, giving us a better understanding of the popularity or urgency of specific network security needs.

We will be using the insight gained from this site to plan future product updates and releases. We've always taken the suggestions of our partners and customers into account when planning future enhancements to our products - we know they have the best insight into what they need for web security but this new site gives them formal channel for making suggestions.

I'm excited to read the suggestions we receive and I look forward to learning more about what our customers and partners want.

Network based mitigation:

• Install IDS/IPS with the ability to track floods (such as SYN, ICMP etc.)
• Install a firewall that has the ability to drop packets rather than have them reach the internal server. The nature of a web server is such that you will allow HTTP to the server from the Internet. You will need to monitor your server to know where to block traffic.
• Have contact numbers for your ISP's Emergency Management Team (or Response team, or the team that is able to respond to such an event). You will need to contact them in order to prevent the attack from reaching your network's perimeter in the first place.

Host based mitigation:

• Ensure that HTTP open sessions time out at a reasonable time. When under attack, you will want to reduce this number.
• Ensure that TCP also time out at a reasonable time.
• Install a host-based firewall to prevent HTTP threads from spawning for attack packets

Proactive measures:
For those with the know-how, it would be possible to "fight back" with programs that can neutralize the threat. This method is used mostly by networks that are under constant attack such as government sites.

Spam rarely ends up in my own inbox due to the effectiveness of the blocking solution I use, (I use a solution from Astaro) but many of the people I speak with daily communicate that in an inbox with 50 messages, 45 or more can easily be spam on a given day.

How obnoxious is it to go through all of your email and delete meaningless message after meaningless message. You have to wonder what these spammers are thinking - they must know that 99% of their messages are going to be deleted or blocked - and what are they trying to sell by randomly emailing people? Well, first of all they don't care that 99% of their emails will be deleted or blocked. Because they send out tens of millions of spam messages at a time if only 1% of the emails get through and accomplishes its goal they consider the distribution a success. That is why spammers use topics currently in the news (like the Swine Flu) to grab the attention of the few people who don't have a spam blocker already in place.

So, what can you do to stop these annoying, and potentially harmful messages from getting into your inbox? Email filtering is just the beginning. Email filtering will only work as a spam blocker if you are indentifying spam properly, and using the right technology for your organization. Astaro published a white paper describing the dangers of spam and effective anti-spam technologies and techniques. To read this white paper visit The Hidden Dangers of Spam.

One of the hot-button issues facing the country today is healthcare reform. President Obama has identified widespread electronic medical records as a major benchmark towards achieving the goal of affordable health coverage for all. Scott Kirsner did an excellent job describing some of the technologies Massachusetts companies are creating that will make universal electronic health records possible in his article State helping to shape US efforts to digitize health records for all.

The article neglected to examine the network security concerns of such a system. One may say "Moving medical records online will mean less privacy for everybody." In reality less privacy is not an issue if proper security is in place. Therefore, moving medical records to electronic storage will increase the need to secure networks. The truth is that records are no less secure when stored electronically, as long as the network is secure. In fact, there are gains in privacy. The biggest risk involved is that making all records electronic does allow a person to attempt to gather information remotely by compromising a network. As long as medical facilities deploy network security technologies and maintain them, this should not be a widespread problem.

With paper records, someone who wanted to steal medical information can be successful, but would need to get a hold of a physical copy of the record. This means that an attacker would need to take a risk and go to the location of the records storage. Paper records also pose a risk to patient privacy as medical staff bring records home with them so they can work outside of the hospital. Recently, an employee at a Boston hospital accidently left records on the "T". If the records were accessible electronically through a secure network connection, this wouldn't have happened.

Electronic medical record keeping also provides for a more secure data backup process. Hospitals using electronic records will need redundant hard drives, servers, data storage and other important infrastructure to ensure medical information is never lost. With all those backups, many fear that it will be easier to gain unauthorized access to patient information. In actuality, the electronic backups will be easier to secure than the current system of paper charts. Currently paper records are sent to storage vendors and the vendor's employees have access to the information in clear text.

The best security that you can provide without destroying the information is to send the charts in a locked receptacle. In an electronic system, data can be encrypted and stored at vendors' facilities without fear that the vendor will be able to read the data. This adds to the locked receptacle, because you can lock storage medium in a case, then if that case is compromised, you also have the data in an illegible form. You can also deploy hashing functions to ensure that no data is tampered with. To address one of the biggest fears, properly deployed medical networks will not send information in a manner that is easy for someone to simply capture. With electronic medical records, you will need to make sure that there is no path for the records to be sent over the open Internet. Instead records should be sent over secured VPN networks specifically designed to protect this information.

Nobody should have access to the network that does not need access. Congress has already acted to ensure that this guideline is followed, through the HIPAA and HITECH acts. However, these acts stop short of dictating the security standards and focus on the penalty for if a record is compromised. Creating an electronic medical records system will benefit the healthcare system in America in many ways, including increasing the security of medical records However, if the country is to move towards mandating electronic medical records, then congress should create additional acts creating security standards.

This is an interesting attack, particularly because it does not require a lot of bandwidth by the attacker. It is possible to DoS even large sites simply using a common residential Internet connection, and using Slowloris to eat-up the Web Server's ability to respond to other HTTP requests, by sending partial ones itself and thus holding the sockets open.

You can read more about this DoS technique here. While the approach is not new, the working implementation of it "for the masses" is starting to appear more commonly. As we have already received dozens of queries about how to stop this attack, we'd like to inform you that Astaro installations with current/updated Intrusion Protection Patterns will be protected against this, so neither admins nor their Web Servers need to fear. The ID for this new rule is #1000023, and is located in the HTTP Servers Group under the Apache category.

Some of the more startling statistics show that "For about $10, [a spammer] can send a million emails". Even if 2 people order a product that they are selling for $10, that's a 100% profit over the cost of the use of the botnet. Assuming the actual production of the product is cheap enough, that's a good margin

How are botnets so inexpensive, though? And, why are there so many available? If you look at Commtouch's Malware Outbreak Center you will notice that the vast majority of detected malware seems to be botnet downloaders. Gone are the times when malware consisted of cute "look what I can do" code we are now in the time of real revenue-generating malware. All a botnet "commander" needs to do is create the code, send it out and let it propagate through the Internet. Eventually, there will be enough zombie hosts to really make money.

The strategies in use now should provide a good-enough deterrent to spammers, but there are simply not enough people using current protections. So long as host-based malware detection is in use and network based protections such as IDS/IPS, malware scanning and firewalling are in use, then the amount of zombies on the internet will be reduced enough so that spamming will not be profitable. Then we can look at our in boxes with confidence. We haven't reached that point yet, because there just simply aren't enough people using adequate controls of network traffic.

According to Commtouch again, in the Western world, zombies are not as common as developing nations. Unfortunately for the Western world, we feel the effects of others' lack of controls. Judging from all of this information, all the world needs to do in order to stop spam is make sure we are using currently available controls for our networks. This will make spamming unprofitable and make spammers use their tricks for other means. Until that day, the back-and-forth between spam and anti-spam will continue.

While we were able to throw this site together over a weekend by using a lot of manpower and equipment it could have just as easily been done with a few decent virtual servers hosting the applications we needed. All applications including endpoints security could have been hosted virtually making design and deployment very simple. There most likely would have been significant cost savings on manpower, space, power, etc...

Though this is an extreme example it does show how virtual environments can be used for disaster recovery.

First, when using a VPN on an un-trusted hotspot, make sure that it is a "full tunnel" VPN. Split tunnels work well for connecting with trusted networks (like your home network). Unfortunately, if you are on an un-trusted hotspot, then there is no guarantee that there is security on that hotspot and an attacker can use your PC to get access to your internal network. Second, I would just like to point out that "Secure your home network" Is a huge point. Don't just take advantage of encryption, MAC filtering and other ubiquitous measures. Also, reduce the size of your network to the minimum that is necessary for the amount of expected systems. And change the default network. Choose something not common.

These steps may not be effective alone, but can certainly add to an overall secure environment. SIDENOTE: MAC filtering and other security features have been shown to be inadequate when a skilled attacker targets your network. There is still not reason *not* to use them. The key is to make your network harder to get into than the ones around you, make it difficult enough so that the attacker loses interest or make it harder than his skill level to crack.

An attacker will likely take the path of least resistance, after all. If your network proves to be difficult to hack, the hacker will move on. Third, disable your wireless antenna when not in use. Most laptops have a button or switch that disables the antenna so that it's easy to see that it is disabled. This is especially true on airplanes. There are many people that find it fun to browse others' PCs while on board a plane. Fourth, if you connect to an access point that you don't intend to connect with often, delete it from your automatic wireless network list.

This was shown to be a very large hole by HD Moore (with his "Evil eeePC"). Instructions here: http://technet.microsoft.com/en-us/library/cc778180(WS.10).aspx Last, never assume that you aren't compromised. The chance always exists. Monitor your systems regularly for irregularities.

It should just work." That is a very lofty goal and a loaded statement. In reality, Google is not too off base here. What it seems they are going to do is make a very small OS. The OS will really only be responsible for basic input and output and run a browser. This means that all of the security holes that go along with the "extras" of modern operating systems will not be a factor. This will have an impact on malware. It means that there won't be any holes in code that doesn't exist.

This will dramatically reduce the security footprint of the operating system. This is true. Generally speaking, when you develop something, it will have errors. The errors can be limited and if there are any vulnerabilities, they can be mitigated. However, if you develop software that is used to interact with other peoples projects, then the security is only as good as the weakest link. In Google's case, they may be developing a light-weight, hardened OS that only runs a browser (for use with Google docs and other web-based applications), but if you use the browser to view a page that is vulnerable then you are still just as insecure.

THE REAL DEAL
Here is a prediction. Google Chrome OS will set out to revolutionize the OS world. They will be successful overall in producing a shift in concepts, but not in the ways they intend on security. There will be exploits that take advantage of the basic input and output. Not only that, but there will be exploits that take advantage of cross-site malware, session hijacking and other browser-only tricks. For instance, Google intends that for productivity you will be using Google Docs.

What would happen if you browse a site that has a cross-site exploit that steals your Google Docs? That's just one thought. I also predict that there will be security updates. Any operating system has the distinct responsibility to be in charge of any input and output of the entire system. Anything that can subvert this is malware and must be dealt with. Any OS is vulnerable just by the nature of being an OS. The advantage to Google's approach is that any holes will be found quickly as there will be a much smaller footprint. Also, you will still need to install some third party drivers and such for input and output. Vulnerabilities can quickly show up here (and although Google can't be held responsible, neither can Microsoft and we all know how we act when something *seems* to be Microsoft's bug).

IF THE HYPE IS RIGHT
If Google is fully successful in securing their code and making an OS that depends on software that exists over a network then this means that Internet security will inherently be much more important. IPS offerings will be in charge of securing your documents rather than client-based AV protection. Security will shift along with the new thoughts on OS technology and application flow. This is an announcement that should live up to the hype, either way.

First of all, it is going to be important for you to be transparent and to quell fears that this is the first step towards an Orwellian world. Let people know you do not plan on being "big brother" and that you in no way plan to censor or shut down the Internet. This might sound silly, but there are some that see the creation of a cyber czar and the potential passing of the CyberSecurity Act of 2009 as a step towards a government run web. Second, take a good hard look at our infrastructure and figure out just how much of it is dependent on the web.

Then determine which networks are the most vulnerable and most likely to be attacked. Are we really worried about our cable stations being hacked by foreign countries? It wouldn't be good, but I think having a virus in our electric grid would be worse. However, let's stop talking and creating reports about how important this role is and why. We all know what's at stake - it's time to take some action. Which brings me to my third and final piece of advice: We should focus on ways to prevent attacks from succeeding, rather than standards for what to do if we are attacked via the Internet.

I realize we need to have a system in place for IF our networks are penetrated, but just like businesses, we should focus on keeping viruses, and malicious code out of our critical infrastructure networks, rather than fixing the mess once we know it is there. This will save our country time, money and possibly even lives. I will continue blogging about the creating of the cyber czar and what the government is doing to protect critical infrastructure's networks, so check beck often.

In the article, Karen Evans, a Bush administration Information Systems executive outlined what she thought should be fast-tracked. It includes using TICs (Trusted Internet Connections) for all public infrastructures. This would include making sure that the internet connections for public access are consolidated and then served by only trusted parties. In my calculations, this has many benefits with only one glaring weakness.

What happened?
A single quote of the story stuck out. "the most important lesson learned is that many federal agency security people did not know which network service provider connected their Web sites to the Internet," said Alan Paller, director of research the SANS Institute. "So they could not get the network service provider to filter traffic." That quote takes my breath away. If this is accurate, then the preparedness of network security for the government's infrastructure is simply not up to par. There is not much else that can be said. What are we as a community to do?

Choose the battlefield
Often used as a text of inspiration to security professionals is Sun Tzu's "The Art of War". There are two quotes that are relevant to this discussion. "...And therefore those skilled in war bring the enemy to the field of battle and are not brought there by him." And "The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable."

The lessons of Sun Tzu show that we want to essentially choose the battlefield and lay in wait for an attack. We want to be wise about our battlefield and prepared for the enemy. Using the TIC approach is similar to how the Spartans chose the battlefield for the battle of Thermopylae. They chose a small gorge that a small force could successfully defend and then they put up the biggest fight in history. This is the idea behind the TIC. Secure the path to the prize. When you secure the only way to get to the servers, you secure the servers. At the moment, the servers are too distributed to mount an effective defense.

Weakness?
The only glaring weakness that I can calculate is that this can easily turn into a bureaucratic nightmare resulting in weak TICs. Weak TICs will result in a much wider path to the prize (what if the gorge at Thermopylae was twice as wide?). TICs will have to comply with some standard. Not only that, but likely the TIC will have to be the lowest bidder on the project. So what are the standards? Will they be robust enough? Will the lowest bidder do just enough to get the grant? Will the lowest bidder have qualified personnel? Will there be a process that the TIC and government will need to follow that essentially slows response time? All these are questions that should be answered among many more.

WHAT IS DirectAccess?
DirectAccess is a technology that allows Vista, Server 2008 and Windows 7 to connect with the office LAN seamlessly, without having to log into any clients. DirectAccess is also being used to remotely manage remote PCs without the PCs needing logged in user (for instance, you can push a new update to an idle PC). This technology comes at a time when there are a multitude of remote technologies to choose from so Microsoft is distinguishing itself by saying that DirectAccess is basically a hands-off technology. The user doesn't need to do anything except get a network connection and log into the machine as normal - the OS takes care of the rest.

HOW IT WORKS
Despite Microsoft's marketing, DirectAccess is a VPN technology with new functionality. For those familiar with configuring VPNs, DirectAccess uses IPSec to tunnel the remote system to a DirectAccess server. The DirectAccess server then authenticates the system and, if configured, authenticates the user. Both of these steps rely on certificates (and the option of smart cards for multi-factor authentication for the user). From here, there are differences in topology and design from which you can choose. You can use "End to End" (security to the application server) or "End to Edge" (security to the perimeter, then letting unsecured traffic on the LAN). One key piece of information that must be taken into account: DirectAccess uses IPv6 as the preferred protocol. You can use IPv4, but there will be extra steps that you may need to take. There are several more key points to the connection for which I will refer you to Microsoft's documentation at http://www.Microsoft.com/servers/directaccess.mspx.

SECURITY CONCERNS
Microsoft has taken steps to make sure that security of this technology is the focus and seems to have been successful. When this technology is configured properly and used properly, I can see a step forward with this technology. That being said, DirectAccess does assume some things. The most glaring is that user authentication is not required. If a user's laptop is stolen and not reported in time, then it is conceivable that an attacker would have access to your internal network. Although, they may not be able to log into the domain, there is still an IPSec connection between the attacker and the LAN. This will make the use of full disk encryption even more necessary. Also, the fact that there are so many technologies involved in order to get a connection is a concern. If any one of them has a vulnerability it can be a problem to say the least.

END OF THE VPN?
All-in-all, I don't think DirectAccess will herald the end of the VPN. I think that there may be some changes, but VPN is here to stay for the moment. The public information on DirectAccess is still a bit hazy on site to site connections (in fact, I am not sure it's possible). For this reason VPNs are still going to be in use. Also, remote access VPN technologies, as they exist today, will adapt to new market requirements. I foresee the major VPN vendors keeping pace with Microsoft.

If you are looking for a company that challenges you to do your best, Astaro is the place for you. To apply for a position, please review our job openings and submit your resume online.