
By J.F. Rice
Computerworld (US)
June 28, 2010

FRAMINGHAM - In a recent column, my Security Manager’s Journal counterpart, Mathias Thurman, wrote about securing virtual desktop environments. My company is going through the same exercise of evaluating VDI as a replacement for traditional desktops. As Mathias pointed out, the concept of virtualizing the applications that run on the system does not substantially change the threat landscape, nor does it modify the countermeasures we put in place to protect against those threats.

This is true in the server world as well. Physical servers are being replaced in our data center by virtual machines, but these VMs look and feel like any other server platform from the security perspective. Whether the server is real or virtual makes no difference from the network point of view. They all look the same on the wire.

But what about Internet-based services? Cloud computing and software-as-a-service (SaaS) are beginning to proliferate in my company’s network, and I find myself struggling with trying to apply the best practices we are using inside our network perimeter to outside companies beyond our control. I believe that the risks associated with Internet-based SaaS services are a combination of those risks associated with traditional data center environments in addition to those of Internet-based services, added to a new set of risks that arise from the convergence of private and public environments.

We are using SaaS-based services, including the well-known Salesforce.com and Google Docs, other Web services, and outsourced third-party support and staffing services that connect into our network over the Internet. These services need to access some of our internal network infrastructure in order to work, such as our Active Directory authentication systems. Yet we don’t really know that these outside companies will treat that access with the same care and caution that we use, and how do we know they are safe? All we really have is contractual reassurance. That’s why I insist on a SAS70 certification from every potential SaaS vendor before we start any discussions about connecting to their service. While SAS70 may not completely guarantee that a vendor’s service is safe, it at least establishes that the vendor has given some thought to protecting its customers’ information assets.

When evaluating the security of SaaS services, I am concerned about some additional factors beyond traditional data center computing that need to be addressed. For instance, knowledge and control of the location of data are important for many reasons, with regulations being near the top of the list. In the past, service providers knew exactly where their customers’ data resided, because individual servers were housed in specific data centers with minimal interaction from the providers. But in newer, distributed cloud environments, providers have many data centers and leverage virtualization of servers, network, and storage to provide elastic environments that can be scaled on demand. This means that finding the physical location of data can be difficult, and it can move around without warning.

And where is my data? I’m concerned about service providers commingling my company’s sensitive and private data with that of other customers. Service providers typically store data from multiple customers on the same hardware. They state that controls are in place to provide logical separation of data for different customers, but validating that competitors can never access our data, either intentionally or accidentally, may not be possible. And how do we ensure that our data is completely removed in the situation where we want to terminate our contract with the cloud provider?

I’m also concerned about whether a service provider’s physical servers are located in different places, especially when those locations are outside the U.S., and possibly even in risky locales. Ensuring the integrity and confidentiality of data when the infrastructure resides physically in other countries, especially those hostile to the U.S., can be impossible.

Mission-critical services require some thought and planning around redundancy. An established practice is to assume that any given service will fail, and plan appropriately by using redundant providers. But if the service itself goes down, we typically have defined SLAs that are published by the service providers with a provision for a cash refund or service credit based on the cost of the service, not the cost of losses due to business downtime. SLAs for SaaS services are also affected by Internet reliability — if our Internet link goes down, access to data is impossible and there is no remediation, and our people can’t work. So the Internet itself has become a mission-critical application that our workers can’t live without, and it needs to be highly available, otherwise work will stop when there is no offline alternative.

Despite these challenges, my company, like many others, continues to march forward toward virtual hardware and software services, so I’m doing the best I can to secure them. There’s always a new challenge in my security world, which is why I like my job. It seems like there’s never a dull moment.


Defining Moment

By Fei Lumbania on June 1, 2010

By Ivan Uy
Computerworld Philippine
May 1, 2010

The country is about to embark on its first nationwide automated elections. This activity has reaped praises and encouragement from its advocates. It has likewise generated an equal amount of attacks and expressions of grave concern if not outright damnation from its critics. The whole scope ranges from optimists looking at it as the ultimate solution to deal with the well established cheating machineries in past elections on one hand to doomsday scenarios where a failure of elections is an imminent nightmare for the pessimists on the other.

We see around us the risks and dangers created by the political climate and its players.

* The contentious issue of who can legitimately appoint the next chief justice,

* The restless upperclassmen of batch 76 and 77 of the Philippine Military Academy who have recently been bypassed by its junior class of 78 (the adopted batch of the hopefully outgoing president), all of whom are already generals in the various armed services,

* The realignment of loyalties among the various members of the political parties, swaying in rhythm with the surveys

* The last minute removals and reassignments of police and military commanders assigned to “bantay” or “salakay” the elections in their respective areas of command,

* The midnight appointments of various government officials and the eleventh hour removal of various elective officials identified with the opposition,

* The increasing frequency of power outages all over the country.

We see the risks and dangers created by the last minute adjustments that COMELEC and Smartmatic are doing, such as:

* The deactivation of the ultraviolet light detector on the PCOS machines, which would distinguish genuine ballots from fake ballots, and instead merely relying on the bar codes,

* The elimination of the person-based digital signatures of the Board of Election Inspectors that would encrypt the data before transmission, and instead just limiting it to the machine-based digital signatures on the PCOS machines,

* The late issuance of General Instructions for the BEI, contingency plans, and the Board of Canvassers,

* The photo finish schedule of printing of the ballots,

* The seeming inadequacy of the training for the teachers and members of the BEI and the BOC,

* The uncertainty of the capability of the logistic companies contracted by both Comelec and Smartmatic to timely and accurately deliver the right ballots to the right machines,

* The downgrading by the Telcos to second class data centers for the hosting of the election servers (they almost abandoned it and Chairman Melo had to even threaten them with take over of their facilities by the armed forces),

* The absence or lack of rules of all the electoral tribunals on how to appreciate all the electronic and digital evidence relative to disputes in a technology-based elections,

* Congress has not even come up with its own rules on how to conduct the canvass for the President and Vice President, given that the Certificates of Canvass are going to be electronically transmitted to Congress.

* The uncertainty on how the random manual audit is going to be done, whether prior to or after proclamation.

* The controversy on the source code review of the software that would ultimately run the automated counting and canvassing.

We likewise see that despite these dangers and risks, technology does provide answers to many of these threats.

* Encryption and digital signatures, if used properly can indeed ensure authenticity and reliability of information and data transmission.

* Speed in transmitting electronic results can significantly reduce or eliminate ballot switching, snatching or stuffing. It can likewise obviate the notorious “dagdag bawas”.

* The presence of photos and thumb marks on the voters list, in addition to the (most of the time) indelible inks can reduce flying voters.

* Having multiple transmission of the same data to multiple parties can lessen fraud or intentional manipulation of results by any party since it can be validated by all the other recipients.

* Hashing would indeed provide parties with the capability to detect any alterations on the original software. (Hashing is putting the software or file through an algorithm and producing an alphanumeric value. This value will change if there is any alteration on the software or file.) But this presupposes that the parties had indeed ensured that the original software that was hashed and put in escrow with the Bangko Sentral is not a bastardized version from the very beginning.

* The audit log which records every action taken on or by the machines can serve as a deterrent to would-be cheaters that their activities will not go undetected.
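
Added example, not part of the column and not COMELEC or Smartmatic code: a Python sketch of the two checks described in the bullets above, comparing an installed copy of the counting software against the digest deposited in escrow for the original (the hashing bullet) and cross-checking the copies of one transmitted result received by several parties (the multiple-transmission bullet). All file images, results and recipient names are constructed; the escrow caveat in the text is noted in the code because the check cannot remove it.

```python
import hashlib
import hmac
from collections import Counter
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Hash a file image; any one-bit change yields a different digest."""
    return hashlib.sha256(data).hexdigest()


def verify_against_escrow(installed: bytes, escrowed_digest: str) -> bool:
    """True only if the installed software hashes to the escrowed digest.

    The check is only as good as the escrowed copy: if a tampered build was
    the one hashed and escrowed, a tampered install passes this test.
    """
    return hmac.compare_digest(sha256_hex(installed), escrowed_digest.lower())


def cross_validate(copies: Dict[str, bytes]) -> Dict[str, object]:
    """Compare the copies of one result received by several recipients.

    Returns whether every copy agrees, the digest most recipients hold,
    whether that digest is held by a strict majority, and who disagrees.
    """
    digests = {party: sha256_hex(blob) for party, blob in copies.items()}
    tally = Counter(digests.values())
    majority_digest, votes = tally.most_common(1)[0]
    dissenters: List[str] = sorted(
        party for party, digest in digests.items() if digest != majority_digest
    )
    return {
        "all_agree": len(tally) == 1,
        "majority_digest": majority_digest,
        "strict_majority": votes * 2 > len(digests),
        "dissenters": dissenters,
    }


# Constructed sample data (not real election software or election returns).
ORIGINAL_BUILD = b"counting-software-v1.0\x00binary-image"
ESCROWED_DIGEST = sha256_hex(ORIGINAL_BUILD)  # digest deposited at escrow time
TAMPERED_BUILD = ORIGINAL_BUILD.replace(b"v1.0", b"v1.0-mod")

RESULT = b"precinct=0001;candidateA=123;candidateB=98"
RECEIVED = {
    "recipient_a": RESULT,
    "recipient_b": RESULT,
    "recipient_c": RESULT.replace(b"98", b"198"),  # copy altered in transit
}

if __name__ == "__main__":
    print("installed matches escrow:", verify_against_escrow(ORIGINAL_BUILD, ESCROWED_DIGEST))
    print("tampered matches escrow:", verify_against_escrow(TAMPERED_BUILD, ESCROWED_DIGEST))
    print(cross_validate(RECEIVED))
```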

Ultimately, vigilance by the citizenry is still the key to this whole exercise. This could be a wonderful opportunity to once more show the world, in the same manner we did at EDSA in 1986, that we Filipinos can and will prevail, despite all adversities, despite all odds, despite the seeming impossibility of success. Human dignity and the decency in many of us will still overcome the “dark side.” Heaven knows how desperately we need moral, just and competent leaders.


Today more than ever, good network security is vital to businesses of all sizes. Cybercriminals, equipped with sophisticated software that automates the task of seeking out vulnerabilities, aren’t focusing on large enterprises alone; any easy target will do. Fortunately, however, good security isn’t as expensive or as complicated to implement as it used to be.

Technology for protecting valuable data from prying eyes, warding off malware, managing spam, or empowering employees to work remotely and securely is now bundled in routers at prices that most organizations should be able to afford. Though consumer routers offer some of these protections, you don’t have to spend a lot more for business-class alternatives that provide more-robust defenses and, typically, features that consumer products simply don’t offer.

Attending to the Basics for Free

Small businesses must cope with the same Internet security threats as larger companies do, but usually without the same budget and manpower. And in recent years, the threats have diversified and become more subtle: Whereas several years ago, you worried that a hacker or virus would crash your computers, now you may never even realize that your network has been compromised until real economic damage has been done. For example, your data may be lost or held hostage; you, your colleagues, and/or your customers may fall victim to identity theft; or your computers may be used to distribute spam or malware.

Of course, once your business grows to a certain size–100 to 200 staffers or more–you’re best off putting security in the hands of a pro, typically an independent contractor or a reseller. But if you’re handling security for a workgroup or a smaller business and money is tight, you can develop and implement your own security policy. This doesn’t cost a dime, and it can be very effective if you put in the required effort–but make no mistake, effort is involved. Nobody likes to change passwords every month, perform regular backups, and check for software updates, but tending to these chores can help minimize your risk.

Security organizations offer how-to guides that can get you going. For example, the Internet Security Alliance makes its “Common Sense Guide to Cyber Security for Small Businesses” available as a free download to registered users; you can read some of its contents in the SANS (SysAdmin, Audit, Network, Security) Institute’s “Network Security and the SMB” paper.
The guides have similar checklists with instructions that you’ve probably seen before, but the major ones bear repeating:

Also included are items that you don’t hear about as often but can also help to plug security holes:

The router that connects your network to the outside world is the primary line of defense, and ordinarily it has its own firewall; current consumer routers typically have other security features, too, so you should read the manual to see which ones your router offers. One important step that many otherwise savvy users often neglect is to change the default administrative log-in settings so that an outsider can’t easily alter all of the other settings. (Router vendors tend to use the same default settings for all their products.)

If you’re using Wi-Fi, it’s time to bite the bullet and use the best encryption available, WPA2. If you’re hanging on to a laptop that doesn’t support WPA2, either upgrade to one that does or resign yourself to disabling Wi-Fi completely and using a wired hookup. The same goes for smartphones: Current and recently issued handsets (including the iPhone) support WPA2, and you should abandon Wi-Fi on older handsets that don’t.

Moving Up to Business Class

So what does a business-class router give you that a consumer one doesn’t? The list varies, but features can include a more-robust firewall (with sophisticated software that can check to make sure data packets are what they purport to be), additional antivirus/antispyware/antispam protection, and business-friendly features such as VPN support (so that you can access your network remotely and securely, without exposing it to intruders), guest Internet access (so that visitors to your office can go online without gaining access to your internal network), and support for multiple broadband ISPs (for backup when one fails, or for load-balancing when all are functional).

A note on VPN support: This is a key feature of business-class routers, since so many people want to be able to access a network when they’re at home or on the road. (Wouldn’t you rather have remote staffers access corporate data inside your firewall than keep copies of files on a laptop they might lose?) Don’t confuse VPN support on business hardware with the pass-through VPN support on many consumer routers, which is designed to let a home user connect to a corporate VPN; a business router creates the VPN itself. They don’t have to cost a bundle: D-Link’s DIR-130, for example, is an eight-port firewall router that lets you set up VPN access for up to 25 users (it doesn’t, however, offer antivirus, antispam, or other business features).

The All-in-One Approach

Routers that do address the entire range of business security needs are known as unified threat management (UTM) appliances (see our detailed examination of UTM features from last year). Typically they involve subscriptions on top of the base price to pay for updates to the antivirus/antispyware/antispam software, and for many such offerings the fees are based on the number of users or connections supported. (Even if no user fees are involved, you should check on the number of users the device is designed to support: Exceeding that number can result in significant network slowdowns.)

You may be wondering why you need a UTM when your business PCs already have antivirus and antispyware software. Security experts say that the additional layer of protection at the network level can make a real difference–especially if the antimalware programs on your client PCs and on the UTM appliance come from different vendors. You should confirm which third-party software vendors an appliance manufacturer has partnered with; most depend on established antivirus, antispam, and/or antispyware products.

A Wealth of Security Choices

The UTM category is exploding, with offerings from home and small-business networking companies such as D-Link and Netgear, networking giants such as Cisco, and companies that are well known for their enterprise-class security appliances and software, such as Check Point and SonicWall. Most of these companies have a range of products that a growing business can step up through.

Prices vary widely depending on the features and the number of users supported. A couple of examples: Check Point’s Safe@Office UTM appliances for small businesses come in versions that cover 5 seats ($299), up to 25 seats ($599), or an unlimited number of seats ($999). Software updates run $79 a year. However, if your primary concern is a good firewall and you don’t need features such as multiple ISP support, Check Point’s ZoneAlarm subsidiary offers a Z100G security router that supports 802.11 b/g Wi-Fi and up to 10 seats for $150.

Netgear, meanwhile, is readying its first ProSecure UTM devices, the UTM 10 (recommended for up to 15 users) and the UTM 25 (for up to 30 users). The UTM 10 starts at $550, which includes a year’s worth of software updates and features for remote network management; subscriptions for the antimalware/spam services run $175 a year thereafter.

The pricier the device, the more complicated it will be to set up. Typically vendors will provide links to a network of professional resellers. Again, larger workgroups or medium-size businesses will probably find working with a security professional more efficient, but the tech-savvy user at smaller outfits or workgroups can usually buy these appliances directly from big online retailers such as CDW, NewEgg, or PC Connection. You’ll have to determine whether it makes more sense to pay a pro or to spend your own time on setup.

***************

By Yardena Arar
