The Big Switch

Cloud computing is all the rage. According to Nicholas Carr, one of the unstoppable drivers is the economics of cloud computing. Carr uses the history of the electric industry to explain the historical forces that are in play today in the information technology market and that will move Information Technology to more and more of a utility computing model.

There is an informative description of companies such as YouTube who generate tremendous value by providing a platform with a small number of employees that millions of people add value to for free. This viral model has been used a number of times in the Internet space and is one of the forces that is negatively affecting traditional industries such as newspapers.

Carr also covers a number of the social changes that are occurring, including the loss of privacy, which in some ways was the opposite effect that early Internet pioneers predicted.

This is book is required reading for anyone who wants to understand the major forces that are moving the Information Technology field.

Buy The Big Switch: Rewiring the World, from Edison to Google
from Amazon now.

Adobe Reader is Vulnerable Again

Back in May we first discussed the vulnerability in Adobe Reader. Once again, an issue has cropped up. I ask the question again, why doesn't Adobe release a standard verison of the reader without Javascript? Sure, it would disable some forms, but the bulk of users in the world want to read documents safely and not use forms. They could certainly have a Premium Reader with Javascript support for those people that need it.
Here is the statement from them, "Adobe has confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild. Adobe recommends customers follow the mitigation guidance below until a patch is available.

Adobe plans to make available an update to Adobe Reader and Acrobat by January 12, 2010 to resolve the issue."

Here is a link to the security advisory.

Who Stole Those Emails

I have started writing a column for Infonomics, the publishing portion of AIIM. The first column covers the basics of Information Security. Here is a link to The Article.

OWASP Releases 2010 - Top 10 Web Application Security Risks

OWASP (Open Web Application Security Project) released the preliminary version of the Top 10 Web Application Security Risks in a Request for Comment format.

According to OWASP they plan "to release the final public release of the OWASP Top 10 -2010 during the first quarter of 2010 after a final, one-month public comment period ending December 31, 2009. This release of the OWASP Top 10 marks this project’s eighth year of raising awareness of the importance of application security risks. This release has been significantly revised to clarify the focus on risk. To do this, we’ve detailed the threats, attacks, weaknesses, security controls, technical impacts, and business impacts associated with each risk. By adopting this approach, we hope to provide a model for how organizations can think beyond the ten risks here and figure out the most important risks that their applications create for their business."

The full document can be found on the OWASP web site.

The OWASP Top Ten has been a key driver in improving the security of Web applications across many industries. If you have any questions please ask Arthur, who is an active OWASP member.

HP Laserjet 3100 on Vista or Windows 7

I have a wonderful HP Laserjet 3100 that is still working reliably after seven years of use. I recently added a new laptop that is running Vista Business (no choice in the matter) to my stable of machines. I still want to use this printer with the Vista machine, but HP has no drivers for the printer. What to do?

The printer is connected to a machine on my network running Windows XP Professional.

1) I added a new printer on the Windows XP machine without using Plug and Play. It was set up as an HP LaserJet II Series printer connected to LPT1 (The parallel port).
2) I shared out the printer as \\Machine\HPLJII
3) I went to the Vista laptop and added a network printer. Of course it didn't discover it so I clicked on the option "The printer I want isn't listed."
4) I manually entered the Share \\Machine\HPLJII, which the Vista machine recognized as a LaserJet II and bingo I was up and running.

This solution should work for a Windows 7 machine as well.

AIIM Garden State Chapter Meeting - November 12th

I am attending the AIIM Garden State Chapter meeting on November 12, 2009.

The topic is "Social Media All You Need To Know: A to Z"

The meeting is at the Woodbridge Hilton, 120 Wood Avenue South -- Iselin, NJ

Key Takeaways:

• Learn how to setup Twitter, LinkedIn and Facebook


• Learn how to use Social Media to be found, find talent and promote your company


• Learn what and how enterprise tools are utilizing Twitter, LinkedIn and Facebook
  

Speaker(s)

• Michael Potters, The Glenmont Group
• Rahul Nirula, OpenText
  

Meet with some of New Jersey's top IT recruiters at this event
Event Time Registration & hors d'oeuvres / Networking opportunities: 5:30 - 6:30 pm Presentation: 6:30 – 8:00 pm Dessert / Networking opportunities: 8:00- 8:30 pm
Fees* AIIM Members $30Non-Members $35On-Site + $10

REGISTER ONLINE

I hope to see you there!

The Hacker Turned Serial Killer

Just finished a very entertaining book, The Scarecrow, by Michael Connelly. I am not regularly a reader of crime fiction, but a friend who knew about my interest in information security suggested it to me. I really enjoyed it and was spooked by the effectiveness of the hacker. WIthout giving away any of the story, the hacker uses social engineering, trojan horses, viruses, and other nefarious techniques to further his criminal activities. I highly recommend it; you may just take better care of your personal information after reading it.

Restoring Deleted Permissions with Varonis

This afternoon a hedge fund client called with a high profile problem. One of the system admins from their outsourcer had deleted all of the Active Directory permissions of the General Counsel. Not a great person to prevent from accessing the system. Since they are a Varonis DatAdvantage user, I was able to help them solve this problem.

We ran a query from the log area and selected "History of differences" as the data source. The keys were to set the "File Server" to "IDU" and set the "Change Description" to start with his fully defined domain account. Then we got a list of all of the groups that he belogned to and my client was able to restore them all and get the General Counsel up and running ASAP.

DatAdvantage to the rescue.

Kudos to the Department of Justice for the indictment of Albert Gonzalez and two of his coconspirators. With all of the high profile data breaches occurring we need to take a deeper look at what is going on here. While TJX and Heartland may have been PCI compliant, they were still breached. The issue with most security approaches is that they focus primarily on “preventative” controls. There are not enough “detective” controls in place to make sure that if one of the preventative controls fails, there is someone or something there to notice. No defense is impenetrable and that is why we practice “defense in depth.”

In the case of Heartland Payments Systems, it is alleged that the hackers were siphoning off data for months and it wasn’t until Visa and MasterCard noticed the fraud, that Heartland found the breach. Some questions that companies should be asking themselves include:

• Do you have in place a process to review audit logs from your firewalls and core routers on a regular basis?
• Do you have a process in place to monitor the activities of privileged users and system accounts?
• Do you have a formal entitlement review to verify that security is granted in a “least privilege” model?
• Do you audit database and file system activity?
• If any user was accessing an unusual amount of data, would anyone notice?

I would appreciate hearing your thoughts on these questions.

AIIM SharePoint Event - September 17, 2009

On September 17 , 2009 the AIIM International Garden State Chapter is hosting a Panel Discussion and Networking Event and I will be one of the panelists. Here is some info in case you are interested in attending.

Register Here!
--------------------------------------------------------------------------------
Panel Topic: MS SharePoint – where is it headed?

· How is MS SharePoint different from traditional ECM products
· How well does MS SharePoint integrate with other ECM products
· What are the top ECM products being integrated with MS SharePoint
· How are companies leveraging MS SharePoint
· What are the "hot skills" in demand around the MS SharePoint

Panel Members:

· Allan Schweighardt, Senior Technology Strategist, Microsoft
· Joe Giegerich, President / Managing Partner, Gig Werks
· Kenneth Shea, Former Executive Director of Enabling Technology, KPMG
· Arthur Hedge III, President, Castle Ventures

Networking:

· Network, Network, Network!!
· Meet and talk with individuals from the industry
· Meet some top New Jersey's recruiters in the MS SharePoint space

Meeting Agenda

5:30 - 6:30 pm - Registration & hors d'oeuvres Networking opportunities
6:30 - 7:30 pm - Panel Discussion
7:30 - 8:30 pm - Dessert: Networking opportunities

Location:

The Woodbridge Hilton
120 Wood Avenue South
Iselin, NJ 08830
Tel: 732-494-6200

Fees:*

AIIM Members $30
Non-Members $35
On-Site + $10

*$10 discount for early registration (September 10th deadline)

Register Here!

Hope to see you there.

YouTube Hacked?

Yesterday, Twitter and Facebook were attacked. Is YouTube being hacked today? There is a video about a healthcare protest that is not having its view counter updated. People have been commenting that the counter has been stuck at 1,338 views for a while. Has someone hacked into YouTube or is it just a bug?

Here is a link to the video.

Hacker Steals Domain Name

The New Jersey State Police arrested a man who allegedly stole the P2P.com domain name. SC Magazine provides the details in this article "Hacker charged with domain name theft." What is troubling is that domain owners do not adequately protect their domain names. We have an offering that will analyze your risks for only $249. Please visit our website to learn more.

Please protect your Domain information.

SQL Server 2005 on Windows Server 2008

If you want to install SQL Server 2005 with Reporting Services on Windows Server 2008 you have to jump through a few hoops. Reporting Services is dependent on IIS 6 and SQL Server 2008 runs IIS 7. However, there is the capability to emulate II6, which is critical to making this work.

There is a great blog post on this issue at iGregor, where he walks you through the exact configuration options to make this work.

Hope this helps all those who see that grayed out Reporting Services box in SQL Server 2005 install and are shaking their heads.

I am planning to attend the August 5th New York SharePoint User Group meeting. It always well attended with somewhere between 50 and 150 people depending upon the evening. The meetings are the first Wednesday of the month at the Microsoft office in New York City.

Click here to register.

Hope to see you there

Is Senator Leahy a Capitalist?

On July 22, 2009 Senator Patrick Leahy (D-VT) introduced the "Personal Data Privacy and Security Act" to combat the growing number of data breaches. As of July 24, 2009 the Privacy Rights Clearing House had calculated 263,214,232 records had been "lost." They are posting new breaches every week; and these are just those that are public knowledge.

We applaud Senator Leahy for tackling this important issue as it threatens the trust in the financial systems that we use and have become central to the American way of life.

However, several things strike me about the proposed legislation that protect the data brokers and not individuals. First in Section 303 dealing with the "Privacy and Security of Personally Identifiable Information" there is a prohibition against "private action." That protects the data brokers from being sued by the people that have been adversely affected by a data breach. If someone is defrauded out of tens of thousands of dollars because a company lost their records, there is no recourse to sue and try to recover damages and associated costs in dealing with the identify theft. How does that protect the consumer?

Second, Section 316 gives a breached organization 14 days to report the breach to law enforcement agencies (the Secret Service in this case). That is way too long. In 14 days hundreds of thousands of those records could be resold by hackers and be used in fraudulent transactions. Why not make the notification requirement 24 hours? Better safe than sorry.

More to follow on this legislation as it is a step in the right direction.

Identify Theft Comes to Payday Loans

According to the Chicago Tribune a temporary worker from AT&T, Cassandra Walls, stole information on a number of her co-workers and took out at least 130 loans in their names. Some of the victims found out they had been scammed when collection agencies began calling them.

Let's hope that this identify thief and her co-conspirators are able to compensate all of their victims, even if they have to wait until they get out of prison.

Goldman Sachs Data Breach

Earlier this week the FBI arrested Sergey Aleynikov for the theft of proprietary software from his employer, Goldman Sachs. The complaint is fascinating in providing insight as to what a leading financial institution is doing to protect its intellectual property. Here are some of the items that they had in place (we know there are more controls that were not revealed in the document):

• Scanned and analyzed outgoing mail
• Prohibited file transfers using ftp to outside locations
• Recorded commands performed on the user's desktop
• Logged access to systems
• Monitored https traffic

Sergey was a sophisticated insider with technical skills who tried to cover his tracks, unfortunately for him, the security folks at Goldman Sachs were several steps ahead of him.

One other lesson that we should learn from the affidavit is that:

1) They had a written security policy.
2) That put tools in place to support that policy.
3) They had a security architecture in place to detect when the policy was being violated.

Kudos to the security team at Goldman and the FBI agents who arrested Aleynikov.

New York SharePoint Users Group Meeting - July 1

I am planning to attend the July 1st SharePoint User Group meeting. It always well attended 50 to 150 people depending upon the evening. The meetings are the first Wednesday of the month at the Microsoft office in New York City.

http://www.sharepointusergroup.org/NewYork/default.aspx

Hope to see you there.

Renaming SQL Backup Files

If you use a SQL 2005 Maintenance Plan to create backups of individual databases, the .bak files have a date stamp on them. I have a customer that wants to handle the files with an automated tool and would prefer that the backup files have a consistent name. We could backup up the databases en masse, but we wanted separate backups for this purpose.


The solution was to create a VB script that runs as a scheduled task and renames the files every night after the backups are run. Here is the code that I wrote to handle renaming all of the files.

-------------------------------

------------------------------------------

Note: this will fail in 2100. Just setting up some Y2100 work for your grandchildren.

Active Directory Security Groups

Yesterday, during a Varonis training session, Paul Ezhaya started a great discussion by asking my opinion on strategies for naming security groups and organizing folders on file servers. The primary debate was whether to use security groups named after departments and roles or to use security groups named after folders that they provide access to. For example, if there was folder called Human Resources with sub-folders such as Employee Data, Forms, and Terminations, and folders specific to several departments how would we set this up from a security perspective? Would we create Active Directory groups based on Roles for the HR people who handle each department and then apply those groups to the corresponding folders on the file server? Or would we create AD groups named after the specific sub-folders and then add the specific people to those groups as needed? Along with the security groups we would take the lead in organizing the folder structure to match the security group naming conventions.

There is no “right” answer, but here are some of my thoughts on the Role versus Folder question.

In general, I prefer the Folder-based solution. The first reason is for the long-term security of your organization. Finding the data is always top priority so regardless of how you organize the folders; users will learn the taxonomy and adjust to it. You need to force the organization to apply security; therefore, if you organize the infrastructure in a secure manner, they won’t have to. Second, When you first set up your Role-based Security Groups you might have an accurate grouping of the users by department. However, over time people will not make the appropriate adjustments to those groups. After the initial setup fades away, when you add someone to a role-based security group to they can access a particular set of data, you may not realize what else that gives them access to. You may not it even give it any consideration because security will always be an afterthought. In a Folder-based solution, the security of the data is pushed to the forefront as the IT department knows what folders the Active Directory group gives them access to. And if the access is insufficient user will surely let you know, where the odds of them notifying you that they were given too much access in the Role-based scenario is highly unlikely.

Of course, we may have a hybrid approach. At the top level shares we might want to have security groups for the department and apply those at that level. Then we would turn off inheritance on folders with confidential data and apply the folder-based security to those folders. So we end up with a set of groups like this:

grp_HumanResources
grp_Terminations-RO
grp_Terminations-RW

Where RO is for the group with Read Only privileges and RW is the group with Modify privileges.

If there are other reasons for you to use a Role-based strategy then I would highly recommend an automated Identify Access Management system. I think that you will still find that the default will be to provide too much access, but the results will be better.

AIIM Garden State Chapter Meeting - Software as a Service

I am a member of AIIM, which is a trade association and professional organization focused on the Enterprise Content Management market. The Garden State Chapter of AIIM is holding its next meeting on June 18, 2009 at the Woodbridge Hilton. The meeting starts at 5:00 p.m. and goes until 8:00 p.m.

There is a Panel Discussion: With panelists from Adobe, SpringCM and IPS covering "Software as a Service (SaaS) - a Better Solution?"

• Does SaaS deliver on its promise to lower ECM costs?
• Where does it fit in the market vs. hosted and in-house models?
• Learn how companies are leveraging SaaS technologies Hear what the "hot skills" are in SaaS

Go to the Garden State Chapter web site to register.

There are plenty of networking opportunities as well.

Hope to see you there.

Adobe Acrobat Requires Critical Security Update

It is astonishing that software that was created to present documents in a "neutral format", Adobe Acrobat, can be hacked. Another case of taking a great product and adding features that eventually take the software far beyond the original architecture and creating security vulnerabilities.

Why is JavaScript even an option in PDF files? PDF files were suppossed to be the safe alternative to documents that you might receive in formats such as Word. I guess that has gone by the wayside.

Here is the link to Adobe's update site.

US-CERT has more detail about the vulnerabilities and other workarounds and protection methods on their web site.

AIIM New York Metro Chapter Presentation - May 15, 2009

I gave a presentation today to the New York Metro Chapter of AIIM on

"Is SharePoint the future of Enterprise Content Management?"

I described how SharePoint fits into the traditional ECM Marketplace, where it succeeds, where it falls short, and where it ventures far beyond ECM. Audience participation was great. We discussed where SharePoint is an appropriate solution for organizations and some of the challenges in implementing SharePoint to solve business problems.

Here is a copy of the presentation.

TechRepublic Reviews Varonis Suite

The TechRepublic blogger Mark Kaelin has a review of the Varonis Data Governance suite.

Here is a link to the review.

Nice to see the product get some coverage, since it is the greatest thing since sliced bread (actually since VMware). The review mentioned three things that are wrong with the product, I take issue with two of them.

Issue 1 that I disagree with:

"Culture shock: The general principle of placing decision making concerning data governance in the hands of employees deep in the organization may be a significant change of policy for many established organizations, especially those with established hierarchical structures and controlling IT departments. "

One of the advantages of the Varonis solution is that you can start small, with one directory if you want, so that there is no need for any culture shock. Security provisioning by the user community can be rolled out as slowly or as quickly as the organization can handle.

Issue 2 that I disagree with:

"Cost and scope: The scope of the Varonis Data Governance Suite 4.0 does not come cheap. Not only will the entire organization have to buy-in to the concept, the initial software installation and training cost will be significant. This suite of software is most likely to be used in larger organizations with very specific and vital data governance needs. "

The cost of the solution relative to the value of the data is not significant and in terms of improved efficiency of IT administration the product more than justifies the cost. We have a number of customers that are small (250 users) and see significant benefit from the DatAdvantage product. Again the "enterprise" buy in is not a necessity for implementing the solution. Behind the scenes the DatAdvantage solution monitors and reports and access without disturbing anyone and the Data Privilege component can be rolled out directory by directory if you so desire.

How to we keep users aware of security concerns?

An organization can only be successful in securing its data and assests if it is a company-wide effort. Most security failures involve a technical failure(s) as well as a human failure, through social engineering as an example. One of the challenges that we face in dealing with the user community is that we need them to be vigiliant all the time even though the threats that we face come very rarely (or hopefully not at all). I have several thoughts:

1. Design systems to take the rarity of threats into account and design better "detection" systems in addition to better "prevention" systems.
2. Vary the reminders that people get about security so they don't become oblivious to them.
3. Make sure that we design systems so they fail safely.
   

Are Your Admins Accountable?

A comprehensive security process protecting critical assets needs to follow a basic outline such as this:

• Prevention
• Detection
• Reaction
• Correction

Access to servers is one area where I see this process break down all the time. First, people reasonably Prevent access with passwords. However, they use a common account such as Administrator; which seriously weakens the Detection and Reaction steps. If every system administrator is using the same privileged account to do their work, there is no accountability (a key component of detection) and no reasonable ability to React when something goes wrong.

CIOs, don't let your admins grow up to be cowboys! Make it a policy and practice to require that system administrators use their own accounts to perform their jobs.

SharePoint Designer is Free

SharePoint has taken the world by storm. In almost all of our clients SharePoint has been deployed or is being discussed and this phenomenon is happening everywhere. SharePoint Designer is one of the key tools that you can use to customize the SharePoint experience without coding. Download it for free here. You can also use SharePoint Designer to do traditional HTML programming.

Two-factor authentication comes to Main Street

Security can be a wonderful thing and if it is well thought out and it does not have to be onerous.

I have seen an increase in the number of merchants who are asking me for my billing zip code when using my American Express card. Walmart has been doing it for years. Many gas stations have started and last night, Walgreens asked me for the first time.

This is a great example of intelligent two-factor authentication. The transaction relies on “something I have,” the credit card, and “something I know,” the billing zip code. Something that is easy for me to remember.

This is much more effective than a signature because the credit card processor can easily validate my zip code as compared with analyzing handwriting. If security involves a cycle of:

• Prevention
• Detection
• Reaction

the use of the Zip Code raises the ability of the bank and merchant to prevent and detect a fraudulent transaction.

Several years ago someone stole my credit card and spent about $300 before I noticed the next morning that the card was gone. Had the thief been asked my zip code, he never would have been able to order that $50 meal at McDonald’s. Let’s hope that more merchants follow this protocol and we see a drop in credit card theft, saving all of us money in the long run.

Unresolved SIDs

When we are working on cleaning up security in a Active Directory environment using Varonis DatAdvantage, one of the common problems that we run across are SIDs that Varonis cannot resolve to a useful name. In most cases this is because someone has deleted the user from Active Directory, rather than just disabling the user account. However, there are cases when the SID (security identifier) represents a group or machine account. Here is an example:

SID: S-1-5-32-544

Nobody ever remembers what those are. In walks Jennifer!

A Varonis user that we were working with, Jennifer Crusade, found this great Knowledge Base article that explains common security identifiers in Windows operating systems.

http://support.microsoft.com/kb/243330

Hope this helps you resolve a question or two.

Turning off the Windows Server - Shutdown Event Tracker

I often need to reboot the lab server that I am working on. One of the minor annoyances is the Shutdown Event Tracker that pops up and asks for a reason. When you are restarting the box several times during one work period this can be a real pain. So I learned how to shut it off.

Running gpedit.msc (Group Policy Object Editor) gives you the option to change this. Go to Computer Configuration:Administrative Templates:System and find the Display Shutdown Event Tracker settting.

Change the setting to Disabled and you are all set. Another minute saved.