Saturday, July 16, 2005

Enhanced Podcasting

I'm doing a little research on Podcasting to try to understand it and its potential uses. I read a post that offered this tidbit: "If a publisher wishes they can even put in clickable web-links that will open up your default browser. This is kind of neat in my opinion. It opens up Podcasts to a whole different world of possibilities." (from the whole story about Apple's Enhanced Podcasting).

I don't know about you but my first thought was "Great! A new way for malicious hackers to infect our systems!"

I now return to my normal research mode...

Tell me what you think!

Saturday, July 09, 2005

Backup, Backup, Backup (and test recovery)

Imagine my joy when I discovered two of my favorite bloggers talking about things I have an interest in and pointing to each other!
Dave Taylor, in his Intuitive Life Business Blog, panned podcasting for business in "Why podcasts won't help promote your business". Since I am a newbie to the world of blogging and have no thoughts of venturing into podcasting, I actually read some thoughts I had been having but couldn't articulate (thanks, Dave). Unless there is someone whose voice you really, really want to hear, I don't see the draw. Why would anyone listen to something without a clue whether it would be of value?
However, my friend Des Walsh, along with plenty of others (see the comments on Dave's blog), took a different view. But Des went in a different direction altogether in his reference to Dave's post, "Podcasting and Cautionary Tale on Backups". Ah, backups... and the lack thereof. Des talks about Blogarama's total loss of a lot of content because they didn't have a backup. Imagine the storage you'd need for backing up podcasting posts!
Des kind of let Blogarama off the hook (by not even questioning why not). I'm not that kind (on this topic, anyway). There is no excuse for any business not to have proper backups and a disaster recovery plan that is tested and known to work. Anything less is, in my opinion, criminal.
Most companies that suffer this fate never make it back to prosperity, though, so I guess that is a steep enough price to pay.

Close your Windows!

Allergic to Hackers, Trojans, & Worms?
Want to avoid most Virus infections?

What platform do you use? Is it Windows? OS X? Linux? Unix? Why do you use this platform? For most people, the answer is Windows, because that's what came installed on their machine. What makes a platform more or less vulnerable?

First, due to its installed base, Windows is a much bigger target than the others. Second, many users accept the default installation and do nothing to secure their system until they've already been compromised. Third, Microsoft has too many buffer overruns and does not handle them properly. (Buffer overruns are a major vector for exploitation.) Fourth, even though Microsoft has made changes that could make their system more secure, they appear to discourage software vendors from taking advantage of it.

Some users may say that they use Windows because a special program they need only runs on that platform. This is a valid reason... if it is indeed true and that program is the only one they can use to perform the given task(s). However, it is very rare that there is only one program that can accomplish the task(s), and you can usually find equivalent software in the *nix (all Unix and Linux distributions) world. Furthermore, if you really do need to run a Windows program, you can do it from within Linux! (provided you have one Windows server and the right thin client)

Are there vulnerabilities in the *nix world too? Of course. However, with a little knowledge and some planning, you can reduce your exposure greatly, especially as compared to Windows. I am told that you can make a Windows system safe and usable too and I would hope that is true. However, most people do not have the skills and patience to accomplish this.

If you are interested in finding a safer alternative, you must take stock of your needs, determine whether there are alternative programs to do the same things you have been doing (it's much easier than you may think), do a little homework to determine the right distribution for you, and plan for a safe implementation.

Many people should probably consult with someone who knows more before proceeding, but even that is easier than you may think.

Close your Windows, for good!

You can do it. {:^)

Tuesday, July 05, 2005

[Your unprotected] PCs [will be] Infected in 12 Minutes

Interesting tidbit here...

PCs Infected in 12 Minutes

By Vic DaSilva

The speed with which PCs can become infected has now shortened. If your Windows computer is not properly protected, it will take 12 minutes before it becomes infected, according to London-based security company, Sophos. Sophos has detected 7,944 new viruses in the first half of 2005, a 59-percent increase over the same time span last year.

That's over 40 a day. Is signature-based anti-virus software really adequate protection? There are many types of protection available for any operating system. Tell me what system you have and what you want to use it for, and I'll help you find proper protection. For the home user, there are free and low-cost options. For the business, you can still be protected at low cost. The cost of not protecting your systems is far greater.
The bottom line: never connect an unprotected machine to the internet.


Monday, July 04, 2005

Happy Birthday America!

I hope everyone enjoyed their holiday (in America).
Today, we celebrated the Birthday of the Country. People often forget the reason for holidays, although I think July 4th is less forgotten than most. I guess we get so caught up in our day-to-day lives that it is difficult to remember that Memorial Day, originally called Decoration Day, is a day of remembrance for those who have died in our nation's service, not just the beginning of summer. Labor Day is not just the end of summer, it grew out of a celebration and parade in honor of the working class by the Knights of Labor in 1882.
Independence Day celebrates the birthday of the United States of America. Founded July 4th, 1776, with the signing of the Declaration of Independence, America is celebrating its 229th birthday this year (2005). On July 4, 1776, we claimed our independence from Britain and Democracy was born. Every day thousands leave their homeland to come to the "land of the free and the home of the brave" so they can begin their American Dream.

Let's not forget the reasons for the holidays.

Value - when it comes to web hosting

I see a lot of people asking, on various message lists, for "cheap web hosting", or in a panic because their hosting company 'disappeared'. This has prompted me to write this post to say: "There is more involved in the 'value' question than simply monthly cost."

Remember, value includes long-term relationships and total cost (over the long run). Total cost includes the vendor being in business - at least for the duration of your agreement. It also includes things related to 'security'. Does it matter if every other customer can traverse your directory structure? If so, is there a 'cost' associated with that?

What is the value of not being vulnerable to Code Red or other issues? The answers may or may not apply to you. Value differs. The main issue is to know what you are getting and to place value on what is important to you. If you don't mind your site being vulnerable, then it doesn't matter if they run W2K without patching. If you do, it does. Perhaps there is 'value' in ensuring that your hosting company does patch its Windows boxes regularly or uses a different OS.

So, I have compiled a list of questions I ask my hosting providers.
In no particular order:
1. Professional facility
- multiple backbones
2. Responsive customer service - what hours - methods?
- Level of expertise
- What topics
3. Easy to manage system - web interface for email, DNS, content editing, trouble tickets?
4. Basic features:
- FTP access over ssh, or scp, or similar
- multiple E-mail addresses
- forwarding to any address
- POP/web accounts
- statistics
- backup
- off-site archiving
5. Reliable service - "up-time" - SLA available?
6. Affordable pricing - what's included/not included.
7. Has policies that maintain security.
- Customers should not be able to see or access other customers
- Programs run as a user-specific login ID, not a generic ID common to all clients.
- Maintaining latest patches - esp. security.
- Includes configurations to minimize risk - i.e. MySQL run over named pipes rather than TCP sockets - separate instance (not shared with other
8. Does not leave basic security up to the client (who probably doesn't know how to deal with it).
9. Deals with patches before the client knows there's a potential hole.
10. Does not allow spam. If another client spams, the whole customer base is vulnerable to blacklisting.
11. What platforms do they support - how many experts for each (especially Windows)
12. Include extras? like:
- backend scripting (what and which versions)
- available canned scripts
- available scripting components
- mailing lists
- web-based email pickup/management
- available media types (flash, shockwave, wmv, etc)
- streaming media servers (Real, Quicktime, Windows Media)
- built in ecommerce packages

Get references - call them - ask if they would mind if you picked out some customers at random and called them.
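Two of the item 7 checks, written up as an added shell example (not from the original post): whether a customer's directory tree can be traversed by other tenants, and whether a MySQL configuration leaves a TCP listener in place instead of running socket-only. It assumes a POSIX shell with find and awk; the my.cnf fragments and paths are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: two checks a tenant can run from
# an ordinary shell account on a shared host to verify checklist item 7.
# Assumes POSIX sh with find(1) and awk(1); the my.cnf fragments are constructed.

# Does any directory under $1 grant "other" read or search permission?
# Prints each offender; returns 1 if any were found, 0 if the tree is private.
world_accessible_dirs() {
    hits=$(find "$1" -type d \( -perm -o+r -o -perm -o+x \) 2>/dev/null)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Is the mysqld described by config file $1 reachable only over its Unix socket?
# skip-networking (or skip_networking) in the [mysqld] section removes the TCP
# listener entirely. bind-address = 127.0.0.1 is NOT sufficient on a shared host:
# every other tenant's processes share that loopback interface.
mysql_socket_only() {
    awk '
        /^[[:space:]]*\[/ { in_mysqld = ($0 ~ /^[[:space:]]*\[mysqld\]/) }
        in_mysqld && /^[[:space:]]*skip[-_]networking/ &&
            !/=[[:space:]]*(0|OFF|off)[[:space:]]*$/ { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample: a weak configuration that keeps a TCP listener on loopback ...
WEAK_CNF=$(mktemp) && cat > "$WEAK_CNF" <<'EOF'
[mysqld]
bind-address = 127.0.0.1
port = 3306
EOF

# ... and the corrected one, which is socket only.
HARDENED_CNF=$(mktemp) && cat > "$HARDENED_CNF" <<'EOF'
[mysqld]
skip-networking
socket = /var/run/mysqld/mysqld.sock
EOF

for f in "$WEAK_CNF" "$HARDENED_CNF"; do
    if mysql_socket_only "$f"; then echo "$f: socket only"; else echo "$f: TCP listener present"; fi
done
# To audit your own tree on the host, run: world_accessible_dirs "$HOME"
```

The directory check needs no privileges beyond your own account, which is exactly the vantage point a neighbouring customer would have.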

Do you disagree with any of these? Have I forgotten some? Talk back to me.


Sunday, July 03, 2005

CSO (Chief Security Officers) and general security issues

I was recently involved in a discussion concerning the apparent elevation of Information Security professionals in the business world. Many companies are now hiring managers into management slots that did not exist before, creating a 'department within a department' (within the IS/IT department). The gist of the discussion was questioning whether this heralded the true elevation of this specialty but quickly turned into what I will call a 'complaint' about the skills of management. Here is my reply:

I do not dispute the "generality" that many managers are not up to the technical level of their employees. I further stipulate that Security Managers may be a little closer in technical ability. The reason for this may be the nascent nature of the management specialty.

However, the reality of the argument (quoted as a generalization from earlier comments in the thread) "Managers, of any type/level, are the middle guys assigned to make sure, those under them, those processes and procedures get implemented on time, and under budget. Granted, security managers, in a worst-case scenario, are probably the very few who can step in and roll up their sleeves, but for the most part, it's the grunts who do the work." depends on many factors, not the least of which is the flatness of the organization.

I managed a 7 person organization responsible for *all* aspects of telecommunications *and* Information Technology for a company of 1200 employees with 450 nodes on the WAN in 4 locations, 150 mobile employees with laptops, a mainframe, large Unix server, Novell, and 2 WinNT machines running ERP, File/Print/Authentication services, and custom developed applications. I spent only 40% of my time managing and 60% of my time doing 'real work'. I am sure there are many more managers that also do 'real work'.

Mark Twain said "All generalizations are false, including this one." It was okay to use the generalization to make a point but this thread has turned the generalization into the point, which is false. Let's try to remember this.

As for the original point, it is about time the Security field got more recognition. I am happy to see the growth of this as a specialty and have long felt that it should be one. Many organizations are actually hiring CSOs (Chief Security Officers). I would like to turn this thread to a discussion of whether these changes are cosmetic or real.

It is one thing to hire a manager in a specialty. It is another to spend money on projects in that discipline. Are these companies putting their money where their managers are, or just "paying lip service" to it?

What do you think? Talk back to me...
