Enterprise IT Watch Blog

July 7, 2010  4:22 PM

Service Pack 2 set to XPire: Here’s what’s next for Windows

Melanie Yarbrough Profile: MelanieYarbrough

Don’t worry, this isn’t another Y2K-ish post about the end of Windows XP support—and civilization—as we know it. More like a friendly community reminder: Next week, July 13th, marks the end of support for Windows XP Service Pack 2. Your computer will most likely not explode into millions of tiny, useless pieces if you don’t immediately upgrade to SP3 or Windows 7, but you should be thinking about the next step for you or your company’s OS.

The details

  • Microsoft is discontinuing support and updates for Windows XP SP2 beginning July 13, 2010.
  • Since there is no 64-bit version of SP3, Windows XP SP2 64-bit will be supported until April 8, 2014.
  • Windows XP Home will no longer be pre-installed on netbooks after October 22, 2010.

Not a big deal considering it’s been a long time coming, right? According to a poll from PC Advisor, 37% of respondents continue to use XP, but only 5.6% are using SP2 or earlier; 31.4% have already upgraded to SP3. Windows 7 is close behind with 30.6% respondents. Netbooks were the primary reason for the slow on-again, off-again demise of Windows XP, which is still the most popular operating system in the world with 62.55% market share. Now even that group of holdouts might be coming to an end: 81% of netbooks sold after April 2010 had Windows 7 installed.

What would an upgrade from Windows XP to SP3 or Windows 7 mean? Continued »

July 7, 2010  5:38 AM

IT Professionals are not above the law

Guest Author Profile: Guest Author

Editor’s Note: Ever feel like you’re crossing a line with something your boss has asked you to do? Joshua Garick, a lawyer in Boston, MA., explains why you might need to think twice before installing the latest spyware on employee computers, particularly if you’re a bit dubious about what the boss is snooping on. Also, read his first guest post on why you should be wary of extended warranties. -Michael Morisy

There has been a buzz as of late as to whether IT professionals should be held criminally liable if they perform a technical task that results in criminal activity. An example is the Lower Merion Township case where the school district’s IT department equipped school-issued laptop computers with webcams that took over 56,000 images of unsuspecting students in their homes.

The FBI and U.S. Attorney are presently investigating the matter to determine whether charges should be filed.

The IT professional should view cases like this as a warning. IT professionals, like anyone else, will be held liable for their criminal acts. You are hired for a powerful skill set which, if used inappropriately, could have devastating consequences. You should not use your skills in an illegal or immoral manner. This is akin to Superman using his x-ray vision to garner a look at Lois Lane.

Let me explain why you will be arrested if you break the law:

A recurring argument against imposing criminal liability is that the IT professional is simply performing a technical task for his employer. This is not a valid defense. Under civil law this might be true, but not for criminal law. For example, if I am accidentally struck by a UPS truck when I cross the street, UPS – and not the driver – would likely be vicariously liable for my injuries under a legal principle known as respondeat superior – which means “let the master answer.” This, however, does not apply to criminal prosecutions, nor should it. If the UPS truck driver’s boss ordered him to drive his truck into a pedestrian, the driver must draw from his moral compass and recognize that he is about to engage in criminal activity. Societal norms suggest that a victim’s right to not be struck by a speeding truck is greater than the driver’s right to his job. If the truck driver is fired because he refuses to follow this order, at least there isn’t an injured pedestrian on the side of the road.

This analogy holds true in the IT world. Criminal laws evolve over time and change based on societal norms. The latest trend is to combat privacy and other issues resulting from advances in online technology. These problems can only be created by you – the IT professional. If you are asked to do something that is illegal, you have an obligation to us non-technical folks to abstain. This is not to suggest that the IT professional should fear the unintended consequences of his work. Like the UPS driver accidentally hitting a pedestrian, if you do not have the requisite criminal intent to create an illegal technology, you will likely not be charged with a crime.

Consider the fallout from Google Map’s collection of personal data obtained during its search for unsecured wi-fi networks. If you believe Google’s explanation that any data obtained was an unforeseeable accident, the IT professional who created the technology would probably not be subject to arrest.

What is important, however, is that you keep abreast of the law. Years ago, identity theft, data breaches, dissemination of personal information, online bullying, etc., did not exist. Now most jurisdictions have laws on the books in response to these growing problems. Do you know them? Remember the old adage: ignorantia juris non excusat – ignorance of the law does not excuse. Though certainly a daunting task, there are many resources that can assist you and help save your hide. Most companies have (or should have) internal processes to ensure legal compliance. Question your legal counsel or your company’s management to make sure your project isn’t criminal. If you are dissatisfied with your general counsel’s advice (or you don’t have one), you can always discuss the matter with your own attorney. Perhaps the best advice is to appeal to your own sense of morality. If you are asked to do something you are uncomfortable doing, don’t do it. Under whistleblower protection laws, your job may be protected if you notify the authorities about illegal or suspected illegal activities in lieu of carrying them out. Make sure to consult with an attorney in your state to understand your rights.

July 6, 2010  8:38 AM

No Time, No Budget, and No People? No Problem! (Part 3)

Guest Author Profile: Guest Author

We’ve got the third and final installment of Keith Morrow’s three-part series, No Time, No Budget, and No People? No Problem! Straight from the former CIO of Blockbuster and 7-Eleven and current president of K. Morrow Associates, learn how acting like a start-up and maximizing the assets you already have can save you money and precious time when deploying applications in the cloud. Be sure to read parts one and two, too.

Today’s successful companies are those that embrace the API economy to expand their brands and create new opportunities for engaging with customers. In this final piece, we’ll discuss how creating new distribution channels via APIs rapidly creates more opportunities to sell products, reach new audiences and create new markets. Delivering content via multichannel strategies is the ultimate way to ensure that you are accessible how, when and where your customers want you to be.

Focus on Developer / Partner Adoption

The minute we decided to build and publish the API service, we knew we had to build in such a way that allowed our development partners (mobile device and set-top box companies) to adopt it easily and ramp up fast. We kept the APIs simple, only exposing what the partners needed. And we built the API service just as we would a GUI-based application, making sure that the use cases and the error handling were well thought out.

Once you achieve success with the initial applications, you can think about extending the reach of the API set to more developers. In e-commerce, we are all familiar with the affiliate model, where we rely on aggregators such as Commission Junction to deliver traffic to our online stores. Vendors such as PayPal are also enabling third-party developers to build payment solutions on their API platform. In our case, by opening our API service to a greater developer network, we enabled movie review websites and entertainment-oriented Facebook apps to begin using our movie library.

Continue to Protect Your Organization and Customers

Being conservative when it comes to technology adoption is not a bad thing for retail organizations. After all, we want to protect our customers who entrust their private and transactional data with us and mitigate our company’s risks.

As we stitched together new business solutions from existing ones, we continued to verify that the high standards we hold ourselves to in matters of data security, transactional scalability, and consumer privacy are continuously followed. In terms of credit card / transaction processing, we were really sensitive about complying with the PCI standards set forth by the credit card associations. Just because our apps were built quickly with minimal cost didn’t mean we could side step any security and privacy regulations or best practices.

Even though retailers have limited budget and no additional manpower in this recession, they can still innovate and deliver applications that meet customers’ demands for access to product information and the level of collaboration they demand with their social networks. The keys are to act fast; leverage existing enterprise software and data assets; and pragmatically tap into existing cloud computing and API-enabling technology offerings that can help us meet customer, competitive, and marketplace challenges.

July 6, 2010  6:51 AM

The deal with security on Windows 7

Kevin Beaver Profile: Kevin Beaver

In addition to being more user-friendly than OS’s of the past, Windows 7 has some pretty stout security controls right out of the box. However, like other things security-related, lack of maintenance and oversight can turn an otherwise reasonably secure OS on its head. Did I mention some of the security features are tied to the version of Windows 7 you’re running combined with the version of Windows Server on the other end?

Anyway, here are some pieces I’ve written about Windows 7 security that you may want to check out:

Using BitLocker in Windows 7 – pros, cons, and other general things you need to know

Securing removable media with BitLocker To Go – a neat solution that can help ensure one of those darned thumb drives doesn’t get your business into a bind

Cracking passwords in Windows 7 – perhaps more appropriately titled “How to crack Windows 7 passwords so you can find the vulnerabilities before the bad guys exploit them”

Using Windows XP Mode for security testing in Windows 7 – how you can use the potential VMware Workstation killer for security testing with the added benefit of not mucking up your local workstation installation

Using Windows 7’s DirectAccess to enhance the mobile user experience – Microsoft’s VPN alternative and what you need to know to make sure it doesn’t create more problems than it solves

Windows 7 vulnerabilities you won’t hear about – some of the things no one’s talking about when it comes to Windows 7 security

If you’re looking for more information check out my other tips, podcasts, screencasts, and webcasts on Windows security.

Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Principle Logic, LLC and a contributor to the IT Watch Blog.

July 5, 2010  6:43 AM

The near-immediate payback of Windows 7

Kevin Beaver Profile: Kevin Beaver

IDC just released a Microsoft-sponsored whitepaper on the business value of Windows 7. They found that in just seven months (a convenient number) companies started seeing a payback with an ROI of 375%. Apparently there’s a 43-hour average savings per user per year. Not too shabby!

As far as security goes, I’ve been a big fan of Windows 7 for a while now, but I’ve been an even bigger fan of how much Windows 7 has improved my productivity. So I can attest to the numbers in IDC’s whitepaper. If anything, just the “Show desktop” button – now located in the lower right-hand corner of the screen – has saved me a ton of time flipping back and forth to my desktop while I work. I don’t even have to look for it now but rather take my mouse and ram it down to the lower right and click. It works every time.

Also, the concept of libraries and the general browsing of different folders has made my folder clicks so much more efficient. I know it doesn’t sound like much but as in the world of auto racing, thousandths of a second count and add up big time over the long haul.

Sure, Windows 7 has its quirks and still isn’t the perfect OS, but I’ll take it over what we’ve had in the past any day!

What do you think of Windows 7? Let us know in the comments section or send us your stories and reviews.

Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Principle Logic, LLC and a contributor to the IT Watch Blog.

July 2, 2010  1:59 PM

Book Recommendation: Securing Storage

Kevin Beaver Profile: Kevin Beaver

While I’m on my storage security kick I thought it’d be worth sharing a valuable book on the topic by Himanshu Dwivedi:

Securing Storage: A Practical Guide to SAN and NAS Security

It’s five years old but still very relevant in today’s storage environments. If anything, just browse through it the next time you’re in the bookstore. It delves into storage security weaknesses you can’t afford to overlook that so many people are still ignoring.

Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Principle Logic, LLC and a contributor to the IT Watch Blog.

July 2, 2010  1:42 PM

What’s this “SkyDrive” you speak of?

Kevin Beaver Profile: Kevin Beaver

Have you seen Microsoft’s cloud storage offering called Windows Live SkyDrive? It’s funny, SkyDrive has apparently been around for nearly three years but I’m just now hearing about it. I don’t know if that’s Microsoft’s lack of marketing or seemingly minimal push into the cloud or just my inability to keep up with their offerings. Regardless, SkyDrive has some interesting features you may want to check out:

  • File backup and storage (up to 25GB)
  • Live file sharing and collaboration (with close tie-in with Office Live apps)
  • File synchronization with your local system (coming soon)

One big drawback with SkyDrive is that file upload size is limited to 50 MB, which seems a bit odd. SkyDrive may not be “enterprise” ready and you may prefer some of the features of other online backup providers, but I could certainly see SkyDrive being a good fit in many instances. If you’re open to explore it, the best way is to set up a Windows Live account and take it for a spin to see how it works.

Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Principle Logic, LLC and a contributor to the IT Watch Blog.

June 30, 2010  9:39 PM

Gartner session reminder of just how vulnerable mobile storage can be

Kevin Beaver Profile: Kevin Beaver

I served on a mobile security panel at Gartner this week with Larry Ponemon and my esteemed colleague Stan Gatewood. The insight they brought to the table from both a research and a real-world perspective was phenomenal. I think our discussion served as a strong reminder to all of us that businesses are nowhere close to where we need to be when it comes to protecting our mobile storage.

For instance, Dr. Ponemon did some research – backed by Intel – that found:

  • There’s a $20,000 cost reduction between lost laptops with encryption versus without
  • The average cost of a lost laptop is over $49,000

Also, the people in the audience were asked to raise their hands if their business has ever experienced a lost or stolen laptop. All but maybe three or four of the hundred or so people in the room raised their hands!

I go back to what I wrote about nearly three years ago in my blog post What’s it going to take to encrypt laptop drives?! Seriously, what is it going to take? Nothing’s really changing.

Another neat takeaway is Intel’s (relatively) new Anti-Theft technology that’s worth checking out. It works in conjunction with drive encryption from WinMagic and PGP as well as asset management/tracking from Absolute and effectively disables the system when a loss or theft has been detected.

We can have optional mobile storage security options until the end of time but I’ve always believed that unless and until computer hardware manufacturers integrate controls that facilitate mobile storage security, such as Intel’s Anti-Theft, at the factory we’re going to continue having mobile storage exposures.

Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Principle Logic, LLC and a contributor to the IT Watch Blog.

June 30, 2010  11:29 AM

Finding those needles in your storage haystack

Kevin Beaver Profile: Kevin Beaver

Information is at rest most of the time. Therein lies the problem. Give malicious attackers, rogue insiders or just a few bored employees any decent amount of time on your network and they’ll likely uncover sensitive information they shouldn’t be able to access. So what’s a network or storage admin to do? Unstructured information (PDFs, spreadsheets, word processing documents, etc.) is scattered all about the network in practically every nook and cranny. How can you possibly find out where everything is so you can ensure it’s safe from prying eyes?

The simple formula is to find out what you’ve got, determine how it’s at risk, classify it and do whatever it takes to keep it in order and accessible only to those with a business need to know. It’s that first step though – finding what you have – that’s so difficult. I’d venture to guess even the sharpest network/storage admins don’t have a real sense of what’s actually stored in their environment. Not from lack of expertise or effort but rather because it’s just so darn difficult to find where everyone and every application has stored these files.

Here are some ideas on what you can do to figure out what’s where:

  1. Simply ask information owners what they’ve got. It won’t be completely reliable but it’s a start.
  2. Use search tools you’ve already got such as Windows Explorer or find in UNIX/Linux. Painful but possible.
  3. Use more advanced search tools such as Google Desktop or FileLocator Pro.
  4. Use enterprise search tools such as Identity Finder or even some of the more advanced e-discovery/ILM tools such as those offered by StoredIQ or EMC/Kazeon.

However you go about it, just do something. There’s undoubtedly unstructured information at risk in your storage environment and getting started finding out where it’s at today will serve you greatly down the road when things are even more complex.
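To make the “find what you have” step concrete, here is an added example (not from the original post or any of the tools it names) of a minimal discovery sweep: it walks a directory tree, reads text-like files and flags candidate payment card numbers, using the Luhn checksum to weed out random digit runs. The file extensions and the sample tree are constructed for the demo.

```python
import os
import re
import shutil
import tempfile

# Candidate card number: 13 to 19 digits, optionally separated by single
# spaces or dashes, and not glued to other digits on either side.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
TEXT_EXTS = {".txt", ".csv", ".log", ".md"}  # assumed scope for this demo


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return the Luhn-valid card-number candidates found in text."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def scan_tree(root: str) -> dict:
    """Walk root and map each text-like file to the card numbers it holds.
    Unreadable files are skipped so one bad file does not abort the sweep."""
    findings = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    hits = scan_text(fh.read())
            except OSError:
                continue
            if hits:
                findings[path] = hits
    return findings


def demo() -> dict:
    """Build a constructed sample tree, scan it, and return findings keyed
    by relative path so the result does not depend on the temp location."""
    root = tempfile.mkdtemp()
    samples = {  # constructed sample content, not real data
        "exports/orders.csv": "id,card\n1,4111 1111 1111 1111\n",  # Luhn-valid test number
        "notes/ticket.txt": "ref 1234567890123456 looks like a card but fails Luhn\n",
        "build/app.bin": "4111111111111111",  # skipped: not a text-like extension
    }
    try:
        for rel, content in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        found = scan_tree(root)
        return {os.path.relpath(p, root).replace(os.sep, "/"): h
                for p, h in found.items()}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, numbers in demo().items():
        print(f"{path}: {len(numbers)} card number(s) found")
```

Point it at a real file share by calling scan_tree on the mount path; the report tells you where the data lives, which is the input the classification and access-control steps need.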

Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Principle Logic, LLC and a contributor to the IT Watch Blog.

June 30, 2010  10:28 AM

Cisco Cius: An iPad for the working stiff?

Michael Morisy Profile: Michael Morisy

It’s been a little off our radar, but Cisco Live’s been live and kicking this week with some hot news coming through (Yasir Irfan blogged about how you can attend Cisco Live virtually and has promised to post more updates on his blog). One surprising announcement that caught my attention, however, was Cisco’s new tablet, the Cisco Cius.

The Android-powered device takes a cue from other recent Cisco plays, focusing on video and collaboration, and aimed squarely at the business and educational markets (business tablets have had fans in education and medicine for years). The pitch, straight from Cisco’s Kara Wilson, is that it will offer better HD video talk, desktop virtualization, and on/off-campus connectivity than any other current mobile alternative (see below the jump for full specs).

While it will naturally draw comparisons to Apple’s iPad, Cisco made clear that it’s not interested in being an iPad killer as long as it can capture the enterprise market. As Matt Hamblen reported for Computer World:

When asked about comparisons of Cius to the iPad, Chambers was clear. “Cius is all about collaboration and telepresence,” he said. “It’s a business tablet. I use the iPad and love it. I love anything that loves networks. We do a lot with Apple and they are a great customer and good partner. I think of Cius as a business tablet, so [Cius and iPad] are complementary products with different target markets.”

Try telling that to the scores of business professionals that have already adopted, gleefully, the business side of the Apple iPad: At every conference and briefing I’ve been to since the tablet’s launch, it’s been a strange dance to watch, to see how smooth and nonchalant each vendor can be as they power up their PowerPoints on that thin, aluminum frame that was at once both magical and revolutionary. One presenter literally got so giddy he began giggling during his pitch.

With Cisco and even HP entering the tablet game, maybe enterprise tablets will get less magical while getting more work done. See below for full specs:

Continued »
