CIO Symmetry

January 30, 2009  4:09 PM

Heartland ‘low and slow’ data breach not likely at SMBs?

Linda Tucci

Reporters hear this a lot when it comes to SMB security: The security risks facing small and medium-sized businesses (SMBs) are often identical to those at big companies, only different in scale. The spam and viruses coming through email are as much a plague on SMBs as they are on the big guys. Ditto for worms and bots.

But the malware that surreptitiously burrowed into Heartland Payments Systems Inc. months ago and was just now discovered to have stolen a massive amount of credit and debit card data?

“I don’t think that would happen at an SMB,” says Rick Caccia, a VP of product marketing at security vendor ArcSight Inc. SMBs see their share of “smash and grab” attacks, where some malware breaks through a firewall and steals a bunch of information or infects a bunch of computers. “It’s a big pain for a while, but then you clean up afterwards.”

But the type of “low and slow” attack perpetrated on Heartland, where intruders plant a bit of malware that quietly collects information, wakes up and spits back credit card numbers to some domain, is not a top risk item for SMBs, contends Caccia, who ran the email and security products for SMBs and large companies at Symantec prior to joining ArcSight.

Never say never, says Caccia, but size matters in data breaches. “That’s a kind of attack you wouldn’t put in a law firm. You’re going to get like, 50 credit card numbers.” Where’s the criminal return on investment? In contrast, Heartland processes more than 100 million credit card transactions per month.

But there is a “low and slow” attack that SMBs do need to worry about, he says.

“The [Heartland] attack is similar to these botnet infections where users go to a bad website and pick up a new bot.” Like the low-and-slow attacks, the bots are hard to catch, says Caccia.

“They just don’t send much traffic, so the antivirus vendors can’t create signatures for them. They sort of lay there quietly, wake up and spit out some spam,” he said.

The data breaches most likely to affect SMBs, he contends, bubble up from within, from malicious or ignorant users accessing data they shouldn’t.

“Despite the flash, I am not sure all these credit card harvesting [schemes] are actually something they have to worry about,” Caccia says.

Do you agree that you don’t have to worry about the Heartland-type data breach? Do you go after bots — and if so, how is it part of your SMB security strategy?
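The behaviour Caccia describes (a quiet implant that sends very little traffic but wakes up on a schedule to call out to one domain) is hard to catch with signatures, but it leaves a timing footprint in outbound proxy or firewall logs. The following is an added example, not code from the original post or from ArcSight: it groups outbound connections by client and destination, and flags pairs whose connections are small and arrive at nearly fixed intervals. The log lines are constructed for the example; the field layout (timestamp, client IP, destination host, bytes out) is an assumption about what a proxy log provides.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not from the post): timestamp, client, destination host, bytes sent.
# One host receives a small, evenly spaced callback every two hours; the mail host is bursty and large.
SAMPLE_LOG = """\
2009-01-12T02:00:03 10.1.4.22 update.example-cdn.test 1450
2009-01-12T02:00:05 10.1.4.22 mail.example.test 83000
2009-01-12T04:00:01 10.1.4.22 update.example-cdn.test 1512
2009-01-12T06:00:04 10.1.4.22 update.example-cdn.test 1470
2009-01-12T08:00:02 10.1.4.22 update.example-cdn.test 1499
2009-01-12T08:13:51 10.1.4.22 mail.example.test 120500
2009-01-12T10:00:03 10.1.4.22 update.example-cdn.test 1455
2009-01-12T11:42:10 10.1.4.22 mail.example.test 9100
2009-01-12T12:00:00 10.1.4.22 update.example-cdn.test 1480
"""


def parse_log(text):
    """Parse whitespace-separated log lines into (timestamp, client, host, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), client, host, int(nbytes)))
    return records


def find_beacons(records, min_events=5, max_cv=0.1, max_bytes=4096):
    """Return (client, host) pairs that look like periodic low-volume callbacks.

    A pair is flagged when it has at least min_events connections, every connection
    sends at most max_bytes, and the coefficient of variation (stdev / mean) of the
    gaps between connections is at most max_cv, i.e. the timing is nearly regular.
    """
    by_pair = defaultdict(list)
    for ts, client, host, nbytes in records:
        by_pair[(client, host)].append((ts, nbytes))

    hits = []
    for (client, host), events in by_pair.items():
        if len(events) < min_events:
            continue
        events.sort()
        gaps = [(later[0] - earlier[0]).total_seconds()
                for earlier, later in zip(events, events[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv and max(n for _, n in events) <= max_bytes:
            hits.append({"client": client, "host": host, "events": len(events),
                         "mean_interval_s": avg, "cv": cv})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']} -> {hit['host']}: {hit['events']} connections, "
              f"every {hit['mean_interval_s']:.0f}s (cv={hit['cv']:.4f})")
```

The mail host is excluded twice over: it has too few events and its transfers are large. The thresholds are deliberately strict; an implant that adds random jitter to its sleep interval raises the coefficient of variation, so a production rule would loosen `max_cv` and add a second signal (a destination nobody else on the network talks to, or first-seen domains) rather than rely on timing alone.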

January 26, 2009  3:35 PM

Hyper-V update: Yes, it works with Linux

Mark Schlack

The Hyper-V experiment continues. My three Server 2008 VMs are extremely stable — no crashes at all, nine days continuous running. I made a number of restarts to address various upgrades and all three VMs came back automatically. Am also using a VM to test Windows 7, and no problems there either.

Now addressing how well Hyper-V handles Linux. Ubuntu 7.1 desktop installed with no problems at all, although still working on networking. My Linux skills are pitiful, so I draw no conclusions yet about whether the networking issues are related to Hyper-V or user error. Perhaps I’ll have to install the Unix services role on the base server. Am also installing a more recent version, 8.1, and will probably throw a Linux server up there, too. From a CPU and disk perspective, no problem — this machine still has a gear or two on the upside.

I am running out of memory, however, now that I have 6 VMs on this 8GB machine. The culprit: SQL Server on the base machine. Why did I install that? I’ve been trying to get System Center Essentials (SCE) onto the base machine and that requires SQL Server. This is a very tangled web Microsoft has woven: you need SQL Server and Windows Server Update Services to run SCE. SQL Server, no big deal; WSUS, something of a project, as it involves Group Policy. So far I haven’t gotten SCE to install and may abandon the whole project.

It does point out an interesting conundrum: Hyper-V manager manages memory for VMs. Is it more efficient than the base OS is? In other words, if SQL Server were running in a VM, would it be using as much memory? Sounds like my next experiment.

January 22, 2009  6:42 PM

Shut up and tweet: Finding the business benefits of Twitter

Kristen Caretta

I’ve succumbed to the call of the “tweet.” In the Web 2.0 checklist of the best, I can add Twitter to the short list with the likes of Facebook, LinkedIn and Yammer. And although the novelty still lingers, the whole thing seems like a lot of work. But is this constant connectivity beneficial in the business world?

Many execs are unsure about Twitter (what are the business benefits? Is it too time-consuming? Is it actually effective?). Further, with ROI more important than ever, the inability to measure Twitter’s influence and success is unsettling. Without a way to track ROI, how can anyone justify spending time throwing around status updates?

From a companywide perspective, the thought of being in constant contact with your peers and colleagues is attractive – but only if everyone is using it. If it’s just you and your five closest work buds in a Yammer social circle, where’s the business value in that? Shouldn’t this be about connecting with people you wouldn’t normally get the chance to share ideas with? But if the entire company connects and shares insight and ideas – well, then we may be on to something.

The Twitter turn-on for me was the spider-web effect. If I can follow a certain number of knowledgeable, credible people in my field (and get them to follow me) I’m exposed to their followers, possibly their followers’ followers and so on. So now, rather than just asking my team of co-workers if they know of a CIO with a PMO I can tap for article insight, I can tweet about it. With the right followers (and a little luck), I can find a CIO directly who wants to talk about PMOs. I can find out what people are saying about it, test the waters for interest levels, make connections – all in 140 characters or less. But, again, that’s with the right followers, and finding them can be tricky.

For now, I’m embarking on a Twitter trial (a Twial?) to weigh the business benefits. I invite you to follow me and share your thoughts on Twitter (or below): a beneficial trend?

January 16, 2009  3:15 PM

Is a Windows 7 migration inevitable for XP users?

Anne McCrory

So Windows 7 is out in beta. My colleague Mark Schlack took it for a test drive and wasn’t impressed (see Windows 7 migration: First thoughts). Yet at some point, if you’re still a Windows XP user, you’re probably going to have to plan a Windows 7 migration, unless you decide to start now and go for Vista (Win7 won’t be out before the end of the year, at the soonest). Windows XP support starts to wane in April, and by 2014 it ends entirely. Gartner recommends you make your switch by 2012.

Now some XP users told our reporter Christina Torode that they’re sitting tight (see Windows XP users weigh dwindling support vs. Windows 7 migration). Some expect Microsoft will extend those Windows XP support deadlines due to customer pressure. I’ve certainly met many more midmarket CIOs who remain with XP than those who have gone through a Vista migration. Very few see anything worth migrating for.

Yet if Microsoft sunsets XP as planned, they’ll all have some re-engineering to do. Windows 7 is built on the same kernel as Vista, so if your apps won’t work on Vista, you’ve only bought yourself some time, not a pass on re-engineering. Unless, of course, you are going to explore some Microsoft alternatives.

So XP users, unite: Are you going to clamor for extended support? Plan for a Windows 7 migration now? Start to work in Vista machines as you upgrade your hardware, as one analyst recommends in our article on migration tips? Go Linux? Let’s discuss.

January 8, 2009  10:35 PM

Should midmarket companies have one virtualization environment?

Mark Schlack

A lot of budget-strapped CIOs are going to be telling their systems and storage directors to take another look at consolidation this year. These days, consolidation means virtualization. Only recently, that mainly meant VMware ESX. That is still the weapon of choice for many reasons, but suddenly Microsoft actually has a competitive product.

After a pretty feeble offering with Virtual Server 2005, Microsoft went the hypervisor route and now offers that as a built-in feature (excuse me, a “role”) on Server 2008 Enterprise Edition. Make that your base install and you can then put any version of Windows and some versions of Linux in VMs on the same box. I’ve been playing with it on a quad-core AMD box with 8 gigs of memory and hey, it actually works! Two years ago, Hyper-V vs. ESX was a silly conversation about marketing. Now you can actually start to compare them and make decisions about how to use them.

In my case, I put three guests (a domain controller, a file server and one just idling while I figure out System Center Essentials) on Hyper-V without the box breaking a sweat. More to the point, I didn’t break a sweat, either. Even a non-MCSE guy like me could do it. No muss, no fuss. If you have admins who can install and configure Windows Server, they can work this.

There are a lot of holes in the Hyper-V story. As of 2009, it’s not going to get you close to a fully dynamic data center. You can’t move VMs around willy-nilly. There aren’t the same kind of admin tools for DR or test/dev labs or many other of the niceties that VMware and many third parties now have.

Pricewise, it might not be that big a bargain, either. Enterprise Edition can run you as much as $3,999, which isn’t very different from buying VMware VI3 and one copy of Server 2008 Standard. The devil will be in the details of your volume purchase agreements as far as that goes – depending on the support agreements, VMware could actually cost less. Eric Seibert on Server Virtualization Blog recently remarked that the many differences between the products make comparing them, especially from a cost point of view, an apples-to-carrots comparison.

As for performance, I haven’t seen any face-offs yet between Hyper-V and Server 2008. But if you’re trying to quickly collapse a lot of low-effort servers, maybe you don’t care about the ultimate in benchmark scores.

So it comes back to what it often does when choosing between Windows and something else: familiarity, integration and ease of use. In midmarket companies, you can’t always afford overspecialized IT staff. Maybe you don’t have budget or headcount for VMware specialists. Maybe you’d rather use your existing ESX licenses for more hard-core uses like email and ERP. Maybe you want to use similar tools to manage your physical and virtual servers.

The point is, CIOs will want to take a close look at the tradeoff between having one virtual environment (whether that’s Microsoft or VMware) or tiering their virtual environments. And finally, they have a reason to do that.

December 19, 2008  3:58 PM

Vendor gifts: Holiday cheer or ethical dilemma?

Kristen Caretta

Twas the night before deadline and all through the office,
we worked with our heads down, appeasing our bosses.
But what to my weary eyes should appear?
The USPS delivery, bringing vendor-purchased cheer!
Brown, unmarked boxes of who knows what,
Cookies? Chocolates? Kitsch that is haute?

‘Tis the season! The lights, the cheer and, for some, the vendor gifts.

In the name of the holidays, vendors will often promote goodwill (future sales?) by giving gifts to employees they have worked with. Although thoughtful, some gifts can raise ethical and moral issues. For example, an extravagant gift could make the recipient feel a sense of obligation. You certainly don’t want gifts hampering employee objectivity when making purchasing decisions or recommending products or services to clients and users. You have an obligation to consider your company’s – not your own — best interests (as well as those of consumers or people looking to you for advice).

Most companies have strict human resource policies about what is considered a gift, what dollar amount needs to be reported to the company, what needs to be sent back (What, no spa weekend?!), etc. For some industries (such as health care) the giving and receiving of gifts can raise certain implications concerning the appropriateness of medical treatments given to patients and at what point the gift starts looking like a bribe.

So, how do you differentiate between a possible bribe and a simple thank you? Use common sense, read up on your company’s policy and if you find yourself in a gray area, it’s always best to check with your HR department.

With that said, you may not even really want what your vendor is sending you. Here are some examples of vendor gifts my colleagues have received and kept over the years (whether they wanted to or not):

  • A large, corned beef-style chunk of buffalo.
  • Electric ice cubes (sounded dangerous to me, although she swears by ‘em).
  • A bottle of chocolate wine (yes, it was alcoholic).
  • Mr. Potato Head.
  • A box of mixed nuts doubling as a business card holder.
  • A red velvet blanket teamed with Godiva hot chocolate (?).
  • A bottle of whiskey. Period.
  • A gift card for either a facial or a body wax at a local spa (No further comment necessary).
  • Steaks. Packed in ice.

Feel free to send along any strange, interesting, bizarre and random vendor gifts you’ve received (or sent).

Share the gift of laughter

December 16, 2008  4:09 PM

IT budgets should include agility and innovation in light of recession

Kristen Caretta

We’re almost at the end of 2008.

It’s been a year of cutbacks, layoffs, crashes and downturns. We’ve started using the word recession and are planning 2009 budgets accordingly. So, what happens next year? Forrester Research recommends investing in agility and innovation to accelerate out of the downturn, in a recent CIO-geared webinar presented by Forrester principal analyst, Bobby Cameron.

While interacting with IT executives on budgets and planning, Forrester found that 21% expected their budgets to either grow or stay the same in 2009. But most are anticipating a stagnant or cut budget and have moved into one of three planning scenarios: cutting, anticipating cutting or keeping their options open.

Although Forrester found that most companies are focusing on traditional cost-cutting tactics (such as using low-cost resources, eliminating large-sized efforts and focusing on short-term returns), it has seen some firms choose an alternate path — investing what they can into agility and innovation.

Why? Agile companies (those that can rapidly shift suppliers, trading partners or markets) are more likely to navigate through failing firms and slow economies. Companies investing in innovation will look for new business models and product/service offerings (alongside operational improvements) instead of just hunkering down.

When investing in agility, Forrester says, companies should focus on flexibility. For IT, that means applying SOA and creating flexible external interfaces to data and systems so that companies can more easily shift or change contractors, suppliers or partners. Innovation investments, such as utilizing Web 2.0 technologies to establish and spread ideas, can positively affect core business strategies by engaging internal and external sources in meaningful dialogue – without over-extending budgets.

There is no all-encompassing recipe for success, and Forrester recommends addressing the downturn based on current situations and industry:

  • Those already cutting budgets should execute on those plans to cut, while preparing to make deeper cuts if things don’t turn around. They should also consider investments in agility and innovation, but only if there is enough breathing room.
  • Companies anticipating cuts should invest in agility and innovation, keeping the commitments small and the returns short-term.
  • And those companies keeping their options open should pursue agility and innovation aggressively to maintain company health and leadership.

Keep your heads up – most pundits are expecting a leveling of the economy by the end of 2009. Are you ready for another 12 months?

December 9, 2008  9:11 PM

Recent FBI vishing scam warning an old issue

Kristen Caretta

Last Friday, the FBI issued a warning about a security vulnerability that could be used by cybercriminals to make vishing telephone scams.

Vishing (combining phishing and voice) uses Voice over IP (VoIP) features to gain access to company information. In this case, the flaw was found in a free and widely used open source toolkit – Asterisk.

According to a posting on the Internet Crime Complaint Center, hackers who gain access and exploit the Asterisk flaw can potentially auto-dial thousands of people in an hour.

Security risk news spreads like wildfire and the FBI vishing warning was no exception — bloggers everywhere began weighing in. It was quickly learned, however, that the security scuttlebutt was actually an old issue.

According to a Digium blog post, the bug was originally found in March (AST-2008-03, a SIP guest permissions problem) and was patched for 1.2 and 1.4 versions of the software (1.6 releases were not vulnerable). The bug did not allow the arbitrary setting of caller ID and would work in only a limited set of circumstances.

It sounds quite similar to the telephone scams already known, no VoIP hacking necessary! The Federal Communications Commission already warns us about everything from the Mexico Collect Call Scam to the 90# Telephone scam.

Just another reminder to keep your information safe by making your passwords safer … and do your homework before going off on new exploits.

December 5, 2008  2:46 PM

Bank of America rolls out new secure online banking tool

Kristen Caretta

Bank of America has introduced a new security feature for customers – the SafePass Card. Adding more protection to transactions, the SafePass Card is Bank of America’s next layer of secure online banking.

Smartphones are being used as digital wallets, mobile online banking is occurring more frequently and Wi-Fi access points are turning into cybercrime hotbeds. The Georgia Tech Information Security Center’s Emerging Cyber Threats Report for 2009 cited malware, botnets, cyberwarfare and threats to VoIP and mobile devices as the top security threats to be aware of – all of which aim to steal your data.

It’s no wonder one of our largest banks is looking to provide more online peace of mind. With keystroke loggers infesting email, IM and (the recently popularized) infected links on social networking sites, cybercriminals can steal your two-step login information and gain access to your account. For customers wanting added protection, the SafePass Card generates a six-digit, one-time pass code, necessary to complete online transactions. Customers can either receive the pass code via text message or by purchasing a wallet-sized card ($19.95) that generates the code (think chip and pin meets Magic 8 Ball).

And who wouldn’t want more secure online banking? Malicious programs are on the rise and many companies are not prepared for them. Naspera Networks recently issued the results of a corporate network security survey. Two hundred small and medium-sized enterprises answered a series of questions probing them on network security and potential threats. According to the results, most companies surveyed were not as secure as they could be (or wanted to be). What were the networks’ weakest links? Respondents cited as the primary offenders computers not kept up to date, Wi-Fi security and encryption practices, unknown threats from mobile workers and laptops, an increased need to provide guest access and an overall lack of policy governing endpoint security.

The SafePass is a step in the right direction. Just don’t lose the card … or your mobile phone.
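The post does not say how the SafePass card or the text-message service derives its six-digit code, and the example below does not claim to reproduce Bank of America’s implementation. It is an added illustration using the counter-based HOTP scheme from RFC 4226 as a stand-in, to show what a keystroke logger gains and does not gain from such a code: a captured code is useless once accepted, because the server advances its counter past it, while a lost card is a live problem because whoever holds it can produce the next valid codes until the card is revoked. The `OneTimeCodeVerifier` class, its look-ahead window and the test secret are all assumptions made for the example; the secret is RFC 4226’s published test key, not a real credential.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return f"{binary % (10 ** digits):0{digits}d}"


class OneTimeCodeVerifier:
    """Server-side state for one token (hypothetical class for this example).

    Holds the shared secret and the next counter value the server is willing to accept.
    A small look-ahead window tolerates codes the customer generated but never submitted;
    everything at or below the last accepted counter is refused, which defeats replay.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5):
        self.secret = secret
        self.look_ahead = look_ahead
        self.next_counter = 0

    def verify(self, submitted: str) -> bool:
        for counter in range(self.next_counter, self.next_counter + self.look_ahead):
            # constant-time comparison so timing does not leak which digits matched
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.next_counter = counter + 1  # burn this code and any skipped ones
                return True
        return False

    def revoke(self) -> None:
        """Lost card: refuse every future code until the customer re-enrols a new token."""
        self.look_ahead = 0


# RFC 4226 test secret (published, not a real credential).
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    card = OneTimeCodeVerifier(TEST_SECRET)
    first = hotp(TEST_SECRET, 0)
    print("card shows", first, "-> accepted:", card.verify(first))
    print("same code replayed by a logger -> accepted:", card.verify(first))
    card.revoke()
    print("after revoke, next code accepted:", card.verify(hotp(TEST_SECRET, 1)))
```

The replay case is the point of the exercise: a keystroke logger that records the six digits alongside the password gets nothing reusable, which is why the bank can add this layer without changing the login itself. The window and revocation behaviour are the parts that matter operationally when a customer loses the card or phone.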

December 1, 2008  7:27 PM

Protect that Facebook profile: The risks of social networking sites

Kristen Caretta

Facebook is keeping people linked together both personally and professionally. Knowing that, it’s important to keep an eye on the security of your accounts on social networking sites — and the integrity of your online persona.

Facebook won an $873 million judgment against Adam Guerbuez of Montreal, after suing him for spamming Facebook users with sexually explicit messages. Guerbuez hacked into member profiles using phishing tricks to get users to give up their login details. Once in, Guerbuez used the compromised profiles to send out mass messages (4 million) to friends of friends.

My first thought when I heard about this: What if my account had been compromised and, as a result, my boss (and Facebook friend) received messages from my account touting male enhancement pills? That would certainly not be cool, Guerbuez. No poke for you.

One may ask why I would be Facebook friends with my boss — Facebook, the sacred, secret window into my personal life, littered with an assortment of pictures, wall posts and (dare I say it) “bumper stickers?” I keep it clean on my Facebook profile and usually follow the “don’t friend me, I’ll friend you” credo. I have noticed more and more people opting to have two Facebook accounts (although Facebook expressly forbids multiple profiles) – a personal one and a professional one. I have considered this myself but then thought, don’t I have a LinkedIn account for that? Furthermore, if someone searches for someone and finds two Facebook profiles (one with a Sears-style profile picture and one including a tequila shot-athon — both pictures clearly of that person) it may look a bit sketchy. Or smart?

Today, it’s especially important to keep it clean on Facebook – 22% of hiring managers check social networking sites before hiring someone. This number has doubled since 2006 and will continue to increase as an additional 9% of hiring managers plan on screening applicants online in the future. On top of that, 34% of the managers who screen have dropped candidates from their lists based on what was found in their profiles.
