Oct 22 2009 4:33AM GMT
Posted by: Tony Bradley
Unified Communications,
UC,
Sipera Systems,
Aberdeen Research,
smart phones,
Wireless,
wi-fi,
Security,
Compliance,
webinar
If you’re free next Wednesday, October 28, you should mark your calendar and plan on attending The Final Frontier: Secure Unified Communications to Any Device in Any Place at 12pm Eastern time (9am Pacific).
Unified communications, like just about any useful technology, can be a double-edged sword. Often, for every benefit or convenience there is a tradeoff of increased risk and exposure. As organizations work to extend unified communications to smart phones and wireless devices, they face even more security and compliance challenges.
The webinar is being presented by Sipera Systems and Aberdeen Research and will include the latest research and industry trends, real-world scenarios from actual deployments, and best practices for deploying unified communications securely.
Oct 19 2009 2:45AM GMT
Posted by: Tony Bradley
Microsoft,
Office Communications Server,
OCS 2007 R2,
SCOM 2007,
System Center Operation Manager,
Management Pack,
Security,
protection,
monitor,
malware
For organizations that rely on Microsoft unified communications, Forefront Security seems like a natural fit. With components to protect and secure Exchange, SharePoint, and Office Communications Server, as well as client endpoints, Forefront Security provides comprehensive protection for a Microsoft unified communications environment.
To make things even easier to monitor and manage, Microsoft has developed a Forefront Security for Office Communications Server Management Pack for System Center Operations Manager 2007. Microsoft provides the following overview of the capabilities of this tool:
The Microsoft Forefront Security for Office Communications Server Management Pack for Microsoft System Center Operations Manager 2007 provides real-time insight into the health and performance of key Forefront Security for Office Communications Server (Version 10) components and services. The Microsoft Forefront Security for Office Communications Server Management Pack alerts the administrator to critical events affecting the security of their OCS environment. Proactive management of the Microsoft Forefront Security for Office Communications Server environment is facilitated through management pack activity reports on IM scan performance.
Feature Bullet Summary
- Monitoring of current license state
- Monitoring of Antimalware Engine health and update activity
- Monitoring of IM Scan Job availability
- Monitoring health of required Forefront Security for OCS services
- Reports on key Forefront for OCS performance counters
Sep 20 2009 2:51AM GMT
Posted by: Tony Bradley
Mobile,
Wireless,
Security,
Compliance,
DUST Model
Mobile devices are a critical component of enterprise communications and a core element of unified communications. They used to just be phones, but now they are more like tiny micro-laptops that fit in a pocket. With that increased functionality and ability to store massive amounts of data comes an acutely greater need for security.
An industry analyst firm has developed a model for managing mobile security and compliance. The DUST Model for Managing the Risk to Enterprise Mobility establishes guidelines and provides a framework for end-to-end compliance practices and security controls.
The guidelines have four primary components that make up the DUST:
- Devices
- Users
- Sessions
- Transactions
You can get more details on the DUST Model from this CRG Research Brief.
Sep 12 2009 3:31AM GMT
Posted by: Tony Bradley
VoIP,
Security,
steganography,
eavesdropping,
wiretapping,
NSA,
al qaeda,
terrorists,
secret message
Security researchers are increasingly concerned that hackers are close to developing tools for VoIP-based steganography. With hidden messages being transmitted secretly within the voice data, eavesdropping programs like the NSA wiretapping would be rendered useless.
Steganography hides a message within some other medium in such a way that only the sender and the intended recipient are even aware a message exists. If combined with some form of encryption to protect the message on the remote possibility that someone randomly stumbles across it, steganography can be a very powerful method of transmitting secret messages and data.
There have long been rumors that terrorist groups like Al Qaeda transmit secred coded messages to each other by using steganography to embed data within JPG images such as porn photos, or images associated with eBay auctions.
Steganography isn’t new. Even steganography on VoIP is not really new. What is new, and what concerns security researchers, is if tools become available to average users to enable anyone to use steganography over VoIP.
Government and law enforcement agencies in the United States (and other countries as well) use eavesdropping and wiretapping as a means of intelligence gathering for national security purposes. But, if two terrorist operatives use steganography over VoIP they will be able to transmit plans for the next suicide bombing or airplane hijacking secretly in the background while the NSA just eavesdrops on two people having an innocent conversation about which actor is the best James Bond (I vote for Roger Moore).
Sep 12 2009 2:12AM GMT
Posted by: Tony Bradley
Verizon,
AT&T,
BT,
IBM,
mobile service,
mobile communications,
Managed Mobility Solutions,
Security,
inventory,
expense
Verizon would love to be the sole provider of mobile communications services for every customer around the world. But, realizing that won’t ever happen it is going for the next best thing- managing mobile communications for customers regardless of the mobile carrier(s) they are using.
The concept is not ground-breaking in and of itself. Other technology service providers such as BT and IBM, as well as competing mobile carriers like AT&T already have similar offerings to help customers manage mobility throughout the enterprise and around the world.
Verizon is bringing a little something extra by including mobile security tools from Sybase and mobile expense management tools from Quickcomm Software Solutions. The resulting suite of services consists of five modules which can be mixed and matched to suit customer needs: inventory and expense management; logistics; mobile device management; mobile security and application management.
As the number one mobile service carrier in the United States, Verizon has a decent foundation to build on. We’ll see if the Verizon name combined with a different mix of tools is a recipe for success.
Sep 5 2009 3:03AM GMT
Posted by: Tony Bradley
UC,
Unified Communications,
VoIP,
Web 2.0,
facetime,
Sunbelt,
Unified Security Gateway,
malware
FaceTime is building more comprehensive security into its Unified Security Gateway thanks to a partnership with Sunbelt Software.
According to the press release, “Sunbelt’s anti-malware technology, designed specifically for the gateway, and its Threat Track(TM) data feeds have been licensed by FaceTime for integration with its Unified Security Gateway product. As part of the integration, FaceTime will deploy Sunbelt’s VIPRE(R) technology into its appliance to augment the protection provided by FaceTime’s Security Labs and the FaceTime WebFilter.”
What that translates to for you is a gateway appliance that performs both Web filtering and malware scanning at the perimeter to keep bad stuff out and good stuff in. The combination of FaceTime’s Security Labs efforts to identify Web 2.0 threats and SunbeltLabs malware research provide a formidable defense against emerging threats.
If you are using unified communications and/or Web 2.0 technologies in your network, the FaceTime Unified Security Gateway is probably worth investigating as a solution for securing and protecting your network.
Sep 4 2009 1:56AM GMT
Posted by: Tony Bradley
VoIP,
Unified Communications,
UC,
toll fraud,
Security,
Sipera,
Adam Boone
Implementing security controls after an attack or compromise of data is like shutting the barn door after the horse has already escaped…but worse.
Getting serious about VoIP and unified communications security after the whole solution is architected and implemented is costly enough. It is generally much easier and less expensive to implement sound security practices and controls organically as a part of the solution rather than tacking them on after the fact.
Sometimes architectural and procedural decisions made without security in mind are like water under the bridge and can’t be undone. You can put security controls in place, but they won’t be as effective as they could have been if security would have been a part of the initial design.
If you wait until after a successful attack or compromise of data you are just adding insult to injury. Its a double-negative. Now, on top of the more expensive, less effective security you were going to get by not thinking of security in the first place, you also have the expense of whatever financial impact or lost revenue the attack has, plus any potential damage to the reputation and credibility of the company.
Sipera VP of Marketing, Adam Boone, talked recently about just how costly it can be to forget about VoIP and unified communications security. Boone shared a story of a client victimized by toll fraud. Attackers placed 9,000 minutes of international calls turning the company’s normal phone bill of a couple hundred dollars to a $19,000 bill.
That’s $19,000 the company had to eat, on top of any security solutions it chose to implement to prevent similar attacks in the future. Shutting the door before the horse escaped would have saved it at least $19,000.
Is your VoIP or unified communications infrastructure secure? Are you planning to figure out the answer to that question now, or after it is compromised?
Aug 29 2009 2:43AM GMT
Posted by: Tony Bradley
VoIP,
UC,
Unified Communications,
Security,
breach,
security professional
In a past life I worked as a consultant for a very large global computer services firm. I was a lead security engineer and one of the first responders for incidents and virus outbreaks for a large, Fortune 100 customer.
The powers that be spent a significant amount of time and effort sucking up to the customer. The customer said ‘jump’ and we asked ‘how high?’ That included decisions about computer and network security and how to mitigate and resolve security breaches.
Well, leave it to me to be the rebel who said “um, didn’t they hire US to manage their security?” As far as I was concerned the value that we brought to the table and the reason they paid us was to let THEM know how to secure their computers and network, and to effectively and efficiently mitigate and resolve security breaches.
So, when I read a recent blog post titled ‘Why Not Leave Security to the Experts?’ it resonated with me. Whether its internal employees or external contracted resources, management needs to respect that security is a full-time role and let those who are focused on emerging attack techniques and trained in avoiding or blocking them do the job they were hired to do.
Here is the bottom line I learned while watching my management suck up to our large customer: they may like how compliant you are when you follow their direction and do what they ask no matter how stupid it is or how contrary it is to protecting and securing the network, but they also have short memories. When the proverbial ’stuff’ hits the fan you will still be held responsible for the failed security and the customer will conveniently forget that they’re the ones who requested that hole in the firewall, or whatever.
I am not suggesting security pros go around being cocky or abrasive- but confident and assertive is OK. You will prove your value more and establish yourself as an indispensible asset by firmly doing the job you were hired to do and not catering to the whims of those who don’t know what they’re doing.
This is true throughout IT and throughout information security. It has particular application these days though with VoIP and unified communications. Companies are racing to deploy unified communications technologies, but slow to understand the security risks or invest in the controls and technologies to secure it. When the system is breached, you will be the scapebgoat taking the heat so do the right thing and stand your ground to ensure management understands the risks involved.
Aug 27 2009 8:49PM GMT
Posted by: Tony Bradley
communications fraud,
toll fraud,
Unified Communications,
UC,
VoIP,
Security,
jobs
Did I get your attention? I thought I might.
Now, let’s step back and look at the perhaps questionable or dubious math I used to arrive at this sensational conclusion.
A recent worldwide survey by the Communications Fraud Control Association (CFCA) reported that the annual loss from communications fraud is about $80 billion (USD). Assuming an annual income of $30,000 - perhaps low for United States standards, but arguably quite high by global standards- that means that companies lose the equivalent amount of money as 2.6 million employees’ annual salaries.
So, could 2.6 million more people have decent paying jobs if we got communications fraud under control? I am sure the correlation is not that direct. If more money in the corporate coffers translated to more jobs or higher paying jobs then trickle-down economics wouldn’t be such an abysmal failure.
But, money is money. Assuming your employer could save 10% or 15% of the annual communications expenses by reducing or eliminating fraud it might make that next request for a raise go a little smoother.
Forgetting employees entirely- the company has its own interests to look out for as well. I assume the corporations can find better things to do with $80 billion. Relative to the losses, the investment in the tools and technologies to secure communications and prevent fraud is relatively small. Companies should view this report as a wake up call of sorts and use it to build the business case for funding that VoIP / unified communications security project that is pending approval.
