One group I participate in is a mailing list from SANS. If you have not attended a SANS event or education, then you should try to get to one of their events. They are one, if not, the premier non-vendor related security and systems administration group in the IT industry. I posed the same question to this peer group and have had some very good responses. Some suggestions for solutions have come back and include:

Microsoft Office SharePoint (http://www.microsoft.com/sharepoint/default.mspx)

OpenText – Livelink (http://www.opentext.com/2/sol-products/sol-pro-llecm10.htm)

Webex Connect – (http://webex.com/enterprise/index.html) (There are other flavors for small & medium business)

 Accellion – (http://www.accellion.com)

These are very interesting solutions and I will certainly be looking at all potential candidates. One thing that bothers me about the SharePoint option is its security capabilities. SharePoint is typically Microsoft Active Directory integrated. This has major security implications and in fact CSO magazine has posted a recent article on this topic. I recommend that you read the article and understand what risks the SharePoint solution may open for your organization.

Why Security Pros Hate Microsoft SharePoint

Microsoft’s SharePoint collaboration platform is all the rage in today’s business world, especially since third parties gained the ability to plug security holes. But managing it can still be a nightmare for IT security shops.

I am still looking for more references and ideas for this solution, so please share what you are doing for your organization and it will be much appreciated by me and other readers.

Take for example the entry describing GoogleTalk. The site rates it as one of the top 5 internal threats.

The more we know about these risks the better prepared we can be. Thanks for your time. Let’s be good network citizens together & practice safe networking!

In the old facility some of the users were required to use a kiosk or standalone computer to access customer extranets using VPN. We wanted to make this easier in the new facility and get rid of the standalone computers and internet connections. As we approach each instance of VPN access, we have to ask the standard questions of what is the destination IP address and what ports need to be opened on the firewall for this service. I recently came across a customer technology staff member at another organization who was responsible for the remote access service but could not answer these standard application questions. The answer I was given was just open any-to-any ports for their destination IP (at least he knew their IP address for this service). I don’t think this was a junior staff member either answering the question. This is the person responsible for interfacing with suppliers!

Well, after walking around and burning off some frustration, I took some steps to try to identify how the application works and make firewall changes according to what I discovered. Working with my managed security partner I went through the following steps:

1. Configure a private client machine and designate as single source of traffic.

2. Define firewall rule to permit any traffic from this client to the destination IP.

3. Run VPN application  and capture details about TCP/UDP ports during the conversation.

4. Close the any-to-any rule and open ports discovered in step #3.

Well, things did work pretty well but apparently there are some other ports needed to be opened, so once again I am asking this customer to help us as their supplier to gain access to their network. We will see if I have to get someone else involved in his organization even though I was told he manages this by himself.

hmmmm… so have you ever had to train someone at another organization that you deal with how to do their job?

The Web Application Security Consortium (WASC) is pleased to announce the WASC Web Application Security Statistics Project 2007. This initiative is a collaborative industry wide effort to pool together sanitized website vulnerability data and to gain a better understanding about the web application vulnerability landscape.

Goals

1. Identify the prevalence and probability of different vulnerability classes 2. Compare testing methodologies against what types of vulnerabilities they are likely to identify.

The statistics was compiled from web application security assessment projects which were made by the following companies in 2007 (in alphabetic

order):

- Booz Allen Hamilton

- BT

- Cenzic with Hailstorm and ClickToSecure

- dblogic.it

- HP Application Security Center with WebInspect

- Positive Technologies with MaxPatrol

- Veracode with Veracode Security Review

- WhiteHat Security with WhiteHat Sentinel

The overall statistics includes analysis results of 32,717 sites and 69,476 vulnerabilities of different degrees of severity. The detailed information can be found here:

http://www.webappsec.org/projects/statistics/

This may be a great tutorial for you and/or your users.

CERTStation Media – Spam-Prevent.mp3

I just ran my monthly e-mail statistics and these are the results:

97,000 msgs/day inbound

8,800 msgs/day delivered to end users – 9%

22,200 msgs/day quarantined as spam – 23%

66,000 msgs/day blocked as spam – 67%

This month had higher than normal quarantine activity. Quarantine has been running about 15% and blocking around 75%.  How does your mail stack up?

Thanks for your time. Let’s be good network citizens together & practice safe networking!

Who is paying for all of this for NYC? Is this really where the city should be spending its dollars on risk mitigation? Maybe someone should share my thoughts on managing risk & vulnerability.

Thanks for your time. Let’s be good network citizens together & practice safe networking!

What I am referring to is the situation described in this article by David Jonas of The Transnational: Airport Laptop Seizures Debated in Washington. I know that I should have nothing to worry about if I do nothing wrong like any law abiding citizen of the world. However, what about the risk to an organization’s intellectual property?

Look at the comment …the laptop seizure policy is not analogous to physical searches of persons and belongings at airports: “Not only does the government get access to an unprecedented wealth of material with a laptop border search, but the government now has the ability to copy, store and analyze that information at its leisure. In traditional border searches, travelers carried their suitcases with them once they cleared customs. With laptop border searches, the government can keep everything in the computer in perpetuity.” So, who is responsible for the data once it is out of the traveller’s hands? What is the care & duty of the government with regards to a company’s intellectual capital?

This issue seems like a bureaucratic (and maybe totalitarian leaning – think “Big Brother”) nightmare! Who would be considered the appropriate person to review the data on a device? What is their liability if the device or data is damaged during their review?

I know I don’t have an easy answer to these nagging questions and it will take much better minds and skills than mine to work through the protection and liability issues for an organization. What mechanisms do you use to protect equipment and data during travel? Maybe this situation is a boon to shipping organizations. More people may be shipping their gear ahead of them when travelling across the border or use equipment at a remote site and transfer data across a network.

This situation is definitely one to watch and be concerned about as world citizens.

Thanks for your time. Let’s be good network citizens together & practice safe networking!

I found a great blog posting with links to some excellent Exchange resources. Keep this in your toolkit for those times you just can’t find the answer elsewhere to those nagging Exchange problems. I see lots of other IT people struggling with this system and looking for support here at IT KnowledgeExchange.

Some other Exchange resources I recommend are:

Microsoft Exchange Server Resource Site

E-mail archiving

Seven ways to organize your e-mail

MessagingTalk.org – Portal for Microsoft Exchange Messaging & Collaboration

Thanks for your time. Let’s be good network citizens together & practice safe networking!

Some ways to measure risk include:

How valuable is the asset?
How much of a threat exists?
What is the impact if the system/service is exploited?
Is the vulnerability rated high/medium/low?
Can the risk be reduced?
How easily can it be reduced considering costs, technology, staffing & skills?
What is the probability of the vulnerability being exploited?

You are asking yourself:
What are you protecting?
What can happen to it? – How can it happen?
What does it mean to the business?
How can the risk be reduced?
How likely is it to happen given the existing conditions?

Risk assessment goal: identify & prioritize risks.
Risk management goal: manage risks to an acceptable level. This can be done by:

• Mitigate: select controls; implement; monitor
• Transfer: purchase insurance
• Accept: do nothing
• Avoid: discontinue activity

Thanks for your time. Let’s be good network citizens together & practice safe networking!