Enterprise IT Watch Blog

September 13, 2010  12:29 PM

Email insecurity: How a GMail trick could trash your server

Melanie Yarbrough Profile: MelanieYarbrough

It seems innocent enough, forwarding your work email to your Gmail (hotmail, yahoo, etc.). Your work email will be more accessible: on the train, at home, on the go. You pat yourself on the back for working harder than anyone else in the office. They really ought to give you a raise.

The flipside, of course, is the risk of forwarding potentially sensitive corporate materials to a third-party email host, where your company and its IT security department have no means of protecting them. We recently had an IT Knowledge Exchange member ask about the ways to forward work email to Gmail, and the response we received from the community had one underlying theme: BE CAREFUL. So what, exactly, could go wrong?

David Vasta, one of our member bloggers, brings to light the possible legal repercussions.

You want to be very careful: you are now sending company mail that belongs to your company from your company-owned and -operated email to an external source. In most states it is considered Corporate Theft and it’s a felony.

For more of David’s thoughts on the subject, check out what he wrote for his blog: Question of the Day – Forwarding Emails.

Sc00ter63 gave brief instructions on how to go about forwarding emails, but informed our user that his company has the option disabled “because of the security issues that can arise with forwarding company email to a personal/civilian account.”

CallMeRich brings up an often-overlooked but important concern: bringing down your company’s mail servers. It could happen through the slightest oversight, such as setting up your work email to forward to Gmail and then setting up a Gmail “out-of-office” auto-response that gets sent to your work email, which is automatically forwarded back to Gmail, and so on until, within minutes, your Gmail account is full and your corporate mailbox grows to terabytes in size. This could in turn take down or seriously hinder your mail servers. Rich further warns that he’s seen this “simple gotcha” happen and it can be devastating.
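The loop Rich describes is easy to reproduce in a toy model, and the model also shows why it normally stops: RFC 3834 asks auto-responders to mark their replies with an Auto-Submitted header and never to answer mail that already carries one, and real vacation responders additionally reply to a given sender only once in a while. The code below is an added example written for this post, not something from CallMeRich, Gmail or the blog; the addresses are constructed, and it assumes a forward rule that re-sends the copy from the work address (a “forward”, not a “redirect”), which is what routes the auto-reply back to the work mailbox instead of to the original sender.

```python
"""Toy model of a forward/auto-reply mail loop and the two usual loop-breakers.

Added example for the blog post above; not code from the post, Gmail or
any mail server.  Addresses and the round cap are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Message:
    sender: str
    recipient: str
    subject: str
    headers: dict = field(default_factory=dict)   # lower-case header names


class Mailbox:
    """A mailbox with an optional forward rule and an optional auto-responder.

    honour_auto_submitted: never auto-reply to mail marked Auto-Submitted
    (RFC 3834) and mark our own replies that way.
    once_per_sender: reply to a given sender at most once (the throttle
    vacation responders normally apply).
    """

    def __init__(self, address, forward_to=None, auto_reply=False,
                 honour_auto_submitted=True, once_per_sender=True):
        self.address = address
        self.forward_to = forward_to
        self.auto_reply = auto_reply
        self.honour_auto_submitted = honour_auto_submitted
        self.once_per_sender = once_per_sender
        self.stored = []          # every message kept in this mailbox
        self.replied_to = set()

    def deliver(self, msg):
        """Store msg; return the new messages its rules generate."""
        self.stored.append(msg)
        out = []
        if self.forward_to:
            # Assumption: the forward rule re-sends the copy from this mailbox's
            # own address (a "forward", not a "redirect"), so an auto-reply to
            # the copy comes back here rather than to the original sender.
            out.append(Message(self.address, self.forward_to,
                               "Fwd: " + msg.subject, dict(msg.headers)))
        if self.auto_reply and self._should_reply(msg):
            hdrs = {"auto-submitted": "auto-replied"} if self.honour_auto_submitted else {}
            out.append(Message(self.address, msg.sender, "Out of office", hdrs))
            self.replied_to.add(msg.sender)
        return out

    def _should_reply(self, msg):
        automatic = msg.headers.get("auto-submitted", "no") != "no"
        if self.honour_auto_submitted and automatic:
            return False
        if self.once_per_sender and msg.sender in self.replied_to:
            return False
        return True


def pump(boxes, first, max_rounds=1000):
    """Deliver messages until the system goes quiet or max_rounds is hit.

    Returns (rounds used, messages stored per mailbox, in the order given).
    """
    by_addr = {b.address: b for b in boxes}
    queue = [first]
    rounds = 0
    while queue and rounds < max_rounds:
        msg = queue.pop(0)
        rounds += 1
        box = by_addr.get(msg.recipient)
        if box is not None:           # mail to outside addresses just leaves
            queue.extend(box.deliver(msg))
    return (rounds,) + tuple(len(b.stored) for b in boxes)


def simulate(honour_auto_submitted, once_per_sender, max_rounds=1000):
    """Work mailbox forwards to a personal one that has an out-of-office on."""
    work = Mailbox("alice@corp.example", forward_to="alice@personal.example")
    personal = Mailbox("alice@personal.example", auto_reply=True,
                       honour_auto_submitted=honour_auto_submitted,
                       once_per_sender=once_per_sender)
    first = Message("bob@elsewhere.example", work.address, "Quarterly numbers")
    return pump([work, personal], first, max_rounds)


if __name__ == "__main__":
    print("no loop protection:   ", simulate(False, False))  # runs until the cap
    print("RFC 3834 honoured:    ", simulate(True, False))
    print("one reply per sender: ", simulate(False, True))
```

With both protections switched off the run only stops because of the round cap, with the work mailbox holding one copy per round pair; either protection alone ends the exchange after four messages. The practical checks that follow from this: make sure your own auto-responders emit and honour Auto-Submitted, keep per-sender throttling on, and watch mailbox growth rate alerts, since a loop like this shows up as a sustained burst of near-identical messages between two addresses.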

What sorts of email security blunders have you run into or been careful to avoid?

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.

September 13, 2010  6:50 AM

What’s your strategy? (The answer is not “compliance.”)

Kevin Beaver Profile: Kevin Beaver

Compliance has become a threat to business, or at least that’s how I see it. It’s complex, it’s overlapping, it creates a false sense of security and it’s downright expensive – especially when it’s not done correctly. Compliance is one of those things that you can hardly do business with and certainly can’t do business without.

But compliance still exists and it cannot be ignored.

The major problem with compliance is that so many people view it as a substitute for reasonable information security and proper risk management. I was just looking at the Chronology of Data Breaches and shaking my head. Over 510 million compromised records and counting. Many of the breaches on this list are unbelievable and likely inexcusable. Sadly, I’m sure somewhere along the way someone – an auditor or manager – deemed these computers/networks/operations “compliant” with whatever regulation.

Just what is it going to take to keep our personal information personal? Not to mention “confidential” and “internal use only” business information confidential and internal use only.

The key is to never ever rely on compliance alone like I wrote about in this CSO Magazine piece. It’s just too risky. It may please some auditors or regulators in the short term, but it’s not a sustainable strategy. Period.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.

September 10, 2010  9:34 AM

The He-Said, She-Said of Information Security: Some quotes for Friday morning

Kevin Beaver Profile: Kevin Beaver

I find it amazing how some of the great quotes about life and business from both the past and present directly apply to information security and risk management today. Here are a few that really stand out to me:

“Learn to see in another’s calamity the ills that you should avoid.” -Thomas Jefferson

“There’s nothing stronger when you’re trying to get something done than common sense.” -Ned Jarrett

“If you believe everything you read, perhaps it’s better not to read.” -Japanese proverb

“All that is necessary for the triumph of evil is that good men do nothing.” -Edmund Burke

“I don’t know the key to success, but the key to failure is trying to please everybody.” -Bill Cosby

“The important thing is to not stop questioning.” -Albert Einstein

…and my favorite quote of all time:

“Use wisely your power of choice.” -Og Mandino

Think about these quotes and the real messages they convey. If you apply just one of them to your everyday decisions related to information security you can make grand improvements in your environment.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. You can reach Kevin through his website at www.principlelogic.com and follow him on Twitter at @kevinbeaver.

September 9, 2010  7:54 AM

The Seven Deadly Enterprise Security Sins, Part I

Michael Morisy Profile: Michael Morisy

While the security threat landscape has changed drastically over the last decade, in many ways the discussion about security, particularly at the popular level, hasn’t kept pace. High-profile breaches, attacks, clever workarounds and individual viruses grab headlines while more sinister, on-going threats often lurk below the surface, unseen and unheard of by an organization until it’s too late.


September 3, 2010  6:00 AM

Wireless-based surveillance systems: Who’s watching who’s watching you?

Kevin Beaver Profile: Kevin Beaver

As you likely know, there are numerous 802.11-based wireless security surveillance systems on the market. Some are targeted at home users while others are aimed at the enterprise. I’ve actually seen such devices at my clients’ locations. That’s all fine and dandy – many businesses need some type of security surveillance system – and why not go wireless? It can be a heck of a lot cheaper.

The problem is that these devices are often outside of the realm of typical network monitoring, maintenance, and security. The physical security folks install them and don’t notify IT. The IT folks may come across them and proclaim, “Those aren’t my devices to support.” The business ultimately suffers. How so? Well, given the lack of oversight, these devices are often installed with the defaults. Maybe WEP, maybe no encryption at all. Maybe a strong password, maybe the default. Furthermore, the central console often has a Web interface that’s wide open for anyone and everyone on the network to configure. Then there’s patching, audit logging and so on. All of these are critical functions of security – for servers, routers, and firewalls, that is.

Even though these wireless-based surveillance systems often provide a way into the network and contain sensitive videos, logs, etc., they just aren’t as important – at least that’s the way it appears in many cases. They just end up in no-man’s land waiting to be attacked from a bad guy across the street or a rogue insider who likes to play around.

Make sure these systems are on your – or someone’s – radar. If it has an IP address and an on/off switch, it’s fair game to those with ill intent.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. He can be reached through his website at www.principlelogic.com.

September 2, 2010  1:25 PM

A Tiny Toolbelt: Lesser-known wireless network security resources

Kevin Beaver Profile: Kevin Beaver

Managing and securing wireless networks is difficult enough, so why re-create the wheel? Well, you don’t have to, at least to an extent. There are several wireless network “standards” you can lean on for ideas, tips, and documentation to help bring things full circle in your wireless environment. Here are the documents you need to get to know – or at least bookmark – for future reference:

Center for Internet Security’s Wireless Networking Benchmark: Old but still relevant; contains wireless-related policies to consider as well as specific vendor configuration documents and information on performing wireless network assessments.

NIST’s Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i: A newer and much more in-depth document; in my eyes, the mac-daddy reference for wireless network security.

Last, and probably least, going beyond the standards are some free chapters of the book I co-authored, Hacking Wireless Networks For Dummies:

The important thing to remember is that no matter what these standards (or chapters) recommend, only you and your team know what’s best for your business and in your environment. Determine your risks and your risk tolerance and build it out from there.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. He can be reached through his website at www.principlelogic.com and you can follow him on Twitter at @kevinbeaver.

September 2, 2010  6:10 AM

Are your airwaves secure? Prove it with these tools.

Kevin Beaver Profile: Kevin Beaver

Once you implement your “secure” wireless network, the true test is to see how your airwaves and devices look from a hacker’s eye view. There are several must-have tools that can help you along with this. Keep in mind there’s a bit of knowledge required to operate these tools and interpret their findings but it’s not rocket science. With a little bit of reading and some hands-on practice you can use these tools to find out where your wireless network is (still) vulnerable.

In addition to a laptop computer with a mainstream network card, consider adding the following tools to your wireless network security testing toolbox.

  • NetStumbler (www.netstumbler.com/downloads) to find out what wireless devices respond to a “hey, anybody there?” request.
  • Kismet (www.kismetwireless.net) to find wireless devices that may not respond to NetStumbler requests, capture packets, and much more.
  • BackTrack (www.backtrack-linux.org) to be able to run Kismet and a ton of other wireless network tools directly from a bootable CD without having to fuss and cuss getting Linux to work with wireless drivers.
  • OmniPeek Network Analyzer (www.wildpackets.com/products/network_analysis_and_monitoring/omnipeek_network_analyzer) to capture packets, look for top talkers, analyze protocols, and practically anything else wireless-related, all in a very easy-to-use graphical interface.
  • AirMagnet WiFi Analyzer (www.airmagnet.com/products/wifi_analyzer/) for a really nice graphical representation of anything imaginable involving the 802.11 protocol.
  • CommView for WiFi (www.tamos.com/products/commwifi) for a great lower-cost wireless network analyzer alternative to capture packets, monitor the airwaves, generate packets (great for wireless packet injection), monitor bandwidth, and more. To me, the best thing about CommView for WiFi is its top-notch WEP and WPA cracking capabilities.
  • Aircrack-ng (www.aircrack-ng.org/) for a low-cost (free) way of cracking WEP and WPA-PSKs.
  • GFI LANguard (www.gfi.com/lannetscan) and QualysGuard (www.qualys.com) for in-depth vulnerability testing of the hosts on your wireless network including workstations, servers, access points, and more.
  • Acunetix Web Vulnerability Scanner (www.acunetix.com) and N-Stalker (www.nstalker.com) for vulnerability testing of the Web interfaces on your access points and related Web hosts.

As you go along with your wireless security testing endeavors, keep in mind the following two things about security testing tools: 1) You’ll likely need multiple tools to ensure you’ve looked at everything, and 2) With a few exceptions, you get what you pay for.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. He can be reached through his website at www.principlelogic.com.

September 1, 2010  4:25 PM

Virtual Roads, Actual Clouds: VMware 2010

Melanie Yarbrough Profile: MelanieYarbrough

Monday was the big kickoff for VMworld 2010, where attendees are promised virtual roads and actual clouds. The annual, four-day conference boasts over 200 exhibitors, 30 lab topics ranging from virtualized desktop infrastructure to VMware-powered clouds, and more than 170 breakout sessions this year. Not one of the 17,000 registered attendees at the conference? No worries, we’ve got you covered.

Among the topics being discussed at VMworld 2010 – and the enterprise at large – is how to change IT from a wallet leech into an efficient and essential link in the product delivery chain. Virtualization and the cloud will help IT transition into business-centric thinking, or at least that’s the hope. The opening keynote began with a sense of humor about itself, with a “humorous short movie that was attempting to describe and define Cloud Computing, it even enlisted the help of ‘The Oracle’ from the feature trilogy ‘The Matrix’ to try and define Cloud Computing to no avail.” Beyond the abstract goals of the conference, there are some exciting and concrete announcements coming from the Golden Gate city.

VMware’s vCloud Director, or what some are calling “a new model for consuming infrastructure services,” is available starting today: you can get your own per-VM 25-pack of licenses starting at $3,750. Excitement is balanced with industry experts criticizing vCloud Director’s complicated deployment requirements (i.e. don’t expect to float into the cloud without the help of third-party products and services).

Isilon announced its integration of iSCSI into the OneFS operating system, providing an option for block storage capabilities in addition to file storage.

NetApp announced integration with VMware View 4.5 for enhanced storage and desktop virtualization capabilities. You can also count on NetApp to support VMware’s vCloud Director.

Blade Network Technologies can provide automation, provisioning, and security for virtualized networks with VMready 3.0.

Xsigo announced “the industry’s first virtual I/O technology to leverage the standard Ethernet ports found on every x86 server.” Another step forward in the quest for better enterprise efficiency and data center convergence.

Can’t get enough of VMworld 2010? Search Server Virtualization has you covered with play-by-play coverage of the goings on at VMworld 2010 and daily updates on their Search Server Virtualization blog. What are some of your favorite announcements or sessions at the conference?

Melanie Yarbrough is the assistant community editor at ITKnowledgeExchange.com. Follow her on Twitter or send her an email at Melanie@ITKnowledgeExchange.com.

September 1, 2010  2:06 PM

Analyze That… Wireless Network

Kevin Beaver Profile: Kevin Beaver

If you do anything to support, manage, maintain, or secure 802.11-based wireless networks, having a good commercial wireless network analyzer is an absolute MUST. I say “commercial” because like most things IT-related, you get what you pay for. Commercial wireless network analyzers are easy to use, they can do lots of stuff right out of the box, and have good reporting capabilities. Did I mention they’re easy to use?

Anyway, two tools you really need to have on your radar are the following:

I’ve used both tools extensively; they’re solid, proven, and just work. All things considered, they’re not that expensive either.

The reality with wireless networks is that if you don’t have good tools, you’re not going to get good results. Period. So try these tools or scope out some others; just do something to get your hands on one. While you’re at it, take the time to read through the documentation, watch any vendor webcasts and so on to familiarize yourself with the tools. Ideally, you should take a class to learn both the tools and 802.11-based technologies. Doing so will make your job – and your life – much, much easier moving forward.

Kevin Beaver is an independent information security consultant, expert witness, author, and professional speaker with Atlanta-based Principle Logic, LLC and a contributor to the IT Watch Blog. He can be reached through his website at www.principlelogic.com.

September 1, 2010  1:55 PM

The unsung perils of Linux love and penny pinching

Michael Morisy Profile: Michael Morisy

There are few things I love more than dissecting old PCs and seeing what kind of FrankenComputers I can pull together. In my apartment, I have two dead towers, four deceased laptops and one deep-fried modded XBox, none of which I’m eager to part with. I’d have a hard time trusting any of these kludges, or even something a few notches sturdier, to run anything more mission critical than a puppy cam or media server.

Am I just a prude? Have I drunk too much enterprise vendor Kool-aid over the years? Steven J. Vaughan-Nichols had a good piece about deploying cheap Linux appliances which made me wonder:

I’m cheap. Given a choice between buying an elaborate, full-featured server requiring expensive technicians and administrators, versus turning an out-of-date PC into a single-purpose Linux server, I’m going to go with the Linux server every time.

It’s not that Linux isn’t expensive. It sometimes is. But if a department or a branch office just needs one or two specific server jobs, there are plenty of obsolete PCs and easy-to-set-up, special-purpose Linux servers that can fill the bill for little or no cost.

In the home office, where I’m my own IT, I couldn’t agree more, but the thought of second-hand boxen powering a branch office day in, day out, for critical needs sent chills down my spine: I’ve seen how bad makeshift deployments can get (check out our server disaster slideshow).

Trust my e-mail security and firewall to a device that I may or may not be able to access, that may or may not fail at a moment’s notice, and that my users may or may not be trying to load up solitaire on? No, thank you. But I decided to poll the ITKnowledgeExchange.com community for their thoughts, and as usual there were several thoughtful replies.

MrDenny said trying to save money up front would cost you down the road, particularly when it comes to maintaining that hardware on an ongoing basis:

I would say that if you need the remote server to be reliable and be online then no. Spend a few thousand bucks and get a new server with a support contract so that if the hardware at the remote office fails the vendor can send someone to fix it. This will also get you things like lights-out management so that you can power the server on and off if you need to.

Aquacer0 agreed:

It’s like insurance, one day you will regret not having it. I would spend the money on quality hardware with redundant components even for a small remote branch. If the remote branch needs multiple “services,” you can utilize VMware Server to provide multiple virtual servers on a single reliable platform.

So what do you think? Is there any scenario in which you’d trust a remote branch, either down the street or hundreds of miles away, with your main office’s castoffs? I would love to hear your thoughts, either in the comments or at Michael@ITKnowledgeExchange.com. And if you are brave enough to trust the fates with a box of a certain age, check out Vaughan-Nichols’s list of Linux utilities for common IT tasks, and let us know if there are any you would add.

Michael Morisy is the editorial director for ITKnowledgeExchange. He can be followed on Twitter or you can reach him at Michael@ITKnowledgeExchange.com.
