IT Productivity News   ---  

Many development organizations view security as a one-time activity during the development process. In these cases, security becomes the responsibility of one group within the organization, such as the QA team or internal audit department. Once the group signs off on an application, the organization considers it secure. However, web applications are not static systems. Changes to web applications create risk, and what was once secure can now be vulnerable. If security is a onetime activity, a vulnerability that enters the system after the audit can go undetected. Instead, you need to view application security as a process, included throughout the development lifecycle in order to create secure web applications. Add security into the practices of every team member associated with developing and running your web applications.

A study by Reserarch Concepts has found:

• Data breach prevention is a top priority: More than 80% of those surveyed rated protecting corporate data as an important initiative. By comparison, only 38% of those surveyed ranked complying with governmental regulations as very important.
• Data breach is common and costly: Fully 25% of those surveyed indicated that their organization had experienced a data breach in the past and more than 60% of IT managers felt that a data breach would cost their organization in excess of $10,000. Nearly 65% were very concerned that a data breach would result in public embarrassment and media scrutiny for their organization.
• Preventative measures are consistently undermined by employees: According to IT professionals surveyed, less than one in 100 employees consistently follow company data and computer security policy. More worrying is the fact that 72% of respondents felt that employees were responsible for the majority of data breaches.

Janco had a detail PCI Audit program included in its templates.

Although you can't entirely avoid card-related risk and compliance issues, you can lessen their impact by limiting storage of credit card numbers and reducing the overall scope of the PCI Standard on your organization. By eliminating all card numbers or only holding limited card data in a very small subset of your entire network, you can greatly narrow risk exposure and potentially reduce the impact of the PCI Standard on your organization.

• Server Consolidation - Server consolidation typically results in protocols such as CIFS (Common Internet File System) running over the WAN. CIFS, which was designed to run over a LAN, is a chatty protocol. In particular, the way that CIFS works is that it decomposes all files into smaller blocks prior to transmitting them. The server sends each of these data blocks to the client where it is verified and an acknowledgement is sent back to the server. The server must wait for an acknowledgement prior to sending the next data block. As a result opening a file that would take a fraction of a second before consolidating servers would take tens of seconds after the servers have been consolidated.
• Decentralized Work Force - Branch office workers need access to the same applications as do workers in a headquarters facility. However, the combination of consolidating servers into centralized data centers while simultaneously decentralizing the work force means that the vast majority of workers now access applications over a WAN instead of a LAN. The fact that there is a movement both to consolidate data centers and to move to a single-hosting model for applications has the effect of increasing the distance between remote users and the applications they need to access. This increased distance translates into additional WAN latency, jitter and packet loss. The impact of increasing the distance between the user and the application is often not well understood.
• Globalization - Combining globalization with server consolidation and a decentralized work force results in an even longer WAN link, and hence more WAN latency, between the remote users and the applications they need to access.
• Voice over IP (VoIP) - Users have come to expect 100% voice availability, fast call set-up and excellent quality. However, VoIP is very sensitive to network parameters such as delay, jitter and packet loss. As a result, when run over a packet network, voice does not always perform as well as it does when run on a circuit-switched network.
• Service-Oriented Architecture (SOA) - In a Web services based application, the Web services that comprise the application typically run on servers that are housed within multiple data centers. As a result of housing the Web services in multiple data centers, the WAN impacts multiple traffic flows and hence has a greater overall impact on the performance of a Web services-based application than it does on the performance of traditional n-tier applications.

The 11 areas of audit focus objectives are:

• Corporate Security Management

• Systems Development and Maintenance

• Information Access Control Management

• Compliance Management

• Human Resource Security Management

• Information Security Incident Management

• Communications and Operations Management

• Organizational Asset Management

• Physical and Environmental Security Management

• Security Policy Management

• Disaster Recovery Plan and Business Continuity

• Assumption: A job search will take no time at all or I have nothing to worry about.
  
  Reality: There is no guarantee how long it will take to find a new position many have found that an easy job search can take between 3 to 6 months... Finding the right opportunity is easy. You might find the right position but there is no way to ensure that you are even offered the job. Many hiring managers may take several weeks to respond to your application. After all, they have full-time jobs with demands of their own, and hundreds, if not thousands, of resumes to review.
  
• Assumption: I am so skilled and in so in demand that I need to send out only a few resumes.
  
  Reality: Finding a job is a numbers game and the more resumes you send out and the more peers that know that you are looking the greater the chances are that you will find and be offer the right job. A hiring manager may receive countless resumes for an open position. That is why it not smart to hold out for the "perfect" job, which you might not find - which might not even exist – or which you are not offered.  At the same time as you send out resumes, networking with members of your professional network is one way to maximize your time and effort. Many hiring managers give preference to personal recommendations and may move your resume to the top of the pile if someone you know puts in a good word for you.
  
• Assumption: The resume and cover letter sent out are perfect and need no changes
  
  Reality: Each cover letter should be customized for the enterprise, the hiring manager, and the position desired.  Enterprises look for results and view them as the reason that they most often hire IT Professionals.  At the same time the results should be directed towards the position that you are looking for. 
  
  A resume is employment and education chronology and should be no longer than 1 page and the cover letter so be directed to the enterprise and should stand out in a positive way to the hiring manger.  After reading both the hiring manger needs to be left with the thought that "I need to know more about this candidate.
  
• Assumption: My skills are in high demand and are needed by almost every company.
  
  Reality: You are one of many – supply and demand are driven by factors outside of your control.  A common mistake may IT professionals make is overestimating their marketability. Although they may think their skill set is solid but they may not be the best of the best.  Value and results performance are what drive success in IT and the hiring manager needs to see that you provide the best value for the salary in any given position.

Adobe said that it is committed to open architecture and by passing the copyright to ISO they now have a product that competes with MicrosoftÂ’s Office Open XML, a proprietary XML-based document format it built for its Office 2007 productivity suite, to the ISO. The ISO approved OOXML on April 1 in a controversial vote that is still being contested by some of the standards bodies that took part in it.

A group calling itself "NetDevilz" claimed responsibility for the hack, which Thursday morning temporarily redirected visitors to the sites for IANA and ICANN (Internet Corporation for Assigned Names and Numbers).

Users who tried to reach iana.com, iana-servers.com, icann.com and icann.net were shunted to an illegitimate site. According to a screen capture of the defacement snapped by zone-h.org, the bogus site simply displayed a taunting message claiming ownerhship of the assignment processes.

• Install a robust firewall and SPAM filter at the front end of the corporate mail server
• Improve SPAM filters on both desktops and smart phones
• Provide company owned laptops and smart phones that have robust SPAM filtering software and
• Limit the accessibility to POP and non-company mail servers

Without systems in place to keep applications and data flowing after a natural disaster or other interruption, a business risks losses that extend far beyond a manufacturing plant or data center. Many businesses incur ongoing financial loses, damage to a businesses' reputation, and possible regulatory and legal sanctions. In a worst-case scenario like 35% of the companies that FEMA estimated, a company can find its existence threatened.

How can an organization tackle disaster recovery and business continuity issues effectively? How can it develop a strategy that reduces risk and increases the likelihood of success? And how can it devise a roadmap for coping with constant change? There are no easy answers, but the Disaster Recovery Planning Template with the Security Manual  Template are a step in the right direction.

Park City, UT -  The prospect for IT professionals is not good. Janco has found that IT compensation growth remains flat, hiring is limited to key replacements, and discretionary spending has been cut back and in many cases eliminated. The CEO of Janco said, "As we collected compensation data for our mid-year 2008 IT Salary Survey we found that at the end of the first quarter businesses turned off the faucet for IT spending. Many businesses, in response to economic projections, slowed down and halted discretionary spending for software and hardware as well as placed hiring requisitions on a slow track."

  The summary findings in Janco 2008 Mid-Year IT Salary Survey are:

• Hiring demand is now the lowest it has been since 2004. Many enterprises have stopped hiring except for key replacements and those positions are being replaced at lower salary levels.
• Enterprises have slowed down and in many cases eliminated discretionary spending by IT. This has resulted in fewer projects being initiated, consultants use being reduced (if not eliminated), and a slow-down of initiatives that had already been approved.
• In the last twelve (12) months the increases in compensation for most IT Professionals were lower than increases in the cost of living.
• The mean increase in compensation for CIO's was less that 1.5%. The mean compensation for CIOs in large enterprises now is $179,823 and $171,755 for CIOs in  mid-sized enterprises. (Large enterprises have over $500 million in revenue and mid-sized have are $100 to $499 million in revenue).
• The mean compensation (which includes bonuses) for all Executive IT positions surveyed now is $144,645 in large enterprises and $131,763 in mid-sized enterprises.
• Positions that were in high demand in the 4th quarter of 2007 such as CSOs and others to develop new Web 2.0 applications are now back to normal hiring patterns.         
• Administrative positions in some IT functions are now being looked at as those that are expendable

They said that Without competition, the free enterprise system suffers. It is true across all segments of industry, and that includes the business of agriculture.

The American Corn Growers Association represents part of a thriving industry knows it has to adapt and change to survive market conditions through the years.

An AGCA spokesperson said it is no different for the family farmers out there, who have come to use search advertising as a way to mitigate risks associated with supplying customers and their businesses. Fewer providers, they fear, means higher prices.

Responding to the bank's delay in reporting one incident, which was not disclosed for over three (3) months, the Connecticut Governor said: "The disastrous effects of identity theft are virtually instantaneous in today's computerized world, and the lag time between the theft and the notification only aggravates what is an already outrageous situation."

BNY Mellon's chief risk officer said the bank now plans to improve security related to backup tapes. From Computerworld - "To bolster its security controls, the bank said it will now require that any confidential data written on tapes or CDs for transport must be encrypted or transported with undisclosed additional data protections. Further, when "technically feasible," the bank will demand that encrypted confidential data be delivered to off-site facilities electronically".

After exposing 4.5 million people to identity theft, it seems the notion of tape encryption suddenly popped into their heads. 

One in four workers said they plan to stay connected with work while they are on vacation this summer, a percentage that has nearly doubled in the last two years, according to a survey released by CareerBuilder.  The bulk of these hyper-connected workers were in the IT industry. Beat out only by sales workers, 37 percent of IT workers said they planned to check in while away.

Yet while IT workers also led the way in the requirement to be connected in the off-hours - 19 percent said working, checking voice mail and/or e-mail while on vacation was mandated by their employers - the reverse of this is that four in five IT workers are checking in with their jobs while on vacation on their own volition.

The Solutions Research Group study found that 68 percent of Americans feel anxious when they are not connected in one way or another. This disconnect anxiety (feelings of disorientation and nervousness when a person is deprived of Internet or wireless access for a period of time) affects all age groups, describing their feelings when offline as dazed, tense, inadequate and even panicked.  The study also found that 63 percent of BlackBerry users admitted to having sent a message from the bathroom.

In fact, this concept of "technology addiction" has gone so far that U.S. psychiatrists are considering adding this "compulsive-impulsive" disorder to the next release of the DSM-V (Diagnostic and Statistical Manual of Mental Disorders) in 2011.

Firefox version 3.0 has a cleaner look and is significantlty faster than prior versions.  One issue over the long terrn will be the exposure to security breaches with the Master Password feature.

IE 8.0 will default to a standards-compliant rendering of Web content -- an approach that had been pushed by site developers in lieu of a mode that stresses compatibility with IE7. A new tag, which can be applied on a per-page basis or site wide, instructs IE8 to display the content as would IE7. Browsing with this default setting in IE8 may cause content written for previous versions of Internet Explorer to display differently than intended

The first beta of IE8 is not exactly in widespread use. According to the latest data from Janco Browser and Operating System Market Share Study IE8 Beta 1 accounted for just .03% of all browsers used in May 2008. IE7, by comparison, held the top spot with a market share of 30.07% and IE 6 at 34.22%.

What many vendors do not realize is there are a large number of users who just do not like to change. These people are not technophiles, they are just users who comfortable with what they are using and they do not want to deal with the risk that something they depend on does not work.

Many feel that just because a product is old it does not mean it do not meet their requirements. Eventually as their computers get replaced they will move to a new version of an OS and Browser because that is what the computer comes with.

A great example of this reluctance to change is Vista. After 18 months, many have not moved to it because they do not to risk what they have that works with something new.

Another example is seen in a a survey by Opinion Research Corp. which found that non-iPhone and non-BlackBerry smart phones were the single most-returned gift during the most recent holiday season; more than one-fifth of those purchased were brought back to stores. Why? The top reason was the inability to understand the setup process.

Returned gadgets are bad enough for the companies that make them, but the survey also found that almost 16% of those polled said that trouble with phone setup 'significantly worsened their perception of the company that manufactured the product."

The summary findings in Janco's June 2008 Browser and OS Market Share White Paper are:

• Firefox's market share now is 15.05% versus 19.06% in January 2008

• IE's market share is 65.50% versus 66.72% in May 2007 and 61.06% in January 2008

• Netscape's market share has remained at the same level (10.64%) as before the announcement that it would no longer be supported.

• Google Desktop is gaining in popularity and now commands 3.27% of the market

• Microsoft's Vista continues to have a slow acceptance and is on approximately 14.55% of internet connected desktops.

A summary of Janco's browser market share data can be found on the IT Productivity Center's (ITPC) web site (http://www.itproductivity.org/browser.php) .  In addition the full white paper with excel spreadsheets can be purchased for $249.

The attack in China and Taiwan is ongoing. In addition with the impact of the earthquake and the associated relief efforts, the attack is having a huge impact. Even if they cannot successfully insert malware, they are killing lots of Web sites right now, because they are just brute-forcing every attack surface with SQL injection, and hence causing lots of permanent changes to the victim Web sites.

In a SQL injection attack, an attacker attempts to exploit vulnerabilities in custom Web applications by entering SQL code in an entry field, such as a log-in. If successful, such an attack can give the attacker access to data on the database used by the application and the ability to run malicious code on the Web site.

Mass SQL injection attacks have increasingly become a security threat. In January, tens of thousands of PCs were infected by an automated SQL injection attack. That attack exploited a vulnerability in Microsoft Corp.'s SQL Server.

Thousands of Web sites have been hit by the attack, he said, noting that 10,000 servers alone were infected by malware on Friday. Most of the affected servers are in China, while some are located in Taiwan. The attackers appear to be using automated queries to the Google search engine to identify Web sites vulnerable to the attack, he said.

The attackers in the more recent outbreak are not targeting a specific vulnerability. Instead, they are using an automated SQL injection attack engine that is tailored to attack Web sites using SQL Server. The attack uses SQL injection to infect targeted Web sites with malware, which in turn exploits vulnerabilities in the browsers of those who visit the Web sites.

The malware injected by the attack comes from 1,000 different servers and targets 10 vulnerabilities in Internet Explorer and related plug-ins that are popular in Asia.

The 27-count indictment, returned in Central Islip, N.Y., charges a Ukrainian , and an Estonian with wire fraud conspiracy, wire fraud, conspiracy to possess unauthorized access devices, access device fraud, aggravated identity theft, conspiracy to commit computer fraud, computer fraud and counts of interception of electronic communications.  In addition a one-count complaint charges a Miami resident with wire fraud conspiracy related to the scheme.

According to the indictment and complaint, they engaged in a scheme in which they hacked into cash register terminals for restaurants at various locations around the United States in order to acquire credit and debit card information. The defendants then sold the stolen data to others who used it to make fraudulent purchases or re-sold it to make such purchases, causing losses to financial institutions that issued the credit and debit cards.

The data included the customer account number and expiration date, but not the cardholderÂ’s name or other personally identifiable information.  The indictment alleges that in or about May 2007, gained unauthorized access to the cash register terminals and installed at each restaurant a packet sniffer, a malicious piece of computer code designed to capture communications between two or more computer systems on a single network. The packet sniffer was configured to capture the credit card data as it moved from the restaurant point-of-sale server through the computer system at the companys corporate headquarters to the data processors computer system. At one restaurant location the packet sniffer captured data for approximately 5,000 credit and debit cards, eventually causing losses of at least $600,000 to the financial institutions that issued the credit and debit cards.