PENETRATION TESTING VS. VULNERABILITY SCANNING |
I am often amazed at how a vulnerability scan is sold as a penetration test. On more than one occasion, I have audited a financial institution that has a 300-page “penetration test” report that consists of nothing but a listing of vulnerabilities discovered by some vulnerability scanning tool.
Here’s a first clue: if your penetration test report is longer than 10 pages, you’ve probably got a vulnerability scan.
INFORMATION SECURITY & PRIVACY REGULATORY COMPLIANCE: THE RED FLAGS RULES |
If you are a financial institution or a creditor, you should already know about the Red Flags Rules and how they affect your organization. Even if you are not a financial institution, if you don't know what the Red Flags Rules are, you will want to keep on reading.
Many institutions which would not normally be affected or regulated by the Federal Trade Commission (FTC) are in fact now regulated by the FTC as it relates to identity theft, based on the Red Flags Rules. If you are deemed to be a creditor, you will be affected by the Red Flags Rules. The penalty for being out of compliance with these rules is ten times more damaging than under HIPAA, so this is serious business.
INFORMATION SECURITY & PRIVACY REGULATORY COMPLIANCE: PAYMENT CARD INDUSTRY (PCI) DATA SECURITY STANDARD |
The PCI Security Standards Council has created a document, “10 Common Myths of PCI DSS,” which helps to highlight the main elements involved in implementing any security program and which debunks many of the myths surrounding information security.
https://www.pcisecuritystandards.org/pdfs/pciscc_ten_common_myths.pdf
The first myth this document discusses is that in information security there can be found a “silver bullet,” a single product that can provide any institution with total coverage of its information security. Unfortunately, this silver bullet does not exist. Instead, when considering one’s security and the procedures, rules or devices which need to be implemented, consider them as part of a holistic security system designed to protect the institution at every exposure point.
INFORMATION SECURITY & PRIVACY REGULATORY COMPLIANCE: DEFENSE INDUSTRIES – YOU DON’T HAVE TO BE FASTER THAN BEAR… |
When reviewing information security strategies, you can learn a lot from the Department of Defense (DoD) and how it does things. There is no doubt that the DoD has a genuine and defined threat to their information, even their unclassified information, and examining how they structure their security profile might help inform your company’s efforts.
The DoD administers the National Industrial Security Program to help defense contractors secure the information they were provided. This article examines how defense contractors are expected to handle and secure unclassified documents. Classified security is beyond the scope of this article.
INFORMATION SECURITY & PRIVACY REGULATORY COMPLIANCE: HIGH-TECH |
First, if you’re reading this, let me say “thank you.” I run into so many high tech firms that have not even considered information security, until it is too late that is. It’s enough to make a grown man cry. Or write an article about it!
Second, let me assure you that there is a structure that is measurable and concrete and that can provide your firm a measure of protection vastly superior to the current method of applying whatever security add-ons vendors choose to provide.
INFORMATION SECURITY & PRIVACY REGULATORY COMPLIANCE: NIST SUPPORT FOR HIPAA |
The National Institute of Standards and Technology (NIST) has done something wonderful with Health Insurance Portability and Accountability Act (HIPAA) security standards: they have made them easier to understand!
INFORMATION SECURITY & PRIVACY REGULATORY COMPLIANCE: THE GRAMM-LEACH-BLILEY ACT |
As any banker will tell us, theirs is a heavily regulated industry. With regulations from A to Z and then some, banks spend up to two out of every three operational dollars on meeting regulatory requirements. Think of it this way: banks and credit unions are a national resource with regulatory safeguards that virtually require them to be able to survive a nuclear attack. With that as our yardstick, how does our business continuity plan compare?
INFORMATION SECURITY & PRIVACY REGULATORY COMPLIANCE: WHAT DO WE NEED TO KNOW? |
This is the first of a series of white papers that will cover issues related to Information Security & Privacy Regulatory compliance. This is an effort on the part of TNS to demystify the issues regarding what information security & privacy regulations cover, to what level of detail, what you need to know to be in compliance with them, and what benefits and risks are involved. Think your organization’s information security and privacy are not regulated? Think again!
THE WILD WORLD OF WI-FI AND YOUR LAPTOP |
Wi-Fi networks give users the freedom to access the Internet just about anywhere – from home, the office, local neighborhood businesses, and sometimes even parks and other outdoor spaces. However, with this accessibility comes risk. My advice when it comes to using Wi-Fi networks is this (from the movie “Body of Lies”) – “Trust no one, deceive everyone.”
SUSTAINABLE INFORMATION TECHNOLOGY SERIES – SERVER ROOM & DATA CENTER SETUP |
The proper setup of a server room is certainly not at the top of most small businesses’ lists of mission-critical issues, although perhaps it should be. Over the years, we have seen many server rooms and data centers, some good and some not so good. (The worst we’ve seen was sharing space with a men’s room!)
What most surprised us was seeing how some medium and large businesses operate their server rooms and data centers. Some may appear to be well designed and maintained, but this façade is quickly revealed when the power or HVAC fails. Even the best-designed data centers that follow all best practices have failed, despite all their built-in protections. And some have failed repeatedly over the course of a few months.
SUSTAINABLE INFORMATION TECHNOLOGY SERIES – THE PHILOSOPHY |
Why is it so difficult to run Information Technology (IT) with few or no issues? To create an IT environment that is revered for its innovation rather than for its ability to recover from failure?
Many IT Departments and many of the people who work in and manage them qualify as workaholics. They’re working just to work. For a workaholic, a large part of the recovery process is to recognize the issue and to work smarter, not harder. One thing that can be an “enabler” is the illusion of dedication. In reality, those who appear to be very dedicated are often not so much dedicated to getting things done as to being at work, appearing to be responsible for and accomplishing highly important things.
INTRODUCTION TO VOICE & SPEECH RECOGNITION |
The subjects of voice and speech recognition are often confused, and the terms are often misused. Knowing what is being spoken is very different from knowing who is speaking. Voice recognition focuses on who is speaking (it is a synonym for speaker recognition, a way to tell one speaker from another), while speech recognition concentrates on what is being spoken.
INFORMATION RETENTION POLICY – TO SHRED OR NOT TO SHRED, THAT IS THE QUESTION |
Many of us remember when news of the Enron scandal broke and the details of the extent of the scandal started to come to light, but most of us were not aware of the fall of Arthur Andersen LLP that was closely related to the fall of Enron. Founded in 1913, Arthur Andersen was once one of the Big Five accounting firms; it lost that elite status when it was convicted of obstruction of justice in June of 2002 in relation to the Enron scandal. As details of the scandal started to emerge, managers of Arthur Andersen instructed certain Enron-related auditing documents to be shredded.
THE MOVERS ARE HERE – ARE YOU READY? |
Nearly every growing business moves at least once. TNS has been involved with countless office and data center moves over the years, and we have found there are several key considerations that make moves easier and less disruptive, and therefore less costly both financially and emotionally.
THE ART OF COMPUTING SERIES - DEVELOPMENT OF PCI EXPRESS TECHNOLOGY |
PCI Express is the successor to PCI and AGP. Unlike PCI and AGP, which are 32- and 64-bit parallel buses, PCI Express uses high-speed serial link technology. PCI Express reflects an industry trend to replace legacy, shared parallel buses with high-speed point-to-point serial buses. The new bus technology will allow PCI Express transmission rates to keep pace with processor and I/O advances.
HAVE A GREENER WORLD – MODERN TECHNOLOGIES & GLOBAL WARMING |
There is no longer any doubt that burning fossil fuels in any form contributes to global warming. And powering electrical appliances requires burning fossil fuel to generate the needed electricity. According to Consumer Reports, putting a computer on system standby or hibernation mode 12 hours out of every 24 would save about 576 pounds of CO2 annually. Certainly turning the computer off saves even more energy. The same power-save mode is now available with many other types of office equipment like printers and copiers. I often wonder why we can’t take it a step further and build equipment with timers, so we can program them to turn on at a certain time and also go to sleep when they are idle. It would cost $5 or less to have such logic circuits built in.
THE ART OF COMPUTING SERIES – DEVELOPMENT OF SATA TECHNOLOGY |
In the past several years, Serial Advanced Technology Attachment (SATA) has developed as a technology in the low end of the enterprise-class storage market. SATA has shown that there are alternative technologies to expensive Fibre Channel (FC) and Small Computer System Interface (SCSI). SATA has made significant gains not only in desktop applications, but also in server applications.
THE KEY TO SUCCESS - PASSWORD & YOU |
Passwords are quite literally the key to your success these days, or at least the key to protecting your success. They protect the fortunes you own (bank, credit card and investment accounts) and the deepest secrets you do not want to share with just anyone (your medical records, your prescription list); they also protect your career, the assets of your organization and sometimes the future of your organization. They protect some of your privacy and the privacy of the customers of your organization.
IT IS NOT ABOUT WHAT YOU RESTORE BUT WHAT YOU RECOVER! |
The most common thinking when it comes to Backup vs. Recovery is that the backup process is what is most important. In reality, having the ability to recover fully is what is paramount.
FASTRACK FOR INFORMATION HIGHWAY – APPLICATION SWITCH |
Imagine that in order for us to get to our destination, we all have to go through the same toll booth and then cross a bridge with only one lane. Sound daunting? Well, this is a good metaphor for Internet traffic when it first came into existence. Obviously, such a bottleneck would quickly become unacceptable as we all became increasingly tired of waiting. Then someone had an idea to install more booths and build more lanes so that more traffic could move through more swiftly, reaching its destination in a shorter period of time. This is similar to what we have today: a switching network. However, eventually a switching network also becomes inadequate because there is simply too much traffic: important traffic, not-so-important traffic, useless traffic, and even some harmful traffic. Unfortunately, there is no way for the switches to tell all these different types of traffic apart, and so all the traffic competes for limited toll booths and lanes, and just like rush hour traffic, all one can do is wait.
INTRODUCTION TO POLICY-BASED FILE AREA NETWORK |
As we go further into this digital world, digitizing anything and everything possible, we create hundreds and thousands of files scattered in hundreds of millions of PCs and servers, resulting in more and more storage across many different types of network architectures. For most computer users and organizations, our digital information is becoming a lot like our garages before Spring cleaning: for some, the garage just keeps getting crammed with more and more stuff, and there is never any Spring cleaning because it’s just easier to leave it alone than to face the daunting task of trying to sort through all the junk.
THE ART OF COMPUTING SERIES - DISK PERFORMANCE |
All of us know that our computer disks are where we keep our digital files. These days we do use USB memory sticks for temporary file storage and transportation of data, the way we used to use floppy disks. Some computer users in parts of the world are actually still storing data on floppy disks. However, by and large, individuals store their personal digital contents in files and folders on their computers, the same way organizations like banks, on-line shopping sites, corporations, and government departments do—storing business and mission-critical data on massive disk storage. Today, nearly all the data we have access to comes from some form of computer disk storage, somewhere. So what’s the big deal? That sounds pretty straightforward, right?
INTRODUCTION TO IP SAN |
There is no question that the Internet is becoming the predominant medium for carrying massive amounts of digital information in an expanding digitized world and in a highly redundant, distributed, and resilient way—much more so than its original designers could have imagined. Increasingly, the Internet functions as the backbone not only for email (email being the single most used and most mission-critical application of all) but also for all sorts of raw data, financial information, knowledge content, and business transactions. The Internet also carries voice (in the form of Internet-based, long distance telephone) and video and, if things go the way I think they will, it will become a virtually boundless digital storage medium for the masses.
COMPUTER STORAGE ARCHITECTURE – FROM ANCIENT STONE AGE TO MODERN COMPUTER STORAGE |
Our ancestors used to carve on stones to record their important events, histories and stories. Then, the Chinese invented paper and methods for mass producing it some three thousand years ago, after getting tired of carving on stones and bamboo. This made storing information much easier and less labor-intensive. Paper has remained throughout the last three thousand years the primary medium for societies to record information.
However, there are many issues related to the use of paper for storing information. For one thing, paper is not very durable. It can also be quite heavy, although not as heavy as stone! But by far the biggest issue with paper is accessibility: finding the information that we need within a document quickly and easily.
THE STATE OF STORAGE MANAGEMENT |
Can we keep our storage running cost effectively if we do not know how and where we store our data? Now, how about all those duplicated copies?
What is the total cost of losing a valuable file or, worse, a whole disk full of valuable data? The answer will be different for each one of us, but we know it will be much more than what we paid for the storage hardware we used to store it in the first place.
THE COLD WAR OF ECONOMIC ESPIONAGE |
The cold war of ideologies and military domination may be over for now, but the war of economic and financial domination rages on, fiercer now than it ever was. There are no clear front lines or alliances in this not-so-new war—a war waged by individuals and corporations that is ongoing and which started long before the cold war of the 20th century.
INFORMATION TECHNOLOGY KNOWLEDGE MANAGEMENT & HUMAN CIVILIZATIONS |
As human beings, one difference between us and others of the animal kingdom is that we document our knowledge, experiences, imaginations, re-usable patterns, and thoughts. We do not just depend on our DNA to pass down what we know and who we are to the next generation. With the documentation of our knowledge and experiences, we have achieved significant and powerful advantages over our competition over the course of our existence.
THE SECURITY FRAMEWORK FOR INFORMATION TECHNOLOGY |
Most of the damage to Information Technology (IT) security is not from outside malicious attacks, but rather from simple mistakes and the unintended or unauthorized actions of legitimate users and IT engineers who are either untrained in security and/or who have misunderstood the instructions from management.
DIGITAL INFORMATION SECURITY DOMAINS |
In the world of Information Technology (IT) security practices, there is, at this time, no clear definition of what a Security Domain is. Different IT security practitioners have their own definitions for the Security Domains that they think make sense.
So what generally is a Security Domain? To us at TNS, a Security Domain is composed of a group of similar security-related items or issues. When put together under a common category, these become a Security Domain.
DIGITAL INFORMATION AGE DECEPTION – SOCIAL ENGINEERING |
Social engineering has been around for as long as there have been human societies and individuals willing to try to manipulate others. Social engineering is the art and the science of getting what you need or what you want by using deception and other techniques based on the fundamentals of human psychology.
BUSINESS CONTINUITY PLAN |
According to Gartner Group, an industry consulting firm, two out of five companies that experience a catastrophic event or prolonged outage end up shutting down for good. And of those that survive, one out of three goes out of business within two years. That means a full 60 percent of all organizations affected by a major disaster go out of business for various reasons, including the cost of trying to resume operations and losing the goodwill of customers.
RULE OF LAW FOR DIGITAL INFORMATION WORLD – SECURITY POLICY |
Having a sound digital information security policy can and will benefit an organization in many ways. It serves as a framework for an organization to operate in this digital information world with a set of overarching guiding rules. It is evidence that the management of the organization is serious about safeguarding its proprietary information and trade secrets, and it lays out a solid foundation when legal disputes are necessary, thereby reducing the liability of the organization.
DIGITAL INFORMATION SECURITY |
Today’s digital information has become the backbone of hundreds of billions of dollars worldwide spent annually on the digital economy. In fact, the command and control centers for the United States armed forces would fall apart if mission-critical digital information were unavailable or compromised. Corporations and organizations worldwide, large and small, would cease to function if we took away their digital information.
But how secure is our digital information? Is our digital information protected from natural disasters, computer hackers and human errors?
The answer is a resounding “no.” Almost everyone knows someone who lost data on a Personal Computer (PC) because of a virus, hacker, hardware issues, Internet-related faults or identity theft.
DIGITAL IDENTITY – AUTHENTICATION, ACCESS CONTROL & RIGHTS MANAGEMENT |
We already have the technologies to make everything described in this white paper work. But as of yet, nobody has put it all together. And for the most part, none of these technologies can work with each other in any sort of meaningful and usable way. Until all of the pieces presented in this white paper can be integrated into one vendor- and device-independent, pervasive, portable and easy-to-use solution in a globally federated environment, we won’t be capable of experiencing the full benefits of the Digital Information Revolution.
PUBLIC ENEMY NUMBER ONE OF THE INTERNET |
Call it Adware, Bot Code, Malicious Code, Malware, Spyware, or Unwanted Programs. Here at Triware Networld Systems, we call it Public Enemy Number One of the Internet. The situation is so bad that four anti-Spyware bills are making their way through Congress as you’re reading this.
Unlike Viruses and Spam, which we covered in one of our white papers, there really isn’t an easy way of preventing and eliminating Adware and Spyware. Even if one really understands emerging technologies and Windows Operating Systems, safety is never a guarantee. The simple mistake of clicking on a bad link in an e-mail or on a Web site could bring you endless, time-consuming headaches.
THE CONVERGENCE OF VIRUS & SPAM THREATS |
Small, medium and large organizations are facing the challenge of protecting their IT environments from malicious threats growing in volume and complexity. They can spread within minutes, creating complicated issues for IT managers and administrators.
The sheer volume of threats facing organizations continues to grow. We will focus on two main categories of malicious threats—Virus and Spam. These converging threats are putting network and user productivity and data security at risk.
INTRODUCTION TO FIREWALL |
Not all firewalls are created equal. And not all firewalls are doing the job you may think they’re created to do. A firewall should really be doing more than simply filtering and blocking particular network traffic. A good firewall should, at the minimum, provide adequate security for its organization. However, most firewall manufacturers seem to forget that good security includes: reliability, performance and management.
AIR-TIGHT, MULTI-LAYER IT SECURITY DEFENSE SYSTEMS™ |
In March, two security companies, Preventsys and Qualys, published a joint survey revealing that a startling 52 percent of chief information officers (CIOs) still use a “Moat-And-Castle” approach to their overall network security solutions. In other words, the majority of CIOs admitted that once their perimeter security systems are penetrated, their networks are at risk.
PROACTIVE INFORMATION TECHNOLOGY MANAGEMENT AUTOMATION™ |
It goes without saying that being Proactive is always better than being Reactive when it comes to Information Technology management. However, I am venturing to say that the majority of IT operational time is still being spent on being reactive.
INTRODUCTION TO VOICE OVER INTERNET PROTOCOL (VoIP) |
Voice over Internet Protocol (VoIP) is a technology that allows you to make voice / telephone calls using a broadband Internet connection instead of a regular phone line, which has been the method used for the last hundred years or so.
VoIP services vary. Some services using VoIP may only allow you to call other people using the same service, but others may allow you to call anyone who has a telephone number anywhere in the world. While some services only work via your computer or a special VoIP phone, other services allow you to use a traditional phone with an adaptor.
INTRODUCTION TO BIOMETRICS AUTHENTICATION |
Biometrics are automated methods of recognizing a person based on a physiological or behavioral characteristic. Among the features measured are: face, fingerprint, hand geometry, iris, retina, signature, and voice.
Biometric technologies are becoming the foundation of an extensive array of highly secure identification and personal verification solutions. As the level of security breaches and transaction fraud increases, the need for highly secure identification and personal verification technologies is becoming apparent.
INFORMATION HIGHWAY |
In "Welcome to the Revolution," an article in the December 1993 issue of Fortune magazine, Thomas A. Stewart discusses four simultaneous business revolutions that are shaping the future business world. These changes are "the workings of large, unruly forces; the globalization of markets; the spread of information technology and computer networks; the dismantling of hierarchy. Growing up around these is a new, information-age economy, whose fundamental sources of wealth are knowledge and communication."