Our security audit program can be used to identify the gaps that exist between mandated security standards and your organization's security practices. As a result, our audit tool can also be used to perform a very detailed gap analysis. Once you've filled all the gaps, you can be assured that you've done everything humanly possible to protect your information assets. If you use our Security Audit Program you will not only comply with the many mandated security requirements but you will also improve the overall performance of your information security program.
Comprehensive, Detailed and Customizable for Your Business
The Security Policy and Audit Program bundle provides all the essential sections of a complete security manual and walks you through the creation of each step. Detailed language addressing more than a dozen security topics is included in a 220-plus-page Microsoft Word document, which you can modify as much or as little as you need to fit your business requirements. The template includes sections on critical topics like:
- Risk analysis
- Staff member roles
- Physical security
- Electronic Communication (email / Smartphones)
- Blogs and Personal Web Sites
- Facility design, construction and operations
- Media and documentation
- Data and software security
- Network security
- Internet and IT contingency planning
- Insurance
- Outsourced services
- Waiver procedures
- Incident reporting procedures
- Access control guidelines
- PCI DSS Audit Program as a separate document
The Security Manual Template is available as a stand-alone item (Standard) or in the Premium or Gold sets:
Each of the job descriptions is between 3 and 6 pages in length. They have all been updated to reflect the responsibility requirements of Sarbanes Oxley, HIPAA, PCI-DSS, ISO, and ITIL. The job descriptions included in the Premium bundle are:
- Chief Compliance Officer (CCO)
- Chief Security Officer (CSO)
- VP Strategy and Architecture
- Director e-Commerce
- Database Administrator
- Data Security Administrator
- Manager Data Security
- Manager Facilities and Equipment
- Manager Network and Computing Services
- Manager Network Services
- Manager Training and Documentation
- Manager Voice and Data Communication
- Manager Wireless Systems
- Network Security Analyst
- System Administrator - Unix
- System Administrator - Windows
Security and Auditing News
Goals of Disaster Recovery Planning Defined
The ultimate goal of a Disaster Recovery Plan (DRP) is to get your business restarted in an acceptable timeframe. For some organizations that means within minutes, while for others it means hours or possibly days. The cost of operational downtime varies among businesses and industries. For example, financial firms often calculate that cost in millions of dollars per hour, while other industries calculate operational downtime as thousands per day. These costs include lost business transactions, employee productivity, and customers - not to mention regulatory penalties. The ability to tolerate these losses generally determines business continuity strategy.
There are two types of disasters:
- Physical destruction of a location and data (or access to location and data). Examples: fire, flood, earthquake, significant power or network outage.
- Data destruction without physical destruction. Examples: hardware failure, virus/hacker attack, software malfunction, human error.
Each of these has a different set of requirements, and your Disaster Recovery / Business Continuity Plan needs to take them into consideration.
Google Monopoly Threatened
The Google search monopoly seems to be threatened by Microsoft's updated search engine Bing.
Bing, an update to Microsoft Live Search, is already getting more attention than its predecessor, according to a report released today by ComScore Inc. Microsoft Sites increased its average daily penetration among U.S. searchers from 13.8 percent during the period of May 26-30 to 15.5 percent during the period of June 2-6, 2009, an indication that the search engine is reaching more people than before. Microsoft's share of search result pages in the U.S., a proxy for overall search intensity, increased from 9.1 percent to 11.1 percent during the same time frame.
Business Continuity and Disaster Recovery Defined
Business Continuity and Disaster Recovery Planning are the way an organization can prepare for and aid in disaster recovery. It is an arrangement agreed upon in advance by management and key personnel of the steps that will be taken to help the organization recover should any type of disaster occur. These programs prepare for multiple problems. Detailed plans are created that clearly outline the actions that an organization or particular members of an organization will take to help recover/restore any of its critical operations that may have been either completely or partially interrupted during or after (occurring within a specified period of time) a disaster or other extended disruption in accessibility to operational functions. In order to be fully effective at disaster recovery, these plans are fully defined and are tested regularly.
A Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) are how an organization guards against future disasters that could endanger its long-term health or the accomplishment of its primary mission. BCPs and DRPs take into account disasters that can occur on multiple geographic levels (local, regional, and national), such as fires, earthquakes, or pandemic illness. BCPs and DRPs should be live and evolving strategies that are adjusted for any potential disasters that would require recovery; they should include everything from technological viruses to terrorist attacks. The ultimate goal is to help expedite the recovery of an organization's critical functions and manpower following these types of disasters. This sort of advanced planning can help an organization minimize the amount of loss and downtime it will sustain while simultaneously creating its best and fastest chance to recover after a disaster.
Palm Pre in Short Supply
The Palm Pre, which goes on sale June 6 from Sprint Nextel Inc., appears on the Best Buy Web site for $849.99, several times the $200 price after a $100 rebate that Sprint has announced. Sprint and Best Buy could not be reached immediately to comment, but bloggers speculated the Best Buy online price is artificially high to discourage Best Buy employees and other customers from reserving a purchase in advance due to expectations that there will be a shortage of the new Smartphones at the time of the launch.
The expected shortages were clearly described by Sprint's CEO at an investors' conference. He said, "We don't intend to advertise it heavily early on because we think we are going to have shortages for a while. We won't be able to keep up with demand for the device in the early period of time."
CIOs Major Responsibilities Are Focused
CIOs have three major responsibilities in helping enterprises succeed.
- CIOs must keep all IT systems and networks managed, optimized, and available to contribute maximum business value at minimal cost.
- CIOs need to protect critical infrastructure against an increasingly hostile threat environment: spyware, viruses, attacks, intrusions and human-engineered security lapses.
- CIOs must prevent exposure to legal and regulatory compliance penalties or breach disclosure laws.
If IT fails in any one of these areas, their organizations can go out of business, or face criminal sanctions.
In meeting these responsibilities, CIOs can no longer incrementally buy new tools to meet any new requirement that makes headlines in the technical or business media. Business drivers, security and compliance mandates converging on the enterprise require a converged response. CIOs now demand solutions that enable them to eliminate redundant technologies and processes and integrate disparate elements into a common workflow. While established enterprise software vendors have adopted the language of convergence and consolidation, their product lines remain constrained by legacy architectures and designs. Proposing radical change to their customers carries the risk of disrupting established revenue flows, not to mention technical risks inherent in overhauling or replacing obsolete products.
Business runs at a velocity unimagined a few short years ago. Complex and highly distributed environments have grown to support an intricate web of partners, suppliers, distributors, and customers. Service oriented architectures and web-based applications have progressed from vision to real-world instantiation as enterprises look to leverage technology to innovate and deliver new services. In this new world, IT-delivered services must be available 24x7 to customers, suppliers, employees, regulators, investors and other constituencies.
The highly exposed nature of today's IT infrastructures fundamentally changes how organizations manage IT assets, processes and data. IT organizations can no longer treat resource management and maintenance as back-end functions that can be performed at times and conditions of their choosing. Neither is their work protected from outside scrutiny. Processes whose success or failures were largely internal now make the difference between business success or failure, legal compliance or litigation, prudent stewardship or ineffective execution.
Abuse of Email Cause for Termination
The 58% of employers who have dismissed employees for computer violations cited excessive personal e-mail (26%) or Web (34%) use as the reason. Excessive personal use takes a toll on employee productivity, eats up valuable system space, and creates potentially damaging legal evidence. In order to protect your company and keep your employees aware of the risks, you need to have a written acceptable usage policy in place to notify employees that compliance with e-mail and Web usage rules is 100% mandatory.
CIO Strategic Planning Guidelines
CIOs are now starting to develop new information technology strategies. As they do that, they need to understand the fundamental business and operational trends that are driving businesses and enterprises of all types to redesign their operations. The principles that CIOs need to keep in mind are:
- Flexibility - CIOs must be able to respond to opportunities and challenges faster than ever before. These CIOs are usually battling well-resourced organizations that may be based where the opportunity originated, or another globalizing company that is reaching out for new opportunities. In order to compete, a CIO must create a strategy that helps the enterprise deliver, faster, a product or service as good as, or better than, that of potentially any other company in the world.
- Simplicity - The increase in technology has led to increased complexity. While per unit costs of technology are decreasing, in aggregate IT budgets continue to increase. With the pressure on IT to act less as a cost center and more as a way to increase the profitability of business units, adding more storage, more bandwidth, or additional technologies throughout the organization is no longer an acceptable approach to managing information technology. Instead, smart CIOs are investigating technologies like continuous data protection, virtualization, and wireless connectivity to help IT slim down its footprint while increasing their business's competitive advantages. Therefore, the IT team is typically in a difficult position, assessing where to cut costs while still moving forward with a plan to continually enhance IT services to the business.
- Security and Mandated Requirements - With the growing importance of applications and data, the sources of threats to enterprise data have multiplied dramatically. Everything from natural disasters to criminals and corrupt sources within the company can steal or corrupt data. While CIOs do everything that they can to stop these threats in the first place, they still must be prepared to recover from these threats as quickly as possible.
- Disaster Recovery / Business Continuity - As businesses have expanded, the need for anytime, anywhere application access has become a requirement. At the same time, "follow the sun" (global 24/7) operations have shrinking maintenance windows and a need for applications to be running at all times. Delay or loss of data for any reason - system failure, natural disasters - has a domino-like effect across the entire organization, at any time of the day or night.
SPAM a Productivity Killer
Spam now accounts for as much as 80-90% of an organization's total e-mail volume. Every day, organizations face potential communications, operations, and intellectual-property disruption from spam and other e-mail borne threats. As a result, different types of attacks have started to merge and pose severe threats to your organization, leading to a significant increase in e-mail related costs. For companies grappling with limited IT staff, outsourcing e-mail security to one of the growing number of service providers is a quick, no-fuss way of protecting internal e-mail systems.
Added Security Risks
It used to be relatively easy to secure a corporate network. It was a physically connected entity used only by internal users. Web browsing was not generally available at the desktop, and data was transferred only by removable media or email.
Today, networks as we once understood them are disappearing as the network perimeter has become blurred by the prevalence of new technologies and business practices. Instant Messaging (IM), Voice Over IP (VoIP), peer-to-peer (P2P) file-sharing software, and wireless and mobile devices all offer new ways of transferring data. Network access is given to remote workers, business partners and contractors.
These changes fulfill the real business need to remain competitive, but they also increase the risk of malware, other security threats, and data breach threats infecting the network via unsecured hardware and unmonitored communication channels.
Security in this more complex environment requires:
- Securing more types of endpoint devices
- Securing endpoint computers
- Monitoring for compliance with security policies
- Protecting the network from fast-moving zero-day threats
The Market that Microsoft Missed
Before Bill Gates left Microsoft, he realized that Enterprise Search was becoming increasingly important to organizations, and a central component of their business strategy. Competitors such as Google had moved quickly to fill the gaps left by Microsoft. With increasing competition and customer demand, Microsoft publicly announced in 2007 that Enterprise Search was strategic to them and began developing a unified search strategy, rationalizing the disparate portfolio of search products they owned.
Now Microsoft is moving to fill that gap. The question is, will they succeed?
Who Should Have a Formal Security Policy?
Regardless of the size of your company, you should have an IT security policy in place. Even if you have not put one in writing yet, you have a policy already. In most small companies the policy is an island approach where every individual is left to his or her own devices, and while this has worked well in the past, it must change in the future. In the past, with the exception of burning down your offices, damage from a single employee's actions would usually be limited to their own files and sphere of influence. Today, the actions of one can affect your entire IT structure and wreak havoc and even destruction or disclosure of your data. Running your business without a policy in place is akin to setting sail in a boat with no rudder. The winds may carry you safely somewhere, or smash you into the rocks at any time. At a minimum the security policy should act as a guide for your business. If you have more than one employee, you should have a policy in place.
For companies with up to 200 employees, the Janco Security Manual Template allows management to have a better awareness of IT security, and for larger organizations, the standards should allow the creation of a mature and compatible IT security culture within the company.
Data Breaches Result in Lawsuits
(ComputerWorld) - In an indication of the legal troubles that companies can find themselves in over data breaches these days, several banks and credit unions have begun suing Heartland Payment Systems Inc. over its recently disclosed data breach.
In the six weeks since the potentially massive breach was disclosed, eight banks and credit unions have filed lawsuits against Heartland over its alleged failure to take adequate measures for protecting credit and debit cardholder data.
Heartland said on Jan. 20 that unknown intruders had broken into its network sometime last year and accessed payment card data belonging to an undisclosed number of customers. The breach, thought to possibly be the biggest ever disclosed, has already affected over 500 financial institutions, including a handful in the Bahamas, Bermuda and Canada.
The lawsuits seek compensation from Heartland for the costs that the financial institutions said they've had to bear in notifying affected customers about the breach and in reissuing new payment cards. The lawsuits also claim damages from Heartland for costs of the alleged fraud that the banks claimed have resulted from the breach.
Compliance Management
Regulatory requirements have made log management & analysis one of the two fastest growing areas of security. In fact, nearly every major regulation affecting cyber security now demands or implies the need for continuous logging and effective log management: HIPAA, SOX, ISO 27001, COBIT. Even the Payment Card Industry (PCI) standard appears to demand it. And regulations governing information security technology are evolving as fast as the technology itself.
Economic Downturn Impacts IT
A false belief about the economic downturn: Tech workers will not be as bad off as everyone else will because they already went through their own violent contraction at the beginning of the decade. The recovery after the dot-com bust was weak and for the most part never came close to restoring IT spending to its previous levels -- so there just is not that much to cut. IT has become a part of operations. If you want to keep the lights on, then you cannot cut that deeply.
To avoid the axe, many IT professionals are hunkering down and taking whatever protective measures they can. The IT professional's fate often depends on justifying the project to which they have been devoting their time and effort. That means selling it all over again -- like a well-prepared MBA.
IT Service Management is a Way for CIOs to Stand Out
A one-size-fits-all approach to service management does not recognize the uniqueness of each customer. Tailoring support interactions to fit the specific circumstances of an account can not only increase customer satisfaction, but also increase revenue by giving special attention to customers at certain sales milestones (renewals, pending deals) and by extending highly contextual upsell/cross-sell offers when appropriate. Some things that you can do include:
- Reward staff for outstanding relationship skills. If your metrics are centered on productivity and technical prowess, shift the emphasis toward relationship skills.
- Change service level metrics to include all communication. Though the emphasis may be primarily on phone, include other communication channels including email and customer forums.
- Implement quality-monitoring metrics. Measure the quality of customer interactions in order to get a better understanding of how to improve IT Service Management.
Password-based Security Has Flaws
A password-based security system is the most used option at most companies. However, there are issues associated with password-based security. Passwords are a burden on users, who view them as an obstacle to getting the information and services they need in a timely fashion. Having to enter different usernames and passwords several times a day - and especially repeated erroneous attempts - interrupts an employee's usual work flow, often at the most inopportune times.
Network administrators are aware of the need to limit application and network access to authorized personnel and therefore prefer strict password policies. This inherent conflict of interest results in a battle of wills between those charged with protecting data and those charged with using that data.
A recent survey of over 600 U.S. IT professionals by Siber Systems found:
- Too many passwords - Over half of all respondents said the average employee in their firm is required to remember three to five passwords, with an additional 26 percent saying the number ranges from six to ten or more; 16 percent of "power users" reported having over 100 passwords.
- Passwords required too often - 49 percent responded that employees are required to use passwords more than 25 times per week, with 8 percent stating the number of password uses exceeds 100 per week.
- Unprotected passwords - 66 percent stated that employees write down or store passwords in unsafe places, creating a security problem for their companies.
Security - Lost Laptops
Do you ever worry about losing your laptop computer while rushing to catch a flight at a busy airport? Companies are dependent upon a mobile workforce with access to information no matter where they travel, but every day business travelers are putting the sensitive and confidential data of their organizations at risk when they travel through airports. With 12,000 laptops reportedly lost each week in our nation's airports, companies are at risk of having a data breach if a laptop containing sensitive information is lost or stolen.
PCI Compliance Monitoring Tools
Janco has a number of tools to help monitor PCI compliance. Since PCI compliance is mandatory for all merchants that store, process, or transmit credit card data through retail stores, mail order, telephone order, and online sites, this is the right tool.
Retailers that do not comply are subject to suspension of credit card processing privileges and very expensive fines. Retailers must carefully plan, deploy, maintain, and test all network components, servers, and applications connected to cardholder information. As of January 1, 2009 that requirement has been added to even the smallest merchants.
When deployed and managed securely, a Wi-Fi infrastructure brings tremendous benefits to an organization. Retailers must therefore understand their vulnerabilities to unauthorized wireless access in order to keep their networks free from the threats that will compromise their network, cardholder data, and PCI compliance.
Wireless is everywhere. It has been reported that over 65% of enterprises in North America have a wireless LAN installed. Several scenarios exist that can provide an outsider with unauthorized access to the core (wired) network via a wireless LAN:
- Authorized client devices connecting to a neighboring WLAN;
- "Rogue" access point connections to the core network; and
- Ad hoc wireless connections to authorized client devices.
Any of these scenarios may occur unintentionally, but all put the core network at risk.
Delta to Provide WiFi on Flights
Delta Air Lines Inc. will roll out Wi-Fi across its entire fleet by 2009. Delta is expected to have four of its eight shuttle planes wired for Wi-Fi service on runs between New York and Boston and New York and Washington.
Early next year, Delta will begin to wire one plane every two to three days until its fleet of 330 planes is completely Web-ready. The new service will cost $9.95 for unlimited access on flights of three hours or less and $12.95 for runs of three hours or more.
Delta will provide a censored version of the Web for any Wi-Fi device. Users will be able to access e-mail, surf the Web and use instant messaging. However, Delta will restrict voice-over-IP calls, pornographic sites and any other content it deems inappropriate for public consumption. To promote the new service, Delta will offer free Wi-Fi on its shuttle flights for the next two weeks. Delta also says it will roll out Wi-Fi for Northwest Airlines Corp. planes as the two companies are in the midst of a corporate merger.
Onboard Wi-Fi may ruffle the feathers of some who prefer to get some shuteye or not feel the need to incessantly check their "CrackBerries" while shuttling across the continent, but, as they say, you can't stop progress. For a while now, airlines have been citing Web access as the service requested most often by passengers. While there have been previous attempts that floundered, Aircell and others seem to have the logistics figured out.
Art Work In Danger - Disaster Plans Need to Address That
Natural disasters, such as hurricanes that assault southern Florida and Louisiana, make all of us acutely aware of our vulnerabilities to disaster. Fortunately, catastrophes of this magnitude are rare, but disaster can strike in many ways. For example, a broken water main inundated the Chicago Historical Society; fire severely damaged the Cabildo in New Orleans; the Loma Prieta earthquake damaged several San Francisco area museums and libraries; smoke from an electrical fire covered collections throughout the Huntington Gallery; mold damage threatened Mount Vernon's archival collections. Large or small, natural or man-made, emergencies put an institution's staff and collections in danger.
How do you provide electronic data for litigation?
Once litigation starts, CIOs often are required to provide data in electronic format. There are three (3) ways that can be accomplished:
- Active data copy - The active data copy method captures all files seen by the operating systems as well as the operating system files themselves. Deleted files or inactive data are not included. Non-forensics tools such as Zcopy or Norton Ghost can be used to transfer files from one system to another. The active data copy method will change directory-level metadata while keeping file metadata intact.
- Forensic copy - The forensic copy or image copy method is the process of creating a mirror image copy of a hard drive to capture both active and deleted data. All system and file metadata remains intact when using this method. Forensic copy is often used when the scope of the order requires information about user activity or concern about possible deletion or destruction of data.
- System backup - Capturing data on network servers can be problematic. A full system backup done in accordance with legal requirements provides a snapshot of the server data. Deleted files will not be captured when using this method. In most cases, this backup method must be performed by IT staff but witnessed by an agreed-upon and objective third-party observer.
LDAP injection is a technique for exploiting web applications
Lightweight Directory Access Protocol (LDAP) is a widely used protocol for accessing information directories. LDAP injection is a technique for exploiting web applications that use client-supplied data in LDAP statements without first properly validating that data. LDAP is frequently used in web applications to help users search for specific information on the Internet. For example, a distributor or reseller may publish white pages so that users can find information about particular products.
You need to cleanse all client-supplied data of any characters or strings that can be used maliciously. You should do this for all applications, not only those that use LDAP queries. Stripping quotes or putting backslashes in front of queries is not enough. The best way to filter data is with a default-deny regular expression that includes only the type of characters that you want.
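The default-deny filtering described above, as an added example that is not code from the original page: a search term is checked against an allowlist before it is placed in an LDAP filter, shown beside the unsafe concatenation. The `product` object class, the `cn` attribute, the allowed character set and the sample inputs are assumptions constructed for illustration; the RFC 4515 escaping is a second layer the page itself does not mention.

```python
import re

# Default-deny allowlist (assumed policy for this example): a product name is
# 1-64 characters drawn only from letters, digits, space, dot and hyphen.
ALLOWED_NAME = re.compile(r"[A-Za-z0-9 .\-]{1,64}")

# RFC 4515 escapes for the characters that are special inside a search filter.
# Applied after the allowlist as a second layer, in case the allowlist is
# later widened to admit one of them.
FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape LDAP filter metacharacters in a value (RFC 4515)."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def unsafe_filter(name):
    """The vulnerable pattern: client data concatenated into the filter."""
    return "(&(objectClass=product)(cn=" + name + "))"


def safe_filter(name):
    """Validate against the allowlist, then build the filter.

    fullmatch() is used instead of match() with '$' so that a trailing
    newline cannot slip past the check.
    """
    if not isinstance(name, str) or ALLOWED_NAME.fullmatch(name) is None:
        raise ValueError("search term contains characters outside the allowlist")
    return "(&(objectClass=product)(cn=" + escape_filter_value(name) + "))"


def classify(samples):
    """Return {sample: True/False} for whether each sample is accepted."""
    results = {}
    for sample in samples:
        try:
            safe_filter(sample)
            results[sample] = True
        except ValueError:
            results[sample] = False
    return results


# Constructed sample inputs: two ordinary searches and three that carry
# filter metacharacters or control characters.
SAMPLES = ["Widget-2000", "Router v2.1", "*", "x)(cn=*", "Widget\n"]

if __name__ == "__main__":
    for sample, accepted in classify(SAMPLES).items():
        print(repr(sample), "accepted" if accepted else "rejected")
    # What the unsafe builder would have sent for the wildcard input:
    print(unsafe_filter("*"))
```

Rejecting the request outright, rather than stripping the offending characters and continuing, keeps the behaviour default-deny: anything the pattern does not explicitly permit never reaches the directory.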
IRS Systems Lack Security - Expose Taxpayer Data
An audit report of IRS systems states that the IRS fails to implement systems with adequate security built in. Since 1997, the IRS has designated computer security as a material weakness. The IRS continues to struggle with addressing security vulnerabilities on its modernized systems. Until security control vulnerabilities are corrected, the IRS is jeopardizing the confidentiality, integrity, and availability of the massive volume of taxpayer data processed and stored by the IRS.
The IRS deployed two new systems with known security vulnerabilities relating to the protection of sensitive data, system access, monitoring of system access, and disaster recovery. These vulnerabilities increase the risks that:
- An unscrupulous person, with little chance of detection, could gain unauthorized access to the vast amount of taxpayer information the IRS processes, and
- The systems could not be recovered effectively and efficiently during an emergency.
The IRS's processes for ensuring that security controls are implemented before systems are deployed failed because the IRS did not consider the known security vulnerabilities to be significant, which affected vulnerability resolution and system deployment decisions.
The Customer Service Executive Steering Committee, which had final milestone approval:
- Did not provide sufficient oversight to ensure that security controls were implemented, and
- Signed off project milestones despite the existence of weaknesses repeatedly reported to the Committee.
In addition, the IRS accepted major risks for these security vulnerabilities, including the inabilities to successfully recover the systems and their data in the event of a disaster and to detect malicious security events and unauthorized accesses to taxpayer data.
(http://www.treas.gov/tigta/auditreports/2008reports/200820163fr.pdf)
Security Manual Template
ISO 27000 (27001 & 27002) - Sarbanes-Oxley - PCI - Patriot Act - HIPAA Compliant
Techniques Used by Hackers Defined
There are six main techniques used by hackers to attack systems. They are:
1. Reputation hijacking
- Attacks target legitimate sites
- Modify content to include additional malicious script or HTML
- Exploits trust relationship
- Affect huge numbers of users
- 80% of sites hosting malicious content are hijacked
2. Downloaders
- Attack site installs small downloader payload
- Once run, downloads other components
- Flexibility to modify content
- Separation of exploit payload and subsequent malware installation (evade runtime detection)
- Download cascade effect
3. Drive-by attack sites
- Malicious script containing a bundle of exploits
- No user interaction required - Browse site, get hit with malware
- Easy to create. Purchase a kit.
4. Domain look-alikes
- Catch users making typos or not checking links carefully enough
- Change TLD, change brand name
- Create dummy sites, loaded with keywords
- Trap users via search engines
5. Fast flux attacks
- Malicious content hosted within sites in botnet
- Rapidly moving target - thwart defense mechanisms such as IP filtering
- Used in spam, phishing and malware attacks
- Round robin DNS - 1 domain queried : >1 IP returned
6. Rapid updating
- Content changes on each request
- Maintain proactive, generic detection
- Genotype detection technology
Data Breaches are Expensive
California Senate Bill 1386 added a new, public dimension to regulatory compliance. In the event of a data breach such as a lost laptop computer containing sensitive information, the bill requires organizations to notify all parties whose personal information has been exposed. Following California's lead, 36 additional states have enacted similar data breach laws. It has been estimated that it costs a company $197 per missing record when a breach occurs. So 1,000 records breached $1,970,000!!
Data breaches and network intrusions occur because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver's license numbers. Some breaches do not expose such sensitive information; however, they still expose individuals to identity theft and businesses to a compromise of their electronic assets, and that must be disclosed under Sarbanes-Oxley and various state laws.