You can't secure what you don't acknowledge.℠

Friday, October 16, 2009

Email business continuity - this is funny...and ironic

As I reported a couple of days ago, my email security provider stopped working. Maybe they took a hiatus...an extended vacation - and didn't tell me. Seriously, I did end up calling them a few times trying to work things out. I got what seemed to be a knowledgeable tech rep trying to help me. The problem was he never could. He said he'd call me back two different times. He made several promises to get "development" involved so they could release my 2, no 3, days' worth of emails stuck in their queue. Care to guess the outcome?

No emails recovered. No call back. I'm stuck on my own. The tech rep said they were sent. I never received them...That's a tough one to prove but the fact of the matter is that I lost over 100 emails. Odds are only 10-15 were legitimate emails that matter to my business, but that's not the point. The very thing I've depended on for business continuity in the event my email server or Internet connection was down - their email queue - ended up creating a business continuity problem for me. I wanted to give them the benefit of the doubt. No such luck.

The vendor is St. Bernard. Their service is iPrism. I've had a "free" account with them since the Singlefin days back in 2003. Another case of you get what you pay for?

The funny thing is that Google is apparently having similar email delivery problems of their own. Postini had an outage and people went 20 hours without email....woooo, big deal! How about several days' worth like I experienced? The ironic thing is that I'm considering moving to Postini. Who would've thought...

I'm telling you folks, you have to be careful hopping on this "cloud computing" in St. Bernard's case and apparently in Google's case as well (with Postini and the recent Gmail outages), these "SaaS" providers don't always have our best interests in mind. Free service or not, customer no-service is always an option so you'd better plan for it in advance.

Wednesday, October 14, 2009

The fastest vendor acquisition I've seen

This has to be the fastest security startup/acquisition I've ever seen. I'm pretty sure the company - which is here in my neck of the woods - was less than a year old.

You know how I feel about SaaS and "the cloud" but kudos to Paul Judge, Chris Tilton, and those guys for growing and turning this thing around so quickly. Capitalism at its finest!!

Cloud computing & customer no-service - match made in heaven?

I never thought I could be so productive. This week I've had less pressure to deliver. I've been able to turn "things" off. All while I'm attending a conference when I usually get even more behind. Well you see, my email isn't working. My email security "application service provider", I mean "managed service", dang it, actually my "cloud computing" provider delivering "software as a service" has apparently decided to take a break from things. I haven't received but 1 or 2 emails in the past two days...I normally get 75+ per day. It's actually been a nice break - especially from all the spam. But it's not what I was looking for.

This outage is actually nothing new with my provider...It's actually an ongoing issue I've had over the years. But the problem usually corrects itself within a few hours. Not this time. So I emailed the company last night using a personal email account and actually got a quick response. Impressive. I thought we were going to be able to have a dialog but apparently their support team decided that leaving for the day was more important. I've followed up with them twice since then...nothing. No response. But I'm going to give them the benefit of the doubt and not mention any names. It's probably something simple. Likely something stupid on my part - I am the "dumb customer" after all.

Side note: I know I can set my MX record to point directly to my email server and get my email back running again...or I could choose another provider. The problem is that I have over a day's worth of emails stuck in my email security provider's queue - likely several days' worth since this problem started over a week ago. So I can't give up hope on them just yet...I have to get my emails out.

I'm telling you this story because you have a big, no grand, responsibility to make good IT and information security choices for your business. Buyer beware with cloud computing. Know that just because some cloud computing provider promises the moon doesn't mean that you're actually going to get the service you need. They don't know your business. They don't understand your needs. Cloud computing providers are in business to make money, not coddle you with loving support and bend over backwards to get you up and running. I know, I know, there are lots of good cloud computing providers out there...but how do you know who they are? You usually won't until you find out the hard way like I am now. Just because your lawyers and their lawyers agreed upon certain terms in a contract doesn't mean some yahoo in tech support is going to care when the time comes.

I'm a one-man shop...imagine if this was a problem someone was having in a large corporation. Someone's rear end would be in a sling right now. His or her job on the line. Speaking of cloud computing gone wrong, was your business affected by the Sidekick debacle? Maybe you're already looking for work because of that...

Don't lose sight of the fact that security and managing information risks is about control and visibility. If you don't have those because of some customer no-service situation then no matter how "cool" cloud computing is at the moment this hype over substance the marketers are pushing is probably not worth the risk.

Enough said, I've got to get back to work and fix this...

Tuesday, October 13, 2009

In case you're trying to email me...

...my lovely email security provider has chosen to work part-time apparently. If you need to reach me, email my full name (1 word) at gmail dot com.

Latest version of LANguard worth considering

Have you seen the new - OK, it's not that new any more - version of LANguard (formerly LANguard Network Security Scanner)? It's certainly a tool worth checking out if you do vulnerability scanning.

I've been using LANguard for years for share finding and authenticated scanning and it does both very well. The biggest change in the latest version is the user interface. I've never been a big fan and I'm still not, but I'm getting used to it. Many of the improvements in the latest version involve authenticated scans. The quick-view dashboard is a nice improvement and I really like the scan progress.

When performing untrusted/unauthenticated scans I've found that LANguard won't find nearly the number of vulnerabilities that QualysGuard does, especially with regard to missing patch vulns that are exploitable via Metasploit. Hopefully that'll continue to evolve. But it does a very good job with this during authenticated scans (as would be expected if you have login credentials).

I'm still waiting for the ability to test your authentication credentials like what Sunbelt Network Security Inspector offers - at least used to, haven't used it lately. You have to plug in your credentials and hope that your login works. It'd also be nice to be able to sort through the network share finder results and filter based on permissions found (i.e. shares where Everyone has full access).

Here's a screenshot of the main interface:

In the interest of getting you hooked on good tools, here's a link to GFI's free version of LANguard. Hope this helps!

Proper password length

Probably late to the game but just had to post this:

During a recent password audit, it was found that a blonde was using the following password:


When asked why such a big password, she said that it had to be at least 8 characters long.

Monday, October 12, 2009

Cool tool for cracking/resetting SQL Server passwords

Elcomsoft has a neat - and relatively new - tool called Advanced SQL Password Recovery I thought you may be able to benefit from. It can be used to change any SQL Server databases protected by a password, including SQL Server 2000, 2005 and 2008. All you need is access to the master.mdf file. SQL Server optional.

I was going to show a screenshot but there's not that much to it...you load the program, you point it to the master.mdf file and it'll crack the passwords - simple as that. Very cool.

Yet another reason to keep your Windows systems patched and your share/file permissions in check.
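
One way to check the share side of this on your own servers, and to get the filter wished for in the LANguard post above (shares where Everyone has full access). This is an added example, not part of the original posts or of any vendor's tool; the list of "broad" principals and the function name `Get-BroadShareAccess` are assumptions made for illustration.

```powershell
# Added example: list local SMB shares whose share-level ACL grants broad write access,
# and note whether SQL Server data files (*.mdf) sit under the shared path.
# Uses the SmbShare module (Windows 8 / Server 2012 and later); run from an elevated prompt.

# Assumption: which principals count as "broad". Names are localized on non-English systems.
$BroadPrincipals = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
$RiskyRights     = 'Full', 'Change'

function Get-BroadShareAccess {
    param(
        [string[]]$Principals = $BroadPrincipals,
        [string[]]$Rights     = $RiskyRights
    )

    foreach ($share in Get-SmbShare -Special $false) {
        # Skip shares that have no file system path to inspect.
        if (-not $share.Path) { continue }

        $hits = Get-SmbShareAccess -Name $share.Name | Where-Object {
            "$($_.AccessControlType)" -eq 'Allow' -and
            $_.AccountName -in $Principals -and
            "$($_.AccessRight)" -in $Rights
        }
        if (-not $hits) { continue }

        # Look for database files once per share; unreadable folders are skipped.
        $mdf = Get-ChildItem -LiteralPath $share.Path -Filter '*.mdf' -File -Recurse `
                   -ErrorAction SilentlyContinue | Select-Object -First 1

        foreach ($ace in $hits) {
            [pscustomobject]@{
                Share      = $share.Name
                Path       = $share.Path
                Account    = $ace.AccountName
                Right      = "$($ace.AccessRight)"
                HasMdfFile = [bool]$mdf
            }
        }
    }
}

# Share permissions are only half the picture: effective access is the more
# restrictive of the share ACL and the NTFS ACL, so review Get-Acl on each path too.
Get-BroadShareAccess | Sort-Object Share, Account | Format-Table -AutoSize
```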