Dropbox and Evernote are very easy to use and have enjoyed fairly broad market adoption.

Two issues we have with Dropbox are their security (all customer files were left open for several hours in Summer 2011 for anyone to see) and their Privacy Policy, which enables Dropbox to share your files with third-parties who provide support services to Dropbox.

Evernote’s Terms of Service have you granting Evernote a license to all of your Content that you post there. Similar to Dropbox, Evernote’s Privacy Policy also allows them to share your data with third parties. Worse, Evernote will drop cookies and tracking pixels on your devices.

For corporations in regulated industries (e.g. healthcare, financial services), employees who use such services for data covered by, say, HIPAA, may have created a defacto violation – Neither Dropbox nor Evernote to our knowledge execute Business Associate Agreements.

In unregulated industries, much corporate data is highly sensitive, so why would you want to allow a service provider to share it with third parties?

Solution: Zimbra Briefcase and CyberDuck

Zimbra already has a robust file-sharing, Google Docs-like offering in the form of the Briefcase. Until Zimbra releases Project Octupus in version 8, what is lacking in Zimbra now is the ability to synchronize easily the files in your Zimbra Briefcase with the files on your computer.

That functionality however is easily provided by a handy utility called Cyberduck, available for download at http://cyberduck.ch/. Historically, Cyberduck (and Filezilla, another favorite tool of ours) have been used for FTP transfers. As insecure plain-text FTP gave way to FTPS and SFTP, both Filezilla and Cyberduck expanded the number of transfer protocols supported.

But Cyberduck didn’t stop there. They saw that the future was in Cloud Storage, so they added even more secure transfer protocols to enable users to transfer files to Amazon S3 and indeed any storage repository which supports WebDAV over http — like Zimbra’s Briefcase.

So what we do ourselves and have configured for clients needing this functionality but are concerned about Dropbox’s past data breach history and Evernote’s content licensing, is to configure Cyberduck to talk directly to Zimbra’s Briefcase. Cyberduck you see, does Remote-Local Syncing of whole folders trees, so it’s a snap to keep your Zimbra Briefcase and your computer repositories in sync.

In the screenshot below, you can see in the upper right the Cyberduck window, looking at my Zimbra Briefcase.  In the upper left is the normal Zimbra web interface.  In the lower left is a local folder on my Mac, and in the lower right is the Cyberduck sync windoready to sync all of my Briefcase folders.

The sync process to be fair takes two mouse clicks; you have to remember to actually do it.  But if you need to keep all your corporate documents on your corporate Zimbra system and your corporate laptops, the combination of Zimbra and Cyberduck is a win-win until Zimbra’s Project Octopus comes along later this year.

Hope that helps,

Mark

According to CSIS, “Up to 85 % of all virus infections occur as a result of drive-by attacks automated via commercial exploit kits.”

Commercial exploit kits are used both by the Bad Guys as well as by legitimate security shops to perform penetration testing, security scans and other tests appropriate for regulated companies and unregulated companies with valuable intellectual property to protect. Like guns, how these tools are used is up to the person with their finger on the trigger.

We have always known that patching your systems is very important.  Unfortunately, even though Windows Update now patches Office and other Microsoft software in addition to the Windows operating system itself, that’s not enough.  And now CSIS has the facts to prove it.

The five software packages that accounted for that 99.8% of all infections as reported by CSIS comprise:

1. Java JRE (which includes the browser plugin)
2. Adobe Reader
3. Adobe Acrobat
4. Adobe Flash and,
5. Microsoft Internet Explorer

While Internet Explorer gets patched via Windows Update, the other software packages have their own update system that prompts the user to update each software package individually.

Regrettably, in our experience way too many end-users ignore and click away those update warnings.  Further, in in more locked-down corporate environments, end-users often do not have sufficient rights to install software updates and patches; those updates and patches are pushed out to the end users’ machines via centralized system management software.  When the company’s system administrators do not push those patches out promptly enough, or the end users click away and defer updating those packages, a significant exposure is created.

And once one machine on a network is infected, many more are often subsequently infected.

So what does this all mean?

Well, first… this report reaffirms the importance of prompt patching.  Second, it documents that of the five top exposures, only one of them (Internet Explorer) is patched via Windows Update, so just turning on Windows Auto Update and thinking you are protected is at best fatuous.

At the end of the day, a comprehensive patching process is required; the proper execution of which is someone’s key responsibility.

If you have concerns about your company’s patching processes, please give us a call (207) 615-1529.

Mark

CIO

P.S.  You can read a summary of the study here.

Lockheed and Northrop the articles further point out have already suffered intrusion attempts, with Northrop reportedly going so far as to shut down all remote access.

It’s not just defense contractors, Sony, VMware, Amazon, Google, and the State of Texas who suffer data breaches increasingly measured in the millions of records. We see typically half a dozen or so very professional intrusion attempts every day on our home firewalls; our data center firewalls see about the same.

SecureID, combined with a personal password known only to the user creates what is called a “two-factor authentication” authorization scheme.  Described as “something you have, plus something you know”, it works just like an ATM card (something you have) with your PIN (something you know). The two-factor authentication provided (past tense…) by SecureID often lulls users into a false sense of security and the temptation to use weak passwords; how many of us have 10-digit ATM card passcodes?  I used to have an 8-digit passcode but found it didn’t work on about half of all store credit card swipe pinpads.  Not terrific security…

And what happens when we lose our ATM card?  We cancel the card and get a new PIN.  Well… RSA just “cancelled” some 40 million SecureID cards.

With our without SecureID or some other two-factor authentication scheme, there is no substitute for good, basic password policies. We recommend strongly that our clients adopt password complexity, reuse and rotation policies, at least as follows:

1. Passwords should be a minimum of eight characters long and contain at least one each of:
   1. Uppercase character
   2. Lowercase character
   3. Number
   4. Punctuation mark or symbol (e.g. semi-colon, underscore, hyphen, parenthesis, etc.)
2. Passwords should be changed no less frequently than every 120 days (one company we know requires weekly password changes)
3. Passwords should not contain dictionary words or derivatives, or be based on personal information like birth dates or anniversaries.
4. Passwords once used should not be able to be reused for at least a year.
5. Lastly, the log files need to be parsed routinely for intrusion attempts (this can be automated) and a human alerted ASAP when something looks wonky.

Consider the costs to a company when a user’s email password is compromised and a hacker starts using that account to send out thousands and thousands of spam emails.  In short order, the company’s email server becomes blacklisted, no one in the company can send email anywhere, and business comes to a grinding halt.  It can take a few days to get off all the blacklists, so we advise clients to consider the costs of a few days of email downtime against the complaints from a vocal few users who don’t like changing their passwords three times a year.  It’s all about tradeoffs and risk management at the end of the day.

If you would like an objective review of your company’s security, remote access, password and related policies, give us a call at (207) 772-5678.

Take care!

Mark

The reasons for this coverage gap are several:  First, property and casualty insurance policies are written to cover tangible items and data isn’t tangible. Medical malpractice insurance policies don’t consider a data breach a medical error and so don’t usually cover the costs from data breaches. Even General Liability policies rarely include data breaches in the specific list of liabilities covered.

Worse, breaches are expensive! The estimated cost for a data breach spans $220 – $330 per record. Consider a primary care physician with a panel (i.e. patient base) of 4,000 patients. The practitioner’s cash out-of-pocket costs to remedy a typical data breach could exceed $1.0 million. Almost all states mandate some form of data breach reporting, and a quick search on DatalossDB.org shows health care providers are reporting data breaches frequently. Fail to report appropriately and your out-of-pocket costs go up; Stanford was recently fined $250,000 for failing to report a breach on a timely basis.

As businesses convert to electronic records or migrate to the cloud, increasingly more insurance companies offer cyber liability and data breach insurances. Rates vary depending on the risk within the practice. But it’s not easy obtaining cyber liability and data breach insurance. The vetting process is very thorough and time-consuming. We tell clients that the process is not unlike going through an actual security review — not a bad thing to do in any event since being “compliant” doesn’t necessarily mean you are “secure”!

The good news is that, with a combination of properly trained personnel and a secure network (not anywhere as expensive a proposition as you might think), any company can reduce the likelihood of these tragic and unexpected costs.

If you would like to see how your network security configurations compare with others, please feel free to call us at 207-772-5678.

Kristin Przybysz
Business Development

He should be: The Tenth Fleet has no ships, but is responsible for the cyber security (defensive) and cyber capabilities (offensive) of our Navy.

There were two key takeaways for me from this presentation.

We in the industry understand how easy it is for countries like Egypt to have “turned off” the wired Internet to their whole country so quickly, but it was interesting to see that the majority of the audience believes the Internet to be much more persistent and secure than it really is. The Internet is much more fragile than that. We as engineers know that Border Gateway Protocol (“BGP”) is the glue that connects the Internet together and controls routing of Internet traffic. Manipulation of BGP by malicious entities is often used for industrial and political espionage as one can, often with surprising ease, reroute selected Internet traffic through one’s own routers to analyze the entire flow of Internet traffic to a target. A good presentation on the fundamental security issues with BGP can be found on Renesys’s website here. (PDF Download.)

The second and more important takeaway for end users and our clients was the acknowledgment that malware these days is very professional (there is a very efficient global market for criminals and nation-states in malware and support services), well-hidden, and like StuxNet, very destructive and difficult to remediate.

The Admiral pointed out that good standard security practices, firewalls, security software and end-user training, though still very important, aren’t enough to defend a rich target. The Admiral cited Apple as an example of a company which has taken defense against industrial espionage seriously, and whose track record is yards better than most.

According to the Admiral, Apple uses software that collects data from server access logs, swipe card systems and a number of other systems and creates “profiles” of “normal” user activity. When a user’s activity deviates from normal, an alarm is triggered. This is a high-tech version of someone asking: “Why has Bobby been photocopying the new product design plans late each night?” and is similar to systems used in my former industry (investment banking) to track rogue traders and others potentially acting on inside information.

I can also tell you that we see on our data center and office firewalls at least a half-dozen professional intrusion attempts every day, most frequently from IP addresses registered in China, near Asia and Eastern Europe. Frankly, anyone who thinks that just because they are in Maine or outside of a large metro area that they are off the bad guys’ radar is deluding themselves; the Internet knows no boundaries.

If you have something valuable to protect and would like to benefit from our best practices, please do not hesitate to call us at (207) 772-5678.

Mark
CIO

Now that insurance companies and other payers have cottoned on (yes, pun intended, sorry!) to the fact that preventative medicine lowers health care costs, primary care and other specialty providers are starting to dip their toes in the waters of better managing their patient acquisition methodologies.  Practices whose revenues rely more on elective procedures have traditionally been leaders in the medical marketing space, and as we all know, the Internet is where marketing lives these days.

In that regard, I was very pleased to be invited to speak at the upcoming Medical Internet Marketing Symposium being held in Boston on October 29-30.  Their website is http://www.mims2010.com.

The symposium addresses not only core Internet marketing challenges, but also is intended to help attendees with related issues and opportunities: e.g. how iPad usage in medical practices creates tremendous efficiencies; what to look for when evaluating patient portals; Google’s perspectives on patients’ use of medical information; good website design; computer security and data breaches, and more.

Targeted specifically for medical practices, the attendees already registered comprise a mix of physicians, practice managers and other senior, non-technical medical executive staff.  So, while many of the presentations cover technical topics, the goal is to empower attendees to plan and execute an Internet marketing strategy appropriate for their practice, and not how to code middleware between Centricity and a third-party web portal (although we can certainly do that for you if you need us to).

I hope you will consider joining us at MIMS 2010 later this month!  (You can register directly on the site.)

All the best,
Mark
CIO

P.S. Please feel free to contact me directly if you have any questions about this conference.

Documentation. We are all guilty of a sick laugh over the oil companies’ collective safety plans essentially being carbon copies of each other, with an emphasis on protecting non-existent walruses from spills in the Gulf.  But… when there is a disaster in IT, the written Disaster Recovery and Business Continuity plan is where everyone looks for salvation.  If that Plan isn’t kept up to date nor reviewed objectively periodically, when an IT disaster strikes (note I said “when”, not “if”…) that disaster will almost assuredly be of longer duration and more costly than it would have otherwise been.  Keeping Disaster Recovery and Business Continuity plans up to date in our experience is pretty cheap insurance, and while we understand completely that this activity generally gets deferred to accommodate more pressing matters, we consider it our responsibility to prod clients constructively on this front.

Testing Backups. All Disaster Recovery and Business Continuity plans rely on having good, accessible backups.  You can be the best at rotating tapes off site, but if the office burns down you’ll need to get another tape backup device just to do the restores.  And who knows if the tapes are any good?  This is one good reason why we are in most cases migrating clients away from expensive tape backups to less expensive, easily verifiable, encrypted off site disk storage.  We often muse why it’s called “Backup software” when all anyone really cares about are the restores.  Unless you periodically test your backups for their restore capabilities, the best Disaster Recovery and Business Continuity plan is pretty worthless — with or without walruses.

Single Points of Failure. The news media has harped considerable coverage on the several “single points of failure” in the blowout preventer.  In IT, eliminating all single points of failure is very, very expensive.  But eliminating many common single points of failure is surprisingly inexpensive.  For example, disk drives are dirt cheap nowadays, so having a fast RAID10 (versus a slower RAID5 or RAID6 system) doesn’t cost all that much more.  Similarly, SonicWall for example sells the second unit of a failover pair of firewalls at a considerable discount over the primary unit.  We generally recommend that once our clients have a good understanding of what an hour of downtime really costs them, that they consider making “insurance” technology hardware/software investments appropriate for their risk tolerance and lost revenues from downtime.  If you can eliminate one four-hour outage every three years for a few thousand dollars when an hour of downtime costs you a few thousand dollars, isn’t that a good return on investment?

In the same way that “every author benefits from a good editor”, we work collaboratively with our clients to help ensure their documentation, backups and level of technology investments are uniquely appropriate and cost-effective.

If you think your company could benefit from a “fresh set of eyes” on your Disaster Recovery and Business Continuity plan, backups and/or levels of IT spend, please give us a call at (207) 772-5678.  Remember, we are intentionally not a reseller, so we have no incentive to suggest you buy anything you don’t really need.

All the best,

Mark

CIO

During the meeting, I will be sharing our best practices regarding email server security. The talk will be less bits ‘n bytes technical (no procmail rulesets for example!) than it will be strategic; intended to provide ISOs with both a framework and a template for securing email systems.

Malware infestations typically penetrate enterprises through web browsing and email payloads. While there is no substitute for good end-user security training, there are some things which can be done on the email server-side of things to mitigate risk, at reasonable cost, and without inconveniencing end users unduly.

NEISO meeting attendance by non-members is by invitation, so if you would like to come, please follow the link on the NEISO website.

Hope to see you there!

All the best,
Mark
CIO

The article is a bit technical, but if you skip over the techno-blah-blah-blah, you’ll see that these two researches essentially circumvented what Microsoft is touting as the two primary lines of defense in protecting Windows systems from becoming compromised. Here’s a link to the ComputerWorld article: http://bit.ly/cs8jP9

Reps from Microsoft and Firefox were in attendance at the contest, and things were arranged in advance that the exploits were not to be made public, and indeed the security firm who sponsored the contest bought the exploits from the contestants and gave them to Microsoft and Firefox.

But that doesn’t help any of us at this moment, when we still have work to do on the public Internet. So, what can you do to protect yourself when the software that’s supposed to protect you doesn’t?

The short answer is: “Take your time and be careful.”

Take your time to be sure that your systems are fully patched, that you are running modern intrusion-prevention (expanded anti-virus) software with updated virus definitions, and that you don’t click immediately on any new popups, warnings, alerts etc. (often used by malware to get you to bypass your computer’s protective systems). Although the exploits these researchers used were very cutting edge, there are still a lot of older, equally dangerous exploits out there that patches and security software can defend against successfully.

Be careful about where you browse and the links on which you are tempted to click. Your best friend may have sent you an email with a spicy link you are drooling to click, but you got that email because your friend’s machine has been infected with malware which is trying to spread itself by sending emails to everyone in your friend’s address book! Click that link and you’ll infect your own machine… Be careful clicking on ads, even on reputable web sites. The ads are served up by third party servers, and malware-infested ads are all the rage right now as a favored attack vector. You would think you could trust an ad on, say, cnn.com, but you can’t always.

A terrific Firefox extension that helps with ads is Adblock Plus, which has been downloaded more than 75 million times and which has a five-star rating. You can learn more at https://addons.mozilla.org/en-US/firefox/addon/1865?src=api

Lastly, recognize that Microsoft and all the anti-virus software vendors are in a perpetual game of catch-up against the bad guys. If your job requires you to be a heavy Internet user, the chances are that your machine will at some point become compromised.

And when that does happen, we are here to help. Call us at (207) 772-5678 when you are ready.

All the best,
Mark Stone, CIO

A recent Microsoft patch MS10-015, which requires a reboot to complete the install, is reported to be causing a number of Microsoft servers and workstations to fail to reboot at all; the reboot ends with the infamous “Blue Screen of Death” and renders the system unusable.

Putting aside for a moment that this patch fixes a security hole Microsoft has known about for seventeen years, we think this incident highlights the need for a multi-layered approach to security in the first instance.

Microsoft is claiming that a number of systems experiencing the Blue Screen of Death are doing so because the systems were already compromised. So, right away, that tells you that even applying patches quickly isn’t enough to keep systems safe.

Further, the risk with applying patches immediately when they are released is that you will bork your system. It doesn’t happen often, but when you consider how expensive downtime really is, even once every few years is very expensive. (As I write this post, I see that Microsoft has pulled the patch to avoid borking additional systems.)

Solid network perimeter protection has been a staple of our best practices for years. Smaller clients sometimes balk initially at spending hundreds of dollars for an enterprise-grade firewall, but these devices represent cheap insurance at worst and in many cases generate a positive return on investment.

End-user education and “safe-browsing” policies are also required to avoid security breaches. Malware these days (as we have blogged previously) is increasingly sophisticated and insidious. Firewalls and anti-virus/malware software will always be a few steps behind.

So, when you have good perimeter protection and careful, educated end-users, you have the luxury of time in which to evaluate new patches as they are issued. The benefits are you stay safer all the time, and reduce the risk of borking your production systems.

If you need help with your company’s patch management and security posture, please give us a call at (207) 772-5678.

Hope that helps,
Mark
CIO