Your NCI (http://blog.nci.ca): Thoughts and ramblings from the entire NCI team.

Wed, 02 May 2012 07:07:00 -0700 Child Safety Resources Online http://blog.nci.ca/child-safety-resources-online


The importance of keeping our children safe online cannot be overstated. The Internet is an amazing resource that can greatly enhance and expand education and learning. Unfortunately, like most things in life, there are inherent risks that go along with using it. Facebook, Twitter, chat, webcams: all of these technologies can be of great benefit if used safely. All of them can also be dangerous if used improperly and without careful thought.

Rather than create another website dedicated to online safety, this post is a pointer to some already created resources:

My hope is to have this be a ‘living post’ that gets updated with new resources periodically. If you are aware of more resources that have Twitter feeds please leave a comment and I will add them to our @ncisocial/kidsafe list. Also, please feel free to submit additional URLs via the comments section as well.

The NCI Blogging Robot

(Updated: May 10, 2011)

(Updated: May 02, 2012 with user submitted links from Valley Book Club)

Tue, 03 Apr 2012 15:19:00 -0700 Data Breaches Cost Companies over $26 Billion in 2011 http://blog.nci.ca/data-breaches-cost-companies-over-26-billion

According to the DataLossDB project, 126,749,634 medical records, bank account numbers, names, and addresses were stolen or accidentally leaked in 871 separate incidents in 2011. That is a 37.4% increase in incidents and a 370% increase in records compared to 2010. Research conducted by the Ponemon Institute in 2010 put the average cost of a data breach at roughly $209 per compromised record, which brings the price tag for 2011 to over $26 billion. The following is an analysis of the incidents:

Types of Breaches


Hacking – deliberately breaking into computers – became the most common means of breach last year.

Top Incidents

  • RSA
    The security division of data storage firm EMC was hit by a hack that compromised information about its widely used SecurID two-factor tokens, forcing it to offer replacement tokens to clients.  The stolen information was later used in an attack on defense giant Lockheed Martin.  RSA has provided a useful working definition of the term advanced persistent threats, or APTs, as “military-grade cyber-attacks on commercial entities”.  In the face of APTs, businesses need a new defense doctrine, which is under discussion by an increasing number of corporate chief information security officers.
  • Texas Comptroller
    A server mistakenly left open to the public contained the Social Security Numbers of 3.5 million teachers and other state employees.  No hacking was necessary to access this server.
  • Sony
    In nine different incidents, the conglomerate lost names, addresses, and credit card and bank account numbers as hackers pillaged its online game, music, and movie divisions.  Hackers made off with 77 million names, e-mail addresses, and passwords after breaching Sony’s PlayStation Network.  The Sony breaches followed several similar data breaches at online service suppliers such as Play.com and Lush, so what effect are they likely to have on the online services industry?
  • SK Communications
    A complex attack on the Internet company netted the personal information of 35 million South Korean users.  That’s in a country of 50 million people.
  • SAIC
    A few of the defense contractor’s backup tapes were stolen out of an employee’s car.  The tapes contained the medical records of more than 5 million military patients.
  • Sutter Medical Foundation
    A stolen laptop from the health-care provider contained 3.3 million names and other identifying information, along with 943,000 patient diagnoses.  This incident brought on a class action suit, alleging negligence in securing data.

Incidents by Business Type


Cybersecurity was one of the top buzzwords for 2011 as commercial organizations increasingly found themselves up against advanced and persistent attacks to the degree previously seen only in military organizations.  Information security has moved up in the agendas of most corporations and other businesses, but government too is placing increasing emphasis on the topic, backing national cybersecurity efforts with dedicated budgets.

Incidents by Offending Party


While more and more companies are becoming aware of the problem, few have taken action.  As the analysis above demonstrates, the case for taking action has never been so persuasive.

To learn how to protect your organization, download our complimentary Executive Guide to Data Security.
Sun, 18 Mar 2012 17:13:00 -0700 Despite what you may think, IT security “is” your business http://blog.nci.ca/despite-what-you-may-think-it-security-is-you

Many executives feel that IT security is only an issue for the IT department.  The problem is that IT security is a bigger issue than just your IT department.  Every day your company faces viruses, lost devices, stolen data, and intellectual property walking out the door with recently dismissed or disgruntled employees.  According to the DataLossDB project, 126,749,634 medical records, bank account numbers, names, and addresses were stolen or accidentally leaked in 871 separate incidents in 2011, costing companies an estimated $26 billion.  Now you might say, "We aren't in the business of IT or security.  We make widgets.  We maximize investor returns by buying, selling, and trading subsidiaries to create wealth.”  The fact is that, today, ignoring IT security is clearly risky for any organization.   As reported in Forbes magazine on January 2, 2012, “If data loss continues on its current trends, it will cost the U.S. economy $290 billion by 2018”. Most cases go unreported; here are the cases that made headlines in 2011:

  • RSA
    The security division of data storage firm EMC was hit by a hack that compromised information about its widely used SecurID two-factor tokens, forcing it to offer replacement tokens to clients.  The stolen information was later used in an attack on defense giant Lockheed Martin.  RSA has provided a useful working definition of the term advanced persistent threats, or APTs, as “military-grade cyber-attacks on commercial entities.”  In the face of APTs, businesses need a new defense doctrine, which is under discussion by an increasing number of corporate chief information security officers.
  • Texas Comptroller
    A server mistakenly left open to the public contained the Social Security Numbers of 3.5 million teachers and other state employees.  No hacking was necessary to access this server.
  • Sony
    In nine different incidents, the conglomerate lost names, addresses, and credit card and bank account numbers as hackers pillaged its online game, music, and movie divisions.  Hackers made off with 77 million names, e-mail addresses, and passwords after breaching Sony’s PlayStation Network.  The Sony breaches followed several similar data breaches at online service suppliers such as Play.com and Lush, so what effects are they likely to have on the online services industry?
  • SK Communications
    A complex attack on the Internet company netted the personal information of 35 million South Korean users.  That’s in a country of 50 million people.
  • SAIC
    A few of the defense contractor’s backup tapes were stolen out of an employee’s car.  The tapes contained the medical records of more than 5 million military patients.
  • Sutter Medical Foundation
    A stolen laptop from the health-care provider contained 3.3 million names and other identifying information, along with 943,000 patient diagnoses.  This incident brought on a class action suit, alleging negligence in securing data.

Can you afford to have your company on this list?  I did not think so.  All of us have a role to play in a more secure Internet; it is clear we have a problem and need to get on with fixing the issues as quickly as possible.  If your company holds customer information, takes credit cards, or has computers that use passwords, then IT security is in fact your business.
Fri, 09 Mar 2012 07:09:00 -0800 It's More Than Just a Partner Conference http://blog.nci.ca/its-more-than-just-a-partner-conference


I’m happy to announce that I will be attending the 2012 Aruba Partner Summit from March 19th to March 21st in Las Vegas. I’ve never attended an Aruba partner conference before, but the impression I get is that this will be more than just another partner conference.

When I think of a typical partner conference, I envision a few speeches from CEOs and founders, maybe a hand-off demo or two, and possibly some whiz-bang-hey-look-how-awesome-we-are case study reviews. Boring. This will not be the case at the Aruba Partner Summit; just take a look at the agenda. The summit will have quite a few sales and technical information sessions to help get people exposed to the entire solution line-up.

Personally, I’m looking forward to the following two sessions: 

  • Designing Wi-Fi Networks for High Density Environments
  • Overcoming Challenges in Outdoor Wireless

While these are the two sessions I’m looking forward to the most, I will be attending all of the technical sessions. I’ll try to post some updates during and after the summit to share what I can. Be sure to check back in a few weeks to get my thoughts on the summit and the future of wireless networking as Aruba sees it. 

Daniel

If you're interested in discussing any of the agenda items after the summit, please feel free to contact me. I'm always excited to sit and talk wireless with anyone who is interested in the technology.

Fri, 10 Feb 2012 11:30:00 -0800 Wireless UI Walkthroughs http://blog.nci.ca/wireless-ui-walkthroughs

Recently I created two wireless vendor UI walkthroughs and thought they would be worth sharing with the NCI crowd.

The first walkthrough is of the Meraki Systems Manager. This feature is built into the Meraki Enterprise Cloud Controller and offers a fairly extensive set of MDM features to Meraki customers at no extra cost.


The second walkthrough is of the Aruba Instant Virtual Controller UI. The Instant architecture does away with hardware controllers, feature licensing, and even simplifies the administrative experience.


I hope you find the videos interesting. As always, if you have any questions, or would like a live demonstration please do not hesitate to contact us.

Daniel

Bonus Marks: Did you spot the hidden surprise in one of the videos?

Tue, 24 Jan 2012 06:51:00 -0800 NCI's @SimplyWifi Attending Wireless Field Day 2 http://blog.nci.ca/ncis-simplywifi-attending-wireless-field-day

The time has come. Today, one of NCI's own will head to San Jose to attend the Wi-Fi Mobility Symposium and then be a delegate at Wireless Field Day 2!

This promises to be an amazing event and we are thrilled to have one of our own attending. Just look at the schedule:

Wednesday, January 25 - Wi-Fi Mobility Symposium

This event will cover important topics such as: Mobile Devices & BYOD, Gigabit Wi-Fi, and Hotspot 2.0.

Thursday, January 26 to Friday, January 27 - Wireless Field Day 2

Two days of in-depth, technical presentations and discussions with many of the wireless industry's most exciting vendors (in order of presentation): Aerohive, MetaGeek, Ekahau, Meraki, Aruba Networks, HP, and Ruckus Wireless.

This event will also be streamed live.

NCI looks forward to sharing all that we learn from this event with our current and future clients. Wireless networking is set to really explode in 2012 and we are proud to be right in the middle of it!

The NCI Blogging Robot
Sun, 08 Jan 2012 20:43:00 -0800 WPS Brute Force follow-up information http://blog.nci.ca/wps-brute-force-follow-up-information

On January 1st we posted a little bit of information regarding the Wi-Fi Protected Setup (WPS) brute force vulnerability. As a follow-up, I have performed a bit more research and analysis on the vulnerability and the attack tools. Here is a list of resources you might want to check out for more information: 

No Strings Attached Podcast 

I was privileged enough to participate in the @NSAShow’s episode 2 podcast: Wi-Fi Protected Setup, Battered or Broken? I highly recommend giving the podcast a listen as it contains a lot of good information. I’d also like to thank the host @revolutionwifi and the other guest @matthewsgast for a fun and insightful 45 minutes. 

Simply Wi-Fi 

We’ve already shared my video demonstration of how a WPS brute force attack works. Since then, I’ve created another video, seen below, demonstrating the use of a tool that identifies vulnerable wireless routers. I’ve also taken some frame captures of an attack and provided an explanation of the frames at different stages of the attack. Sample frames have also been made available for anyone who wants to take a closer look in Wireshark.

 

United States Computer Emergency Readiness Team (US-CERT) 

Here is the original vulnerability note, published on December 27, 2011. It outlines the basic purpose of WPS and describes the vulnerability. 

Dan C.

If you are aware of any additional resources, please share them in the comments section below.

Sun, 01 Jan 2012 17:07:00 -0800 WPS Brute Force Concerns and Solution http://blog.nci.ca/wps-brute-force-concerns-and-solution

Recently, a white paper by Stefan Viehböck documented a few implementation weaknesses in the Wi-Fi Alliance's Wi-Fi Protected Setup (WPS). Immediately following the release of the white paper, a new tool (called Reaver) was released publicly that brute-forces the WPS PIN and, with it, recovers the WPA/WPA2 pre-shared key (PSK). The attack takes 4-10 hours on average and has an extremely high success rate.

What does this mean for you?

If you are a home user with a relatively new wireless router, you are probably susceptible to this attack. Basically, if your wireless router is WPS-capable you should assume you are vulnerable.

How do you defend against this attack?

The solution is quite simple: disable WPS on your wireless router. This renders the attack useless and it becomes a non-issue for you. After disabling it, confirm that the router's beacons no longer advertise WPS (a scanner that identifies vulnerable routers will show this); a setting that is switched off in the web interface but still advertised over the air has not protected you.

Hey, wait a minute. How come you only mentioned home users?

WPS is a system designed specifically for non-technical people. It is widely implemented in SOHO wireless routers but is generally not an enterprise wireless feature. If you happen to be running SOHO gear in the enterprise, then you will need to see if you are vulnerable as well.

Just how easy is it to perform the attack?

Easy. Here is a quick video demonstration showing how the attack works, and how to protect against it. This video was created using the freely and readily available how-to documentation on the Reaver code page.

The Bottom Line

If you are running enterprise gear, you probably have nothing to worry about. If you are running SOHO gear, then you need to look into this a bit further. Increasing the length and complexity of your PSK does not protect against this attack. You need to disable WPS until the protocol can be strengthened.
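Two points in this post and the follow-up above deserve working code: why the PIN falls in hours rather than years, and how a scanner tells from a beacon whether a router still advertises WPS. The block below is an added example, not code from the NCI posts, from Reaver, or from the router-identification tool mentioned in the follow-up; the attribute IDs are those of the WPS information element, and every beacon it parses is constructed inline rather than captured.

```python
import struct

# Added example, not code from the NCI post or from Reaver. Part 1 shows why
# the WPS PIN falls to ~11,000 guesses; Part 2 parses a beacon's information
# elements the way a "vulnerable router" scanner does, so you can confirm that
# WPS really stopped being advertised after you disabled it.
# All sample beacons below are constructed, not captured.


# ---- Part 1: the PIN keyspace ---------------------------------------------

def wps_pin_checksum(first_seven):
    """Return the 8th (checksum) digit for a 7-digit WPS PIN body."""
    accum, pin = 0, first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin):
    """True if an 8-digit PIN carries the correct checksum digit."""
    return 0 <= pin <= 99_999_999 and wps_pin_checksum(pin // 10) == pin % 10


def max_pin_attempts():
    """The registrar acknowledges the first 4 digits on their own, then the
    last 4, of which one is the checksum: 10^4 + 10^3 guesses, not 10^7."""
    return 10 ** 4 + 10 ** 3


def naive_pin_attempts():
    """Guesses needed if the whole PIN were checked at once (7 free digits)."""
    return 10 ** 7


# ---- Part 2: does the beacon still advertise WPS? -------------------------

IE_VENDOR_SPECIFIC = 0xDD
WPS_IE_PREFIX = b"\x00\x50\xf2\x04"   # OUI 00:50:F2, OUI type 4 = WPS
ATTR_VERSION, ATTR_WPS_STATE, ATTR_AP_SETUP_LOCKED = 0x104A, 0x1044, 0x1057


def parse_ies(blob):
    """Split an 802.11 IE list (id, length, value, ...) into (id, value) pairs."""
    ies, i = [], 0
    while i + 2 <= len(blob):
        eid, length = blob[i], blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        ies.append((eid, value))
        i += 2 + length
    return ies


def parse_wps_ie(blob):
    """Return decoded WPS attributes from a beacon IE list, or None if absent."""
    for eid, value in parse_ies(blob):
        if eid != IE_VENDOR_SPECIFIC or not value.startswith(WPS_IE_PREFIX):
            continue
        attrs, body, j = {}, value[len(WPS_IE_PREFIX):], 0
        while j + 4 <= len(body):                  # TLV: type(2) len(2) value
            atype, alen = struct.unpack(">HH", body[j:j + 4])
            attrs[atype] = body[j + 4:j + 4 + alen]
            j += 4 + alen

        def first(key):                            # first byte of an attribute, 0 if missing
            return attrs[key][0] if attrs.get(key) else 0

        return {
            "version": first(ATTR_VERSION),
            "configured": first(ATTR_WPS_STATE) == 0x02,   # 1 = not configured, 2 = configured
            "locked": first(ATTR_AP_SETUP_LOCKED) == 0x01,
        }
    return None


def wps_exposure(blob):
    """One-line verdict a scanner would print for this beacon."""
    info = parse_wps_ie(blob)
    if info is None:
        return "no WPS advertised"
    if info["locked"]:
        return "WPS advertised but AP setup locked"
    return "WPS advertised, PIN registrar open"


# ---- Constructed sample beacons -------------------------------------------

def _ie(eid, value):
    return bytes([eid, len(value)]) + value


def _attr(atype, value):
    return struct.pack(">HH", atype, len(value)) + value


SSID_IE = _ie(0x00, b"HomeRouter")
BEACON_WPS_OPEN = SSID_IE + _ie(IE_VENDOR_SPECIFIC, WPS_IE_PREFIX
    + _attr(ATTR_VERSION, b"\x10") + _attr(ATTR_WPS_STATE, b"\x02")
    + _attr(ATTR_AP_SETUP_LOCKED, b"\x00"))
BEACON_WPS_LOCKED = SSID_IE + _ie(IE_VENDOR_SPECIFIC, WPS_IE_PREFIX
    + _attr(ATTR_VERSION, b"\x10") + _attr(ATTR_WPS_STATE, b"\x02")
    + _attr(ATTR_AP_SETUP_LOCKED, b"\x01"))
BEACON_NO_WPS = SSID_IE

if __name__ == "__main__":
    print("valid PINs:", naive_pin_attempts(), "worst-case guesses:", max_pin_attempts())
    for name, beacon in [("open", BEACON_WPS_OPEN), ("locked", BEACON_WPS_LOCKED), ("none", BEACON_NO_WPS)]:
        print(name, "->", wps_exposure(beacon))
```

The "locked" verdict is why the attack is not instant on every router: an AP that sets the AP Setup Locked attribute after too many failed PIN attempts slows the brute force down, but it does not remove the weakness, which is why the only real fix is the absence of the WPS element from the beacon altogether.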

Oh yeah, and Happy New Year!

The NCI Blogging Robot

Questions? Concerns? Comments? Get in touch with us below.
Wed, 21 Dec 2011 08:29:00 -0800 Wireless Field Day 2 http://blog.nci.ca/wireless-field-day-2

I was originally going to post this in January, but I just couldn’t wait any longer. From January 25th to 27th, I will be a delegate at Wireless Field Day 2 (WFD2) in San Jose, CA.

My day job focuses primarily on Aruba Networks and Meraki, but I have always made an effort to keep up-to-speed with what everyone else is doing in the wireless industry. WFD2 will be a tremendous opportunity to do so. Sponsoring vendors include:

If the opportunity to get all these vendors in the same room and have a pointed, no-BS discussion about wireless technology wasn’t enough, there’s more! Along with the vendors, there will also be a list of delegates that is nothing short of amazing! So far, delegates include:

That’s a lot of wireless knowledge to cram into a single room. Seriously, my Wi-Q will increase just by hanging out with these people for a few days – awesome!

I’ll be tweeting and blogging during the entire event to help make sure that everyone gets to benefit from this amazing event. If you’re interested, you can also check out the official WFD2 channels.

Dan C.

Be sure to check back for more news on WFD2 as we get closer to the event date.

Fri, 16 Dec 2011 21:54:00 -0800 Amigopod and PAN User-ID Integration http://blog.nci.ca/amigopod-and-pan-user-id-integration

Question: What happens when two vendors work together with the common goal of making your life easier?

Answer: Your life gets easier.

Here is a quick ~5 minute video showing the integration capabilities between Aruba Networks’ Amigopod and Palo Alto Networks’ User-ID Agent. Aruba and PAN have allowed their systems to share user-ID information between each other; the benefit to you is that users can receive the same user-based firewall policy whether they are connected via wire or wirelessly. Watch the video, you’ll see what I mean.

 

Pretty neat stuff, no? Tight integration between wired and wireless solutions is going to be very important as we move into 2012. It’s good to see that some vendors are not only working on expanding their own offerings, but also taking the time to ensure that they play nicely with others.

Dan C.

We’d love to hear what you think of the video. Please leave a comment or contact us with your thoughts, comments, or questions.

Sun, 27 Nov 2011 07:10:00 -0800 Falsely Accused: The Wireless Controller Story http://blog.nci.ca/falsely-accused-the-wireless-controller-story


Every day, innocent wireless controllers are framed for crimes they didn’t commit. This is the story of how one WLAN controller was falsely accused of connection murder…

The Crime Scene - WLAN Connection Murder

Testimony: A user is having difficulty connecting his brand new laptop to the lab WLAN using WPA2-PSK. He has been able to connect to the corporate WLAN, but all attempts at connecting to the lab have failed. The user has also been able to connect to other WPA2-PSK protected networks in the past. 

Prime Suspect: Bystanders report seeing a WLAN Controller fleeing the scene.

Investigation performed by Detective @SimplyWifi

Are other clients having a similar issue? - No.

Are there comments in the controller’s release notes regarding this issue? – No.

Had client submit to a connectivity test and sent logs to the lab for analysis. Lab results below:

Deauth from sta: 24:77:03:xx:yy:zz: AP xxx.yyy.yyy.zzz-00:24:6c:aa:bb:cc-NameChanged-AP Reason Unspecified Failure

Offender Profile

Based on the debug results from the lab, it was determined that the wireless client was successfully connecting. However, it would immediately disconnect itself due to an ‘Unspecified Failure’. The important take-away is that the deauthentication came from the station, not the controller: the client was deciding to disconnect. This information allowed the detective to provide the following offender profile:

Age: Less than 1 month old.

Height: ~1 ft.

Build: Standard corporate image.

Behavioural Patterns: The offender is highly mobile but tends to spend a lot of time resting on a docking station on a desk. When connected to the docking station, the offender will likely be physically connected to the wired network via an Ethernet cable.

The Takedown

The offender was located and, as predicted, it was found connected to a docking station. Upon removal from the docking station, the client was able to successfully connect to all corporate and lab WLANs. Detective @SimplyWifi told reporters: “This is another tragic case of the victim turning out to be our perp. Once we started looking at the evidence, it was clear that the WLAN controller was being falsely accused. After that, it was a simple matter of following the evidence back to the victim.”

Final Comments:

In this case, it turned out that an application on the client was blocking the ability to connect to a wired and a wireless network at the same time. As is usually the case, the issue was client-side and required no controller changes to resolve. It serves as a great reminder of the importance of performing detailed victimology in any wireless investigation.

Dan C.

Do you have a story about spending time troubleshooting the WLAN controller only to eventually determine that the issue was with the client? If so, we’d love to hear it in the comments section. Also, if you are having troubles resolving issues on your own WLAN, please contact us and we’d be happy to assist.

Sat, 12 Nov 2011 10:45:00 -0800 DHCP Fingerprinting with ArubaOS http://blog.nci.ca/dhcp-fingerprinting-with-arubaos

If you’ve read any of my previous blog posts, you have probably noticed that I make an effort to confine my posts to vendor-neutral topics. However, every now and then I come across vendor-specific technology implementations that are so cool that I just have to say something about them. In this case, it is DHCP fingerprinting by Aruba Networks.

Without getting into too much technical detail, this technology watches the DHCP requests of wireless clients and identifies the operating system based on the way each device asks for an address. This feature is really cool because it means you can allow a user to connect to the same ESSID (read: wireless network), using the same username/password, with a variety of different devices, and get different levels of access depending on the specific device type. For example, if the user connects to the WLAN with a company issued laptop then they get access to the internal network. However, if they connect using an iPad they get Internet access only. Didn’t I say this was cool?
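To make the mechanism concrete, here is an added example of the technique the paragraph describes; it is not Aruba's implementation. A client's DHCP DISCOVER carries option 55, the Parameter Request List, and the set and order of options a stack asks for is characteristic of that stack, so the list becomes the fingerprint and the fingerprint picks a role. The fingerprint strings, the OS labels and the role names below are assumptions for illustration, and the packets are constructed inline rather than captured.

```python
import struct

# Added example, not Aruba's code: the mechanism behind DHCP fingerprinting.
# The fingerprint strings and role names are assumed for illustration, and
# every packet below is constructed, not captured.

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_PARAM_REQUEST_LIST, OPT_END = 0, 53, 55, 255

FINGERPRINTS = {                     # option-55 list -> OS label (assumed values)
    "1,15,3,6,44,46,47,31,33,121,249,252": "Windows 7",
    "1,3,6,15,119,252": "Apple iOS",
}
ROLE_BY_OS = {"Windows 7": "internal", "Apple iOS": "internet-only"}
DEFAULT_ROLE = "quarantine"          # unknown stack: least privilege


def parse_dhcp_options(packet):
    """Return {option code: raw value} from a BOOTP/DHCP packet."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (bad length or magic cookie)")
    options, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:              # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        options[code] = value
        i += 2 + length
    return options


def dhcp_fingerprint(packet):
    """Comma-joined option 55 list, e.g. '1,3,6,15,119,252'."""
    plist = parse_dhcp_options(packet).get(OPT_PARAM_REQUEST_LIST, b"")
    return ",".join(str(b) for b in plist)


def assign_role(packet):
    """(os_label, role) for one DISCOVER, as a controller would decide it."""
    os_label = FINGERPRINTS.get(dhcp_fingerprint(packet), "unknown")
    return os_label, ROLE_BY_OS.get(os_label, DEFAULT_ROLE)


def build_discover(client_mac, param_list):
    """Constructed DHCPDISCOVER: 236-byte BOOTP header, magic cookie, options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0,              # BOOTREQUEST, Ethernet, hlen 6, hops 0
                         0x3903F326, 0, 0x8000,   # xid, secs, broadcast flag
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, 1])                                   # 1 = DISCOVER
               + bytes([OPT_PARAM_REQUEST_LIST, len(param_list)]) + bytes(param_list)
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


if __name__ == "__main__":
    mac = b"\x00\x11\x22\x33\x44\x55"
    for label, plist in [("laptop", [1, 15, 3, 6, 44, 46, 47, 31, 33, 121, 249, 252]),
                         ("tablet", [1, 3, 6, 15, 119, 252]),
                         ("unknown", [1, 3])]:
        pkt = build_discover(mac, plist)
        print(label, dhcp_fingerprint(pkt), "->", assign_role(pkt))
```

One caveat worth keeping in mind when you build policy on this: the fingerprint is whatever the client chooses to send, so a user who controls the device can send a laptop's option list from a tablet. Treat the device type as a hint that narrows access (the unknown-stack default above is the most restrictive role, not the least), and keep the user's 802.1X credentials as the thing that actually grants it.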

Enough typing, I recorded a little demonstration of DHCP fingerprinting for your viewing enjoyment:

As BYOD becomes more prevalent, I think we are going to start seeing technologies like this popping up all over the place. This is a good thing since it gives administrators the ability to allow BYODs onto the network without having to give up on security and control.

Dan C. 

How do you deal with BYODs in your environment? If you have thoughts or comments regarding the proper way of dealing with BYODs please share them in the comments section. Also, as usual, please share this post with others if you found it useful or interesting.

Tue, 01 Nov 2011 08:00:00 -0700 Our true value as security professionals http://blog.nci.ca/our-true-value-as-security-professionals

Whether we are talking about financial security, territorial security, or even personal security, the concept of security is constantly evolving as it pertains to the business world and in the overall, global sense. Having recently joined the world of corporate IT security, I was immediately struck by the similarities between the evolution of corporate data, network, site and communications protection and the overall global evolution of security of state and citizen.

In many ways, the focus on IT security in a corporate environment mirrors and evolves along with the idea of security in general. The role of security professionals, whether that is in the IT world or physical world has changed with the evolution of the threat itself.

40 years ago a country could secure its borders, build a strong military, and be relatively safe and isolated from outside threats. Vigilance was reactive and often restricted to military, government, and police agencies within the country. The security of a corporate environment and communications was also a much simpler and more preventative effort.  A locked briefcase, locked doors, and secure passwords on rudimentary communication systems were generally enough to thwart attacks which were often limited to one-off rewards.

The landscape has changed, and as security professionals providing security services in today’s market, our roles have evolved to include those of educators and innovators as well as defenders. We have been shown, quite regrettably and dramatically, that in the modern world a strong military, a great border defence program, and advanced counter-espionage programs are not enough to guarantee immunity from threats. Dedicated and organised attackers will find ways around those defences and will strike at the hearts of our most vulnerable systems and sites.

This also holds true for the modern corporation. Firewalls, authentication systems, communications monitoring, UTM appliances and software controls are all good and necessary preventative measures, but it is the ongoing vigilance, proactive posture, and prepared response plans that will ultimately provide the best security for our clients.

What does this mean for us in the security provider world?

It means a heightened responsibility and a mandated goal to stay ahead of the curve in combating threats. The challenge for us is understanding our clients and their tendencies. 

It also means we have a great opportunity. We have the opportunity to be critically integrated into the organisms which are our clients’ corporate environments. Having a defensive responsibility that stretches from the server, to the endpoints, and to the cloud, means there is an abundance of opportunities for us to be creative, inventive, vigilant and consistent in our approach to protecting our clients from the threats that exist and evolve daily.

The concept of security in 2011 is constantly changing and is just as dynamic as the world around us. The notion of “not if, but when” offers us a unique chance to truly act as trusted advisors and as mission-critical resources to our clients. Despite all of our efforts, the adversary is organized, relentless, and in many cases unpredictable, because attacks are often not aimed at any specific target. Hackers will repeatedly probe multiple targets looking for weaknesses that may or may not exist until, at some point, they eventually succeed at finding a way past the defences.

The key to our value is not how we stop all breaches of security; we cannot do that. The key is how we help our clients minimize that risk through deployment of best-of-breed preparations and a strong response plan that spells out how we will react organizationally, from CEO to end-user, when the risk confronts us as a reality. A corporation that accepts responsibility for ‘response’ along with the obligatory risk management tasks will improve overall security and reduce losses and damages in the long run.

Our role and enduring professional mission is to help our clients and our industry evolve our collective thinking in line with these goals. This presents both a great challenge and a fantastic opportunity, which makes the security industry an exciting place to work and live.

Paul Robbins

 

Wed, 26 Oct 2011 07:00:00 -0700 2 tweet or not 2 tweet that is the Q. http://blog.nci.ca/2-tweet-or-not-2-tweet-that-is-the-q

In the past few days we have seen a few news stories where tweeting has got the senders into the headlines for all the wrong reasons.

One such example is when a Palestinian envoy to Canada was called home for a controversial tweet that the Canadian federal government considered offensive to Jews. In her defence she claimed that the link to a video she retweeted could not be viewed on her BlackBerry. Unfortunately, when you are the chargé d’affaires and your job is being a diplomat, there are no take-backs. As I write this, the envoy is on her way home.

What have we learned? Think before you hit that tweet button.

A second story in the news comes to us from @LAMurderCop, a 30-year police veteran in LA who’s been in homicide for 25 years. Unfortunately for the public and his employers, @LAMurderCop is a prolific tweeter at work and at home.  Recently one of his tweets had a picture attached that showed a gang shooting victim lying dead on the street. The tweet said 'Guess where I'm at, it never ends'.  Currently the actions of @LAMurderCop are under review.

Other than the obvious issues of how it’s affecting the administration of justice and bringing policing into disrepute in LA, what have we learned about tweeting?  Over sharing is not acceptable. This is especially true when you are in a profession where confidentiality is of the utmost importance.

I am not personally a big Twitter user. I have a hard enough time managing the rest of my digital life, and who knows what new digital fads are around the corner. However, here are a few observations:

  • Once you tweet there’s no taking it back – it is out there
  • Most people really don’t care what you tweet
  • And really, most things you tweet are not relevant (no one cares that you just ate a piece of toast)

Better to be thought a fool, than tweet and remove all doubt.

Marcel G.

What are your thoughts on the effects that Twitter, Facebook, or Google+ can have on our personal and work lives? Do you think social media has had a positive or negative effect on our day-to-day lives?  

Mon, 24 Oct 2011 18:05:00 -0700 A Universal Wifi User Experience Index (UWUX Index) http://blog.nci.ca/a-universal-wifi-user-experience-index-uwux-i

Back in August I posted my thoughts on some different ways to measure the success of a WLAN deployment. My main argument was that we needed to start finding ways to measure the overall user experience (UX) in addition to all the speeds and feeds. To my delight, my thoughts were generally well received in the wireless industry and the overall consensus was that UX should be one of the primary concerns when designing a WLAN. With that in mind, I think it is time to take this to the next level and try to come up with a standard way of measuring and communicating the UX of a WLAN; I call it the Universal Wireless User Experience Index (UWUX).


To highlight the potential value of this type of index, begin by asking yourself the following two questions. If you answer yes to either of them, then having a UWUX could have helped you.

  1. Consultants: Have you ever tried to talk a client out of certain WLAN UX design choices but failed because you couldn’t find a way to communicate just how user-unfriendly their WLAN was going to turn out?
  2. Administrators: Have you ever been forced to go back and redesign the way your end users register, sign-in, authenticate, and gain authorization to your WLAN after it has already been deployed? Was it, by chance, because the users complained that the WLAN was just too hard or complicated to use?

As I stated above, having a standard way of scoring the UX of a WLAN and showing how it compares to other networks could be a very valuable tool when it comes to designing and deploying an end product that will live or die by the opinions and comments of the end users. Imagine being able to demonstrate how requiring proxy settings changes on an uncontrolled guest WLAN will lower the UWUX score below a certain threshold, resulting in a dramatic increase in helpdesk requests. The results could be shown in a numerical format and on a graphical scale so that anyone could understand them regardless of technical knowledge.

The benefits of the UWUX Index increase dramatically as more people adopt it. It’s a lot like IQ scoring since no single score has any real meaning. Only when we compare a score to the rest of the scores in the index are we able to start deriving meaning. It's because of this that I’ve decided to share my plans with the community in the hopes that there will be others who want to help design a universal index that can be used by all WLAN professionals and administrators regardless of company affiliation. 

Will it be a challenge to come up with repeatable measurements? Yes.

Will it be hard to create an index that serves everyone’s needs? Yes, but the goal is to have an index that serves most common needs instead of all needs.

Will the end result be incredibly useful? Time will tell but I think the answer is yes. In my opinion, if the end result is that we all focus more on designing for user and business needs, then it is well worth it.

More to come…

Dan C. (@SimplyWifi)

If you would like to contribute ideas on what the UWUX Index should include please feel free to leave a comment below, DM me, or contact me through our website. I already have some ideas but am in the very early brainstorming stages so all ideas will be considered. Also, if you think this could fly, please retweet or share the post with WLAN, UX designers, or end-users so that we can gather ideas from as many different viewpoints as possible.

Mon, 24 Oct 2011 08:00:00 -0700 My journey in IT Security Certifications http://blog.nci.ca/my-journey-in-it-security-certifications http://blog.nci.ca/my-journey-in-it-security-certifications

IT security is one of the fastest growing sectors in the IT field overall, and as such IT security professionals are in high demand. As a result, employers in the security field are increasingly using certifications as their baseline for evaluating and comparing candidates for security positions. As an IT security professional, I have gone through many certifications in my career.

Here is an overview of the major IT and security certifications I have obtained:

Cisco Track CCNA, CCNP: Like many security professionals, my journey in IT certifications started with the Cisco routing and switching track, as I was in the networking field prior to the security field. Cisco certifications are highly technical and very demanding in terms of hands-on abilities on routers and switches. They gave me a strong knowledge of networking technologies and a deep understanding of routing protocols. Currently, to obtain the CCNP certification, three exams are required (routing, switching and troubleshooting) after CCNA. Like all Cisco certifications, CCNP is valid for three years and requires passing a professional-level exam or an expert-level written exam before the expiration date in order to renew the certification.

Security+: This is the first certification to think of for a junior IT professional aiming to specialize in the IT security field. CompTIA Security+ is an international, vendor-neutral certification that demonstrates competency mainly in network security, threats and vulnerabilities, access control and identity management. This was my first step in the IT security world. It was not highly technical; instead, it was more focused on learning the terminology and basic security concepts used by security professionals. Security+ is valid for three years and requires retaking the exam before the expiration date in order to renew the certification.

CISSP: After gaining the required five years’ experience in the security field (with a strong networking flavour), I took the CISSP exam. This is a very demanding certification with a large volume of documentation to walk through. It took me about 4 months to finish the Shon Harris study guide (studying only during the weekends), then about a month to practice CISSP exam-like questions. CISSP is not the most technical certification, but it is by far the most complete one in terms of its coverage of security subjects. It took me around four hours to finish the 250 questions of the exam. CISSP is valid for three years, and gaining CPEs is required to maintain and renew the certification.

CEH: It is much more technical than the Security+ certification and focused on penetration testing methodology and various hacking tools. I can’t say I learned pen testing with CEH. Indeed, prior to taking the CEH exam, I already had some experience in pen testing and security assessments; CEH gave me a strong knowledge of methodology and of the targets to be defined for each step in the pen testing process. CEH v6.0 was more focused on tools, whereas the new CEH v7.0 curriculum is more focused on methodology with an OWASP flavour. CEH certification is valid for three years, and CPEs are required in order to maintain the certification.

CISA: CISA is a well known audit certification, most probably the oldest certification in the field of information systems audit. The CISA exam was focused on IT governance, risk management and the general IT audit process and methodology. Unlike the CISSP exam, which I found to be pretty easy, this exam was hard, really hard. Indeed, few questions were of a technical nature, and the business process and risk management related questions were very subjective and ambiguous. Just like CISSP, CISA is valid for three years, and gaining CPEs is required to maintain and renew the certification.

The journey is not finished yet; this year I’m targeting GIAC certifications and will focus more on audit process, risk and security program management.

Maher G.

What has your certification path been like? Are there any certifications you would highly recommend? Do you agree or disagree with the emphasis and importance that employers place on certifications during the hiring process?

Mon, 17 Oct 2011 08:00:00 -0700 Patent Trolls: Stay under your bridges http://blog.nci.ca/patent-trolls-stay-under-your-bridges http://blog.nci.ca/patent-trolls-stay-under-your-bridges

In case you didn’t know, a patent troll is a company that licenses patents without actually producing any products of their own. They will typically buy up patents and wait until unsuspecting companies infringe on their broad patent portfolio. Recently, a Delaware-based company named Innovatio IP Ventures has been doing exactly that and taking on small companies that offer free WiFi service to their patrons. Innovatio has demanded that small businesses such as coffee shops and restaurants provide a one-time licensing payment for the ability to provide their customers with free WiFi services. These settlements typically cost anywhere from $2300 to $5000 and are significantly cheaper than how much it would cost to hire a lawyer and fight the lawsuit. As a result, most businesses are happy to just settle because who really wants to go through the trouble and astronomical legal costs for such a small licensing fee. A good summary of the situation was written by Gregory Thomas on The Patent Examiner website. Innovatio claims they will not be targeting individual residential homes however there does not appear to be much stopping them at the moment.

Patent trolls are not just costing small to medium sized businesses time and money. They are seriously harming technical innovation. A recent study from Boston University researchers has concluded that patent trolls have cost innovators half a trillion dollars since 1990. In the past four years the costs have risen to 83 billion per year. This doesn’t even count the massive legal battles between the major tech giants such as Apple and Microsoft. The patent system is supposed to provide incentives to be creative and stimulate innovation, but the flurry of patent lawsuits is arguably hurting innovation. You cannot tap the full potential of your creativity when you are worried about some suit-wearing trolls emerging from under their bridges to take you to court.

I recommend reading the study from Boston University as it provides some interesting insight into the current state of these frivolous patent lawsuits. I personally hope that these issues can be addressed from a legislation standpoint and be fixed to provide businesses with a little breathing room to be as creative as they want without fear of taking on legal trolls.

Steve S.

What are your thoughts on the effects of the patent system on innovation? Leave a comment if you have anything you'd like to add to the conversation.

Tue, 11 Oct 2011 10:30:00 -0700 (ISC)² Security Congress 2011 http://blog.nci.ca/isc-security-congress-2011 http://blog.nci.ca/isc-security-congress-2011

The congress was held Sept 19-22 at the Orange County Convention Center in Orlando. This was (ISC)²’s first annual Security Congress, hopefully not the last! It was co-located with ASIS International’s 57th annual seminar and exhibits, a move that recognizes the convergence of physical and information security.

After attending this congress, I realized how big the physical security world is. To give you the numbers, there were 280 attendees from (ISC)² versus 20,000 from ASIS, and enough exhibitors for this crowd to visit: 700.

There were three hour-long educational sessions per day, with about 25 topics to choose from for each session.


What were they talking about?

The three topics that were heard, discussed and debated in almost every session (among the 10 or so (ISC)² sessions that I attended) were:

  1. Cloud Security
  2. Mobile Device Security
  3. Social Media

The trend and the focus for the information security industry in the next couple of years will be on addressing the above three topics with policies, regulations, products, and services. Below I’ll expand a little on why each area is attractive and what the security risks are.

1. Cloud Security

Why cloud? - Flexibility and scalability, cost savings, availability and disaster recovery

Threats? - Data loss/leakage, abuse of cloud, account/service hijacking, shared technology

What to do? - Like any other technology, cloud has risks associated with its benefits. All the classic principles of information security should be applied to it, keeping them in mind from the design/architecture phase onward. Have an incident response plan. Consider private/community/public/hybrid cloud options.

2. Mobile Device Security

Why mobile devices? - Business rewards (response time, availability, flexibility), employee experience (ubiquitous mobile devices, employee owned), executive adoption

Threats? - Data loss/leakage, employee privacy concerns, compromise of corporate network from mobile device

What to do? - Look into device ownership (= liability) issues, have a corporate and a personal mobile device use policy, provide training to go along with that policy, harden mobile devices 

3. Social Media

Why social media? - It’s ubiquitous and unavoidable, it is the basis for Web 2.0, it has great potential to be used as a marketing and customer communication tool for the enterprise

Threats? - Faster spread of malware through the ‘trust’ factor, phishing attacks, worms, shortened URLs, Evil Twin attacks, session hijacking, identity theft, all leading to information leaks and corporate liability issues

What to do? - Social media use policy (AUP), education and awareness, use of content filtering and DLP products to control traffic to and from social media sites

Some interesting notes:

  • Security is not about security, it’s about risk management
  • What is the perimeter of your network? It’s the end user!
  • A smartphone on your network should not be treated ANY differently from any other computer on your network
  • 1 out of 5 tweets names a product brand
  • Facebook mobile users are 50% more active than other users of the site
  • Sources of social media risk include: clients, employees, vendors, competitors, activists, and cyber criminals

Some interesting links:

Some interesting speakers:

  • Jeb Bush, Former Governor of Florida
  • Vicente Fox, former president of Mexico
  • Burt Rutan, designer of SpaceShipOne
  • Janet Napolitano, US DHS Secretary
  • Winn Schwartau, celebrity and power thinker on security/privacy/infowar/cyber-terrorism
  • Charlie Blanchard, Manager of Security & Privacy Services, Deloitte & Touche LLP
  • Simon Hunt, VP and CTO, Endpoint Security, McAfee
  • Shayne Bates, Director Security Cloud Strategy, Microsoft Global Security
  • James Hewitt, Director of Security Governance, CGI Federal

Vahid A.

Wed, 05 Oct 2011 18:30:00 -0700 Farewell, Steve - Consider the Universe Dented http://blog.nci.ca/farewell-steve-consider-the-universe-dented http://blog.nci.ca/farewell-steve-consider-the-universe-dented

Standing in a check-out line at the grocery store; that is where I was when I heard the news that Steve Jobs had passed away, and I doubt this is something that I will ever forget.

I will not say very much, as I do not believe I have the right words to describe what an incredible dent Steve has put in our universe. Look around and you can see it for yourself. Instead, I will simply leave you with Steve’s 2005 Stanford Commencement Address, and challenge you to try to bring the same level of passion, vision, and innovation to your personal and work lives.

“The only way to be truly satisfied is to do what you believe is great work. And the only way to do great work is to love what you do. If you haven’t found it yet, keep looking.” – Steve Jobs

Farewell, Steve. For many people, the search for “it” still continues, but your life has been a roadmap to what to do when you find it.

Dan C.

Mon, 03 Oct 2011 05:28:00 -0700 Customer Maintenance/Support - Worth the $ or Not? http://blog.nci.ca/customer-maintenancesupport-worth-the-or-not http://blog.nci.ca/customer-maintenancesupport-worth-the-or-not

Question: Maintenance, is it worth the money we need to pay every year?

Answer: Yes, unless you want your technology to stay frozen at its date of purchase.

Maintenance renewals can seem costly, but they are necessary to reap the rewards of ever changing and adapting technologies. Manufacturers use this annual income to fund R&D of their solutions and to continue providing you with the best technology of the moment.

Think of it like your car or home insurance: you might not need it on a daily basis, but when you do, it is available and there for you.

Renewing your maintenance should be easy, consistent, accurate and on time. Here are some of my processes that help me to assist our customers.

  1. Prepare renewals 2 – 3 months before expiry: This allows our customers time to process and provide a Purchase Order prior to expiry.
  2. Co-term expiry dates: I work closely with our sales team, manufacturers/vendors and distributors to coordinate renewal end dates that best suit our client’s needs, whether annual, semi-annual or whenever the customer’s budget dictates.
  3. Always work with the customer’s requirements in mind, not the manufacturer’s.

Renew your maintenance and keep your assets up to date with technology. If you do not receive updates, patches, access to upgrades, or access to added functionality, you may no longer be receiving the level of protection required for your environment.

Call us today, I will show you how easy it can be to renew.

Kathy H.
