April 22, 2014

Security Manager's Journal: Virtual machines, real mess
We found that those virtual machines were not running any antivirus software and hadn't been patched in more than two years, so we ran a virus scan of one of the virtual machines. Suddenly, everything became very clear. The virtual machine was infected with a virus whose characteristics matched the activity that caused the denial of service to the office. In fact, all 30 desktops in the classroom were infected. But that's not the worst of it. The installed images were derived from a base image maintained at a cloud provider. That base image contained the virus, which explains how 30 machines became infected.

Microsoft Azure SQL Database Security - Firewall Configuration
Deployment of cloud-based technologies introduces a wide range of challenges; however, few of them are subjected to the same degree of scrutiny, concern, and public debate as security. In order to properly analyze security-related challenges, it is important to note that they encompass several distinct but interrelated concepts, such as data integrity and confidentiality, access control, authentication, and authorization. In this article, we will start reviewing them in the context of Microsoft Azure Software as a Service-based SQL Database, focusing in particular on the SQL Server and database-level firewall access control functionality and the methods that can be employed to implement it.

New iOS malware highlights threat to Apple mobile devices
The malware is designed to listen for outgoing connections. Once it recognises an Apple ID and password, it sends these unencrypted IDs and passwords to the cyber criminals behind the malware. The Unflod malware also highlights the risks of installing unknown apps on jailbroken iPhones. Reports of the malware targeting Apple iOS emerged in posts on reddit by iOS users hit by repeated system crashes after installing iOS customisations that were not part of the official Cydia market. A developer for the Cydia market, an alternative to the Apple App Store, has responded to the news in a reddit comment, saying that the probability of Unflod coming from a default Cydia repository is fairly low.

It’s Official: 2013 Was the Busiest Year Yet for Cyber Criminals
The finding comes in a report from the security arm of the telecom giant Verizon set to be published on Wednesday. The Verizon annual Data Breach Investigations Report is one of the most highly regarded in the industry and is now in its tenth year. It contains data on attacks from 50 companies and organizations, covering more than 63,000 computer security incidents and 1,347 confirmed breaches in 95 countries. As these things go, the report contains more data to analyze than any other report of its kind, said Jay Jacobs, a Verizon analyst and one of the report’s co-authors. If combating nine kinds of attacks sounds too ambitious, then maybe this will make it sound a little easier: On average, roughly 72 percent of all attacks were carried out using one of three methods, though the specifics tend to vary by industry.

What Is A Distributed Database And Why Do You Need One?
Grab this technical whitepaper to learn more about the NuoDB distributed database. Learn more about how NuoDB: Cracked the code and finally built a distributed database; Conceived the Durable Distributed Architecture (DDC) by studying the shortcomings of traditional designs; Built a database designed to scale-out on demand in the cloud; and Can provide your app with on-demand scale out, geo-distributed data management and resilience to failure

Managing the Demand for IT Infrastructure
To save costs and prepare for adoption of next-generation infrastructure technology and hybrid-cloud models, leading organizations are adopting commercial-style demand and service management that has two key characteristics. The first is a standard services catalog with clearly priced offerings that can be consumed on a price-times-quantity basis. Such a catalog requires creating bottom-up unit costs for each service based on a detailed bill of materials. This means that unit costs should be an aggregation of all the components making up the service and not an arbitrarily stipulated cost mostly based on averages and allocations.

Business success increasingly hinges on supply chain innovation and procurement advantages
The power of data-driven business networks and the analytics derived from them are increasing, but how do enterprises best leverage that intelligence as they seek new services, products and efficiency? How do automation and intelligence enter the picture for better matching buyers and sellers? BriefingsDirect had an opportunity to learn first-hand at the recent 2014 Ariba LIVE Conference. To learn more about how business—led by procurement—is changing and evolving, and how to best exploit this new wave of innovation, we sat down with Rachel Spasser, Senior Vice President and Chief Marketing Officer at Ariba, and Andrew Bartolini, Chief Research Officer at Ardent Partners.

SEC seeks data on cyber security policies at Wall Street firms
The SEC Office of Compliance Inspections and Examinations (OCIE) will review each company's tools and policies regarding governance, risk identification and assessment, network and data security controls, remote access and third party cyber risks. In a security alert released last week, the SEC said the effort was launched after participants at an SEC-sponsored roundtable discussion in March stressed the importance of strong cybersecurity controls at Wall Street firms. During the roundtable, SEC Commissioner Luis Aguilar recommended that the Commission collect information from broker-dealers and other financial firms about their cyber readiness.

Now is the time to switch back to Firefox
Mozilla's commitments to your privacy and to the open web are much more important than what any of its staff might have done in the past. In any case, Mozilla co-founder and former chief executive Brendan Eich has already quit, and Mozilla chairman Mitchell Baker has very publicly apologised. At this point, anybody who still thinks boycotting Firefox is a good idea is behind the times. It needs -- and deserves -- your support. Businesses, of course, tend to judge things on merit, which is where the argument for Firefox is strongest. I switched back to Mozilla Firefox in the middle of last summer, when it first became a better browser than Chrome, at least for me.

Intuitive, Robust Date and Time Handling, Finally Comes to Java
When dealing with dates and times we usually think in terms of years, months, days, hours, minutes and seconds. However, this is only one model of time, one I refer to as “human”. The second common model is “machine” or “continuous” time. In this model, a point on the time-line is represented by a single large number. This approach is easy for computers to deal with, and is seen in the UNIX count of seconds from 1970, matched in Java by the millisecond count from 1970. The java.time API provides a machine view of time via the Instant value type. It provides the ability to represent a point on the time-line without any other contextual information, such as a time-zone.

Quote for the day:

"People grow through experience if they meet life honestly and courageously. This is how character is built." -- Eleanor Roosevelt

April 21, 2014

802.11ac standard: How did we get here?
Wireless technology began developing in the early 1970s and has since become an everyday necessity for both consumer and enterprise. The 802.11 standard, which governs the technology's development, has gone through several facelifts in the 17 years since the specification was first created. Today, unfettered access to data has revolutionized the industrial world, fueling the growth of efficiency, productivity and ultimately revenues for businesses worldwide. SearchNetworking created this visual timeline that illustrates key events in the evolution of the 802.11 standard.

The enterprise products with disruptive potential for 2014
Innovation in productivity and collaboration applications has continued apace, and I omitted most of them here, since I'll cover them separately in a future exploration. However, despite growing enthusiasm, I find that workers often don't do well with excessive novelty when it comes to their business applications. While there are many interesting new tools emerging all the time, most of them are likely to fade away as they fail to find an audience. Nevertheless, it's one of the more exciting areas, especially as the innovation level at the top end of the product space is more limited.

Contributions of Individual Programming Languages to Software Development
In this blog post, I look at the contributions of several different programming languages to our discipline. In most cases, the listed language was not the very first to introduce the concept or feature, but was the first to make it popular or "mainstream." The purpose of this post is NOT to state which programming language is best or why one is the best thing since sliced bread while another is the worst thing to ever happen to a software developer. I also don't cover markup "languages" such as XML or HTML in this post, though they obviously have had significant influence on software development.

3 Benefits of Mining POS Gold
When retailers were asked to name their best systems or operations decision in 2013, the top answer was focusing on mobile and traditional Point of Sale (POS). In the same 2014 Tech Spending Survey from Integrated Solutions for Retailers (ISR), POS hardware and software headed the list of projected planned investments for this year. Those results shouldn’t be surprising. Advanced POS technology now enables retailers to collect an array of granular data on customer activity and product sales. Putting this information to work can provide retailers with a critical strategic edge. Here are three areas where POS information can make a difference:

Even Good Employees Hoard Great Ideas
What most companies should focus on first is creating an environment, or a culture, that fosters innovation. For example, in the case of the employee wanting an NDA before sharing her idea, the underlying issue may not have been money, but rather commitment and trust. For some reason, this employee didn’t feel that part of her job was to help the company come up with new ways of working, and she wasn’t excited about helping the company improve; she was only innovating because it was good for her. At the same time, she didn’t trust her manager or colleagues to explore or implement her idea, because she was afraid that she wouldn’t be recognized for her contribution. Paying her for the idea likely wouldn’t resolve these issues; rather, it might reinforce them.

Satellite communication systems are rife with security flaws, vulnerable to hackers
"We uncovered what would appear to be multiple backdoors, hardcoded credentials, undocumented and/or insecure protocols, and weak encryption algorithms." "These vulnerabilities allow remote, unauthenticated attackers to compromise the affected products," the researchers said. "In certain cases no user interaction is required to exploit the vulnerability; just sending a simple SMS or specially crafted message from one ship to another ship would be successful for some of the SATCOM systems."

Dark alleys ahead when SDN automation meets Internet of Things
For IoT to work, we'll have to turn our network security strategies upside down. Today's networks are unapologetically skeptical, even hostile. If someone wants bandwidth, if they intend to pass traffic, we place the burden on proof-of-policy compliance that involves the device, the user, or a contextual combination of the two. If we define an endpoint as a person/process, plus context, plus device, we find that we put enough hoops in place that it's relatively expensive for endpoints to add themselves to a network of their choosing. Today endpoints need sponsors.

Bart Perkins: How to keep projects on track
The problems didn't come out of nowhere, of course. But IT leadership can fix problems only if they're known. And problems that fester are more difficult to fix. Unfortunately, project staff can feel strong but subtle pressure to keep problems to themselves. They worry that they won't be perceived as team players if they report any concerns. Less experienced staff can feel an unfounded optimism that convinces them that the project team will be able to recover from missed deadlines by working harder. In the case of the Fortune 500 company cited above, all six failing projects had executive sponsors who were politically powerful and known to attack bearers of bad news. Nobody wanted to raise a red flag and admit that their project was in trouble.

'BYOS' Should Replace BYOD
Wearables take us to that next level of mobility: the fully connected life, where information is available anywhere, anytime. That's a serious concern for those of us who need to manage the BYOS world. If you think smartphones present challenges when it comes to management and security, what are we supposed to do when executives want to access corporate data from their connected cars? Almost half of Baby Boomers consider it vital to access the phone in the vehicle for business and applications, according to an IDC research report.

10 Top Information Security Threats for the Next Two Years
The information security threat landscape is constantly evolving. To help you navigate the terrain, each year the Internet Security Forum (ISF) -- a nonprofit association that assesses security and risk management issues on behalf of its members -- issues its Threat Horizon report to provide members with a forward-looking view of the biggest security threats over a two-year horizon. What follows are the 10 biggest threats on the horizon through 2016 that your organization may have to manage and mitigate, along with commentary from Steve Durbin, the ISF's global vice president.

Quote for the day:

"You have reached the pinnacle of success as soon as you become uninterested in money, compliments, or publicity." -- Thomas Wolfe

April 20, 2014

Data Governance for Regulated Industries
Securely and cost-effectively managing petabytes of data from siloed systems is both a threat and opportunity for banking, healthcare, and other organizations in highly regulated industries. Technology advancements and the changing economics of storage and compute have made it possible to leverage this data to do more far-reaching and sophisticated analysis. However, sweeping changes to privacy and transparency laws have heightened the importance of data governance.

Shiny Objects and the Senior Management Team
Effective management teams learn to recognize the signs of a breakdown in discipline and they redouble their efforts to promote clarity and minimize the tendency to fill ambiguity with unqualified activities. These groups recognize the dangers of hubris born of success (Jim Collins) or the tendency to flail in search of quick answers when things go wrong. They understand that they are accountable for setting direction and ensuring that each and every choice to apply company resources must create the right kind of value. And they accept that determining just what the right kind of value truly is, is an exercise that can only be resolved through debate and deliberation.

How to Detect Criminal Gangs Using Mobile Phone Data
Criminal networks are just as social as friendship or business networks. So the same techniques that can tease apart the links between our friends and colleagues should also work for thieves, drug dealers, and organized crime in general. But how would your ordinary law enforcement officer go about collecting and analyzing data in this way? Today, we get an answer thanks to the work of Emilio Ferrara at Indiana University in Bloomington and a few pals. These guys have created a bespoke software platform that can bring together information from mobile phone records, from police databases and from the knowledge and expertise of agents themselves to recreate detailed networks behind criminal organizations.

Dynamic Generation of Client Proxy at Runtime in WCF using a Single Factory
In the conventional method, if a client proxy for a WCF service has to be generated at runtime programmatically, an instance of ChannelFactory (a generic type) is created, passing the interface type of the service (the contract) as the type parameter of the generic class. This requires a different implementation for each service when generating client proxies, which reduces the generic scope. This article describes a method to create a factory class which generates a client proxy at runtime from the type of the service contract received as a parameter. This eliminates the need for separate implementations by using a single factory class with the help of .NET reflection.

The dilution of enterprise-architecture
SA is a job title used by systems integrators in the bid phase, and sometimes in the delivery phase. It denotes the person responsible for the solution outline or high-level design, who must join everything up into a coherent solution architecture and identify and mitigate all manner of technical risks, with the delivery time and cost in mind. EA is a job title used for the manager, leader or member of a strategic and cross-organisational function responsible for optimisation of the enterprise system estate. Often, the job is described as requiring engagement with senior executives and their strategies.

6 Top Information Governance Certifications: Don’t Have One? Well You Should
There are numerous information governance certifications you can get to advance your career. Depending on the professional value of each certification, how long it takes to complete it, the cost and the level of difficulty, some certifications might be more necessary for you than others. After learning more about your options, including the popular certifications below, you can be a better judge of what will suit your needs and professional goals.

Biometric identification that goes beyond finger prints
The past few years have seen a great biometric leap forward, as the saturation of smartphones and biotech advances have expanded the universe of potential biomarkers and applications. It's not just the iPhone 5's fingerprint sensors or Fujitsu's plan to embed a palm vein scanner into its mobiles. We're talking scanning the irises of all 1.2 billion Indians, as well as long-range iris scans, gait-recognition systems that use your smartphone's accelerometer to identify you while you pace, electrocardiogram wristbands rigged to open your door and, yes, the butt and body odor scans. Some applications raise amusing reliability questions: How effective would a body odor ID system be if you were to eat a lot of garlic or wear a new perfume?

The data platform for a new era
At the event we celebrated the launch of SQL Server 2014. With this version we now have in-memory capabilities across all data workloads delivering breakthrough performance for applications in throughput and latency. Our relational database in SQL Server has been handling data warehouse workloads in the terabytes to petabyte scale using in-memory columnar data management. With the release of SQL Server 2014, we have added in-memory Online Transaction Processing. In-memory technology has been allowing users to manipulate millions of records at the speed of thought, and scaling analytics solutions to billions of records in SQL Server Analysis Services.

Cisco and Microsoft SQL Server 2014
Cisco and Microsoft, with our strategic storage partners EMC and NetApp, have worked to create Cisco Validated Designs built on Microsoft reference architectures. All solutions and reference architectures are field tested and validated with a primary objective to help simplify implementation and the deployment of Microsoft SQL Server workloads on Cisco UCS. Our integrated infrastructures with our partner EMC are branded ‘VSPEX’ while our solutions with our partner NetApp are branded ‘FlexPod’. With the release of SQL Server 2014, our inventory of SQL Server solutions will grow as we bring to market in spring 2014 reference architectures to support consolidation and high availability scenarios.

Nashorn - The Combined Power of Java and JavaScript in JDK 8
Starting with JDK 8, Nashorn replaces Rhino as Java’s embedded JavaScript engine. Nashorn supports the full ECMAScript 5.1 specification plus some extensions. It compiles JavaScript to Java bytecode using new language features based on JSR 292, including invokedynamic, that were introduced in JDK 7. This brings a 2 to 10x performance boost over the former Rhino implementation, although it is still somewhat short of V8, the engine inside Chrome and Node.js. If you are interested in the details of the implementation, you can have a look at these slides from the 2013 JVM Language Summit.

Quote for the day:

"When you have exhausted all possibilities, remember this: You haven't." -- Thomas Edison