it-security

When you have salah and Allah, everything really does fall into place.
In the past, before embracing Islam, everything was always planned; I liked to plan things out. I didn’t like the unexpected. When things would catch me off guard, I would hate it.
When you have Allah, you have to put your trust in Him. That way, no matter what comes at you in life you can handle it. Like I’ve learnt that when I get up for fajr I can already have things planned for the day but I know for sure that can all change to something else, other things that Allah has planned for me instead and I have to be okay with that.
He knows what’s best for me, He may be protecting me. Allah knows best.
When you have that trust in Allah and the peace salah gives you, you can honestly handle anything that gets thrown at you. That’s when patience comes in.
Sabr, trust and be open minded for Allah’s plans.

Virtualization and Enterprise Architecture

“[Virtualization is] a technique for hiding the physical characteristics of computing resources from the way in which other systems, applications, or end users interact with those resources. This includes making a single physical resource (such as a server, an operating system, an application, or storage device) appear to function as multiple logical resources; or it can include making multiple physical resources (such as storage devices or servers) appear as a single logical resource.” (Mann, Andi, Virtualization 101, Enterprise Management Associates (EMA), Retrieved on 29 October 2007 according to Wikipedia)

Virtualization places an intermediary between consumers and providers; it is an interface between the two. The interface allows a multiplicity of consumers to interact with one provider, or one consumer to interact with a multiplicity of providers, or both, with only the intermediary being aware of multiplicities. (adapted from Wikipedia)

ComputerWorld, 24 September 2007, reports in “Virtual Machines deployed on the Sly” that according to an InfoPro survey “28% of the respondents said they expect that half of all new servers installed at their companies this year will host virtual applications. And about 50% said that, by 2010, at least half of their new servers will likely host virtual software.”

What are the major concerns in going virtual?

  • Service levels—users are concerned that performance will suffer without having dedicated hardware to run their applications.
  • Security—there is concern that application and information security will be compromised in a virtual environment.
  • Vendor support—“some vendors won’t support their software at all if it’s run on virtual machines.”
  • Pricing—pricing for software licensing utilized in a virtual environment can be higher due to added complexity of support.

From a User-centric Enterprise Architecture perspective, plan on moving to virtual machines. There is potential for significant cost savings from consolidating IT infrastructure that includes reducing the number of servers, reducing related facility costs, as well as increasing overall utilization rates of machines and balancing loads to achieve greater efficiency. Soon there is no need for a dedicated server to host applications anymore.

Security Tips

First let me introduce myself. I am Josh Roseberry of Greensburg, Indiana. I have lived in this small town my entire life. I made the so wise decision to attend online courses at Phoenix University. Yes, I realize Phoenix is not exactly a well-respected school. I also realize online courses don’t gain a lot of respect either. I spend a good portion of my time studying Information Technology concepts. I am pursuing my Bachelor of Science in Information Technology with a focus on Networking and Telecommunications.

I currently live in a one bedroom apartment complex. This makes wireless security a bit of a concern for me as all my devices are currently wireless. I currently have a Cisco® Linksys WRT320N Dual Band wireless-n gigabit router. I do use WPA2 security mode, yet with a recent firmware upgrade I no longer have the choice to select encryption and authentication protocols. This is a shame because I do prefer TKIP over AES.

I can provide some tips. If you live in a crowded area and are concerned about other people getting into your network through a wireless router, do some of these steps. Make sure you use a strong passphrase. It should be between 8 and 10 characters long and include both upper and lower case letters as well as numbers. To take the security higher, throw in some special characters as well. Some special characters that are commonly used are $%#@^&.

The next step is to use MAC filtering and reservation. On my home network only MAC addresses I enter into the wireless MAC filter will be allowed wireless access. Adding a DHCP MAC reservation for those MAC addresses will give you an idea of what is connected to which IP. This takes a bit more setup but is perfect for smaller networks.

While these tips should be common sense to IT experts, not all consumers are aware. I will be back later with some more tips.
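The MAC filter and DHCP reservation tip above gives you a list to check the router's connected clients against. The following Python code is an added example, not part of the original post; the reservation list, the "IP MAC hostname" client-list layout and every address in it are constructed for illustration.

```python
import re

# Constructed reservation list: MAC address -> reserved IP address.
RESERVATIONS = {
    "00:11:22:33:44:55": "192.168.1.10",
    "66:77:88:99:aa:bb": "192.168.1.11",
}

# Constructed client list in an assumed "IP MAC hostname" layout; a real
# router's export will differ and needs its own parsing.
CLIENT_TABLE = """\
192.168.1.10 00-11-22-33-44-55 laptop
192.168.1.42 6677.8899.AABB phone
192.168.1.50 DE:AD:BE:EF:00:01 unknown-device
"""


def normalize_mac(text):
    """Return a MAC as lowercase colon-separated pairs, whatever the input style."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_clients(table, reservations):
    """Compare connected clients with the reservation list.

    Returns (finding, mac, ip) tuples:
      unlisted - client MAC is not in the reservation list
      wrong-ip - listed MAC holds an IP other than its reservation
      absent   - reserved MAC that is not currently connected
    """
    reserved = {normalize_mac(mac): ip for mac, ip in reservations.items()}
    findings, seen = [], set()
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # skip blank or malformed lines
        ip, mac = fields[0], normalize_mac(fields[1])
        seen.add(mac)
        if mac not in reserved:
            findings.append(("unlisted", mac, ip))
        elif reserved[mac] != ip:
            findings.append(("wrong-ip", mac, ip))
    for mac in sorted(set(reserved) - seen):
        findings.append(("absent", mac, reserved[mac]))
    return findings


if __name__ == "__main__":
    for finding in audit_clients(CLIENT_TABLE, RESERVATIONS):
        print(*finding)
```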

FDCC and Enterprise Architecture

Setting standards helps us to reduce complexity, contain costs, build interoperability, and secure the enterprise.

The Air Force is leading the way in setting standard configurations for the Federal government for computers, servers, printers, and cell phones.

Government Computer News, 4 August 2008, reports that “The Air Force started taking delivery in July on the first of 150,000 new PCs…the first to come equipped with their Windows Vista operating systems, including Internet Explorer 7, preset to meet Federal Desktop Core Configuration (FDCC) 2.1 standards.”

The FDCC is an outgrowth of the Air Force’s IT Commodity Council (ITCC) “efforts with Microsoft in 2006 to test and develop a standard software configuration.” This was coordinated with NIST, NSA, DISA, and other agencies. Further, OMB “required agencies to implement FDCC’s Windows XP and Vista standards by Feb. 1, 2008.”

Now ITCC is working with DISA, NSA, Army, Navy, Marine, and Coast Guard to build Server configurations. Microsoft is taking these base configurations and “will develop configurations for ‘roles placed on top,’” says Michael Harper, Microsoft Service Director.

“Those will include the file and print servers, the domain controller, Exchange, SQL server, SharePoint, Web, and Windows deployment services.”

FDCC is “forcing the software industry to pay greater attention to the default settings of its products”. This is helping to reduce security vulnerabilities, and reducing costs.

Some examples of reducing costs and achieving other benefits from FDCC include:

  • “Preinstalling software at the factory rather than retrofitting a machine.”
  • Reducing energy costs by “preconfiguring Vista’s energy management settings.”
  • “Streamlining the number of…device categories.”
  • “Standardizing…software…makes it easier to manage network and document security.”

FDCC has been so successful that ITCC is now moving forward with doing the same standardization for mobile devices.

FDCC is a step forward in terms of inter-agency collaboration, working with the vendor community, and creating an enterprise architecture that hits the mark for improved IT planning and governance.

Planning your career path

If you have just completed your studies, it is time to sit down and think of jobs and a long-term career strategy. We have some tips to help.

1. Your first career plan-of-action is to identify jobs where locals are preferred. Such jobs usually combine some technical expertise (known in HR jargon as “domain knowledge”) and lots of leadership and people-relationship skill.

An example is IT Project Management, such as upgrading all the computers in institutions or building a Web portal for a shopping mall. For that matter, any project management career is highly desirable.

Other areas where it would be much preferable to hire locals include:

  • Managing IT security, Web and social media and computer-based creative tasks
  • Working in the creative and media industries – publishing, Web content design, writing and production, mass media communication, and of course good old-fashioned journalism
  • Training and teaching, counselling, human resource development and social work.

2. Next, identify your own skills and inclinations, which would include those outside of your current school studies. Think of all the things you would dearly love to do even if you have no idea how to do them.

3. Do research on those skill sets that you don’t have, but would like to, and find out where you can acquire them. Set out a timeline on how and when you intend to accomplish it.

Note that your timeline is not cast in concrete. It is an evolving plan, and it will have to be amended continually after you’ve graduated and started on your first job.

There are many more tasks and challenges ahead in your career strategy planning. The one key message you must remember is to avoid setting out on a career path where the available jobs are often outsourced to foreign talents who may be asking only a fraction of what you expect.

Remote Desktop Services Listening Ports

Occasionally the need arises to allow access to multiple Remote Desktop Services computers from behind a NAT device.  In a small business context this often means allowing access to a Small Business Server whilst allowing users access to a traditional RDS or TS host.

If you’re working on this problem you may well find a number of references to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp … this does work as a solution; however, it’s not advisable. A better option is usually to alter the port mapping on the NAT device itself. Almost all NAT-capable routers also support port redirection, so start looking here.

The issue is not a technical but an entirely human one. Forcing administrators that follow you (and in almost every case there will be an administrator who will have to follow you at some stage) to hunt through the myriad of registry keys just to discover your port mappings is bad practice. If you keep all of your mappings from outside of the network stored in a single location, such as the NAT table of the router, then they have only to glance down and locate the appropriate setting.

Also consider whether your external access is really necessary. Remember, anything that adds convenience to your life also has the potential to reduce your network’s security, and the last thing you want is a quick jumping off point on to one of your domain controllers.
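With every external mapping kept in the router's NAT table, as the post recommends, that one table can be reviewed for the problems it describes. This Python code is an added example and is not from the original post; the table layout, the addresses, the service labels and the domain-controller list are constructed assumptions.

```python
from collections import namedtuple

RDP_DEFAULT_PORT = 3389  # default Remote Desktop listening port

# Constructed NAT table in an assumed layout:
# external_port  protocol  internal_host  internal_port  service
NAT_TABLE = """\
# ext  proto  internal_host  int_port  service
3389   tcp    192.168.0.20   3389      rdp
3390   tcp    192.168.0.2    3389      rdp
3391   tcp    192.168.0.21   3391      rdp
3390   tcp    192.168.0.22   3389      rdp
443    tcp    192.168.0.2    443       https
"""

# Constructed inventory: hosts that are domain controllers.
DOMAIN_CONTROLLERS = {"192.168.0.2"}

Rule = namedtuple("Rule", "ext_port proto host int_port service")


def parse_nat_table(text):
    """Parse the table above into Rule tuples, ignoring '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ext, proto, host, internal, service = line.split()
        rules.append(Rule(int(ext), proto.lower(), host,
                          int(internal), service.lower()))
    return rules


def audit_rules(rules, domain_controllers):
    """Return (finding, external_port, internal_host) tuples.

    duplicate-external-port  - two rules claim the same external port
    rdp-to-domain-controller - RDP is reachable from outside on a DC
    listener-moved-on-host   - internal RDP port is not the default, so
                               part of the mapping lives in the host's
                               registry instead of the NAT table
    """
    findings, owners = [], {}
    for rule in rules:
        key = (rule.proto, rule.ext_port)
        if key in owners:
            findings.append(("duplicate-external-port", rule.ext_port, rule.host))
        else:
            owners[key] = rule.host
        if rule.service != "rdp":
            continue
        if rule.host in domain_controllers:
            findings.append(("rdp-to-domain-controller", rule.ext_port, rule.host))
        if rule.int_port != RDP_DEFAULT_PORT:
            findings.append(("listener-moved-on-host", rule.ext_port, rule.host))
    return findings


if __name__ == "__main__":
    for finding in audit_rules(parse_nat_table(NAT_TABLE), DOMAIN_CONTROLLERS):
        print(*finding)
```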

Internet Apocalypse and Enterprise Architecture

It is the 21st century and we are a nation dependent on everything internet. We rely on the internet for communications, like email, text messaging, and even voice over IP. We also use the internet for getting news and information, social networking, storing and sharing blogs, videos, music, and photos, accessing various applications, shopping, and conducting financial transactions.

What happens if the internet is attacked or otherwise fails us?

This is the question asked in ComputerWorld, 21 January 2008: “If the internet goes down will you be ready?”

ComputerWorld states: “It’s likely that the internet will soon experience a catastrophic failure, a multiday outage that will cost the U.S. economy billions of dollars. Or maybe it isn’t likely. In any case, companies are not prepared for such a possibility.”

The Business Roundtable says: “The threat is ‘urgent and real.’ There is a 10% to 20% chance of a ‘breakdown of the critical information infrastructure’ in the next 10 years brought on by ‘malicious code, coding error, natural disaster, [or] attacks by terrorists and other adversaries.’”

What will be the effect of a major internet interruption?

An internet meltdown would result in reduced productivity and profits, falling stock prices, erosion of consumer spending, and potentially a liquidity crisis.” It would disrupt our everyday ability to communicate, get and share information, work and conduct transactions. And let’s not forget the effect on the human psyche—there would be chaos.

Why have we not prepared ourselves adequately?

The Business Roundtable says that “business executives often fail to realize how dependent they have become on the public network—for email, collaboration, e-commerce, public-facing and internal Web sites, and information retrieval by employees.”

Where are we most vulnerable?

The Internet Corporation for Assigned Names and Numbers (ICANN) says that “the Internet is pretty robust at the physical layer. There are just too many alternate paths available. But the Internet is not so robust at other layers.” Hence, the risk of operating system failures, penetration by worms, and denial of service attacks.

Is there any reason for optimism?

The CIO of Yuma County, Arizona, reminds us that the Internet “having been based on the Arpanet [from DoD] and designed to keep functioning when pieces are broken, it seems less likely that the entire Internet would stop working.”

What can enterprises do to prepare for the worst?

Of course, all organizations need to fully address security concerns in terms of managerial, operational, and technical controls.

They need the best and brightest security personnel.

Additionally, they need to perform regular risk assessments, vulnerability testing, intrusion detection and prevention, back-up and recovery.

They need to have strict access controls, security awareness training of employees and contractors, and an IT security policy.

Our organizations need a commitment to continuity of operations planning (COOP).

ComputerWorld points out that the financial services sector is out in front in making preparations. Here are some of the architectural preparations that financial companies have undertaken:

  • Dedicated networks—“set up dedicated networks independent of phone companies.”
  • Guaranteed diverse routing—“negotiate more aggressively with communications companies to guarantee diverse routing.”
  • Geographic dispersal—“separate data centers and communications centers more widely geographically.”

In general, enterprises need “diversity and redundancy” of communications.

Most importantly, we need to recognize the risks out there and prepare, prepare, prepare.

How $26 Can Buy You A Billion-Dollar Surveillance System

If $26 software can give our enemies on the ground access to our drone feeds and cyber warfare can inflict indefinite havoc on our critical infrastructure, we need to rethink what technological superiority means and how we keep it.

No defense system is foolproof. That’s why we build redundancy into the system and layer our defenses with “defense in depth,” so that just because the enemy infiltrates one layer, doesn’t mean that our defenses are laid bare.

When in fact, we become aware that our systems have been compromised, it is only responsible for us to re-secure them, bolster them with additional defenses, or take those systems out of commission.

It was shocking to learn this week in multiple reports in the Wall Street Journal that our UAV drones and their surveillance systems that have been so critical in our fight against terror in Iraq and Afghanistan were compromised, and the feeds intercepted by $25.95 software sold over the Internet. These feeds were found on the laptops of the very militants we were fighting against. Reportedly, we knew about this vulnerability ever since the war in Bosnia.

It is incredible to imagine our massive multi-billion dollar defense investments and technological know-how being upended by some commercial-off-the-shelf software bought online for the price of a family dinner at McDonalds. But what makes it even worse is that we knew for nearly two decades that the enemy had compromised our systems, yet we did not fix the problem.

A number of reasons have been circulated about why the necessary encryption was not added to the drones, as follows:

- It would have resulted in an increase in cost to the development and deployment of the systems.

- There would be a detriment to our being able to quickly share surveillance information within the U.S. military and with allies.

- There was immediate battlefield need for the drones because of the immediate concern about roadside bombs and therefore there was apparently no time to address this issue.

Based on the above, one may possibly be able to understand why the Joint Chiefs “largely dismissed” the need to repair the drones’ security flaw. However, it also seems that they were overconfident. For any “Are You Smarter Than A Fifth Grader” contestant can tell you that if the enemy can see and hear what we see and hear, then they can take action to subvert our military and intelligence resources, and the critical element of surprise is gone—the mission is compromised.

Of course as civilians we are not privy to all the information that our leaders have. And one can say that if all you have are compromised drones, then those are what you must use. Nevertheless, officials interviewed by the Journal point to the hubris that influenced the decision in this situation – as the report states:

“The Pentagon assumed that local adversaries [in Iraq and Afghanistan] wouldn’t know how to exploit” the vulnerability. So, the result was that we kept building and deploying the same vulnerable systems, over a long period of time!

This is not the first time that we have both been overconfident in our technological superiority and underestimated competitors and opponents in foreign countries—with disastrous results. There are the human tragedies of Pearl Harbor and 9/11, to name just two. And then there are the economic challenges of global competition, such as in the automobile industry and overseas manufacturing in general.

And if some terrorist cells on the run can so clearly compromise our technical know-how, shouldn’t we be even more concerned about established nations who are well financed and determined to undermine our security? For example, just this week, a group calling itself the “Iranian Cyber Army” hacked and defaced Twitter and we were helpless to prevent it. Also noteworthy is that this same week, it was reported that our defense plans with respect to South Korea, including operational details, were hacked into and stolen by North Korea.

Unfortunately, however, we do not even seem to take threats from other nations as seriously as we should: As the Journal reported, “senior U.S. military officers working for the Joint Chiefs of Staff discussed the danger of Russia and China intercepting and doctoring video from the drone aircraft in 2004, but the Pentagon didn’t begin securing signals until this year.”

I am deeply respectful of our military and the men and women who put their lives on the line for our nation. It is because of that deep respect that I reach out with concern about our overconfidence that we are technologically superior, and about our dismissal and underestimation of the resolve of our enemies.

