<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>

<channel>
	<title>DataSecurityPolicies.com</title>
	<atom:link href="http://www.datasecuritypolicies.com/feed" rel="self" type="application/rss+xml" />
	<link>http://www.datasecuritypolicies.com</link>
	<description></description>
	<pubDate>Fri, 07 Nov 2008 03:21:37 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.2</generator>
	<language>en</language>
			<item>
		<title>IT Outsourcing - A Risk to Business Continuity?</title>
		<link>http://www.datasecuritypolicies.com/it-outsourcing-a-risk-to-business-continuity</link>
		<comments>http://www.datasecuritypolicies.com/it-outsourcing-a-risk-to-business-continuity#comments</comments>
		<pubDate>Fri, 07 Nov 2008 03:21:03 +0000</pubDate>
		<dc:creator>Marc</dc:creator>
		
		<category><![CDATA[Business Continuity Policy]]></category>

		<category><![CDATA[Security Policies]]></category>

		<category><![CDATA[Business Continuity]]></category>

		<category><![CDATA[Data Security Policies]]></category>

		<guid isPermaLink="false">http://www.datasecuritypolicies.com/?p=94</guid>
		<description><![CDATA[By Tom Farrar
On September 15 2008, top US investment bank Lehman Brothers filed for Chapter 11 bankruptcy protection. Founded in 1850, in 2007 Lehman Brothers achieved record net revenues, net income and earnings per common share for the fourth consecutive year. In less than one year Lehman Brothers saw their once record net revenue plunge [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-124" style="border: white 7px solid;" title="business-continuity" src="http://www.datasecuritypolicies.com/wp-content/uploads/2008/11/business-continuity.jpg" alt="" width="320" height="240" />By <a href="http://ezinearticles.com/?expert=Tom_Farrar">Tom Farrar</a></p>
<p>On September 15 2008, top US investment bank Lehman Brothers filed for Chapter 11 bankruptcy protection. Founded in 1850, in 2007 Lehman Brothers achieved record net revenues, net income and earnings per common share for the fourth consecutive year. In less than one year Lehman Brothers saw their once record net revenue plunge to $6 billion in the red. The question isn&#8217;t how a mammoth organisation such as Lehman Brothers finds itself in this position but, in the current climate where seemingly financially stable firms are filing for bankruptcy, who is your business safe with?</p>
<p>Many businesses outsource their IT for various reasons: cost savings, operational expertise and capacity management, to name a few. Outsourcing firms also often offer other services, such as business continuity planning and disaster recovery plans. Replication between multiple data centres, redundant links, work space relocation, ISO 27001 and BS 7799 are all good, but what happens when the company providing that service ceases to trade?<span id="more-94"></span> Suddenly you&#8217;re in a position where it takes weeks to get equipment back, you struggle to get support and the whole affair leads to hundreds of hours&#8217; worth of downtime, and possibly bankruptcy for your own company. The possibilities are endless and the scenarios frightening.</p>
<p>So, how can you safeguard your business? To start with, you need to think about how the company would cope if its provider ceased trading. This means you need to have your own BCP/DR plan, created by your company or a third party, but not by the provider. You also need to ensure that your provider has its own BCP/DR plan, and that it includes any equipment/services it provides you. Remember, nothing is impossible, and the more eventualities you can factor in, the better.</p>
<p>In the current economic climate many companies may see outsourcing as a way to reduce costs; however, it should be remembered that you must never outsource accountability. At the end of the day, the senior managers/directors of a company are where the buck stops, solely accountable to the business, its customers and its employees.</p>
<p>Keeping your critical systems in-house and employing internal IT staff capable of running these systems is one way to ensure business continuity. Helpdesk and minor systems (a system that can be down for a week, or can be easily migrated) can be outsourced, but keep these systems simple so that, if need be, you can move providers quickly and efficiently. Keep your options open and keep an eye on your providers for signs of potential problems. This shouldn&#8217;t fall under the IT Manager&#8217;s remit only, however; senior managers and directors need to take a real interest in providers and, after all, they have the relevant skills to assess the provider&#8217;s stability.</p>
<p>In today&#8217;s gloomy economy anything is possible and the seemingly mighty have fallen, and will continue to fall. A dynamic, reserved approach to outsourcing, whilst maintaining internal ownership of critical systems and overall accountability, internally and externally, is essential. This will enable your business to make savings and ensure business continuity - and survival - in these turbulent times.</p>
<p>Tom Farrar is an experienced IT Engineer with several years&#8217; tier 2 data centre / tier 2 carrier experience and a wide knowledge of products/solutions; Tom is practised in DNS zone management, enterprise anti-spam techniques, packet shaping and penetration testing. Tom is a technical member of the Institute of Engineering and Technology and a Red Hat Certified Engineer.</p>
<p>Article Source: <a href="http://ezinearticles.com/?expert=Tom_Farrar">http://EzineArticles.com/?expert=Tom_Farrar</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.datasecuritypolicies.com/it-outsourcing-a-risk-to-business-continuity/feed</wfw:commentRss>
		</item>
		<item>
		<title>Check Security Performance to Avoid Data Breach</title>
		<link>http://www.datasecuritypolicies.com/check-security-performance-to-avoid-data-breach</link>
		<comments>http://www.datasecuritypolicies.com/check-security-performance-to-avoid-data-breach#comments</comments>
		<pubDate>Thu, 30 Oct 2008 04:03:57 +0000</pubDate>
		<dc:creator>Marc</dc:creator>
		
		<category><![CDATA[Security Policies]]></category>

		<category><![CDATA[Data Breach]]></category>

		<category><![CDATA[Data Security]]></category>

		<category><![CDATA[Security Breach]]></category>

		<guid isPermaLink="false">http://www.datasecuritypolicies.com/?p=99</guid>
		<description><![CDATA[By Sam Miller 
With the advent of personal computers and the Internet, valuable information has never been more at risk. Hackers and other people who try to infiltrate a computer system, or who obtain information manually through &#8220;spies&#8221;, are elements you may want to watch out for when securing your data. There is enough [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-122" style="border: white 7px solid;" title="security-breaches" src="http://www.datasecuritypolicies.com/wp-content/uploads/2008/10/security-breaches.jpg" alt="" width="296" height="222" />By <a href="http://ezinearticles.com/?expert=Sam_Miller">Sam Miller</a> </p>
<p>With the advent of personal computers and the Internet, valuable information has never been more at risk. Hackers and other people who try to infiltrate a computer system, or who obtain information manually through &#8220;spies&#8221;, are elements you may want to watch out for when securing your data. There is enough reason for you to check security performance with the necessary procedures to ensure the safety of your confidential data.</p>
<p>Why do data breaches happen? There are five main reasons why they happen in companies. Data breaches happen because of (1) some significant error that occurred in the system, (2) hacking and intrusions, (3) the introduction of malicious code, (4) the exploitation of vulnerabilities, and (5) <span id="more-99"></span>physical threats. Given the fact that these attacks are out there, it is a wise decision for organizations to focus on ensuring security by gaining control over the entire organization and setting some security policies. If you are running a large company and you have to secure confidential data - some of which might be financial information or strategic plans - then you should secure it as well as you possibly can.</p>
<p>However, in today&#8217;s modern society, it is a tough job and a real challenge to protect information and keep track of it. The basic principle is very simple: if you do not know where to find the data you want to keep track of, then it will be difficult for you to protect or hide it. To reduce the likelihood of compromising data, these confidential items must be located, catalogued, tracked, and assessed in order to reduce the risk of information passing in and out of the information filters.</p>
<p>Having strict and high security performance does not always assure you of being free from those external and internal elements that could compromise your data. Errors also happen, such as technical errors, user errors, misconfiguration, and accidental disclosure of information. The security attack that most people are really scared about pertains to hackers. In the cyber underworld, there are hackers who are notorious not only because they steal from you, but because they also destroy your system afterwards; others take only what they need and go about their merry criminal way. Either way, they then use the things they gather for their personal goals and gains. According to some studies, these hackers commonly attack applications, available software, and services. Next to these are the attacks on operating systems, server levels, and platforms. The studies also find traces of backdoor entry and prolonged access on systems, with hackers scooping out large amounts of information.</p>
<p>Knowing the things that would compromise your business&#8217; security, you must take the next logical step. Design security measures within the organization, or even outside it, and check security performance every now and then. Relying plainly on the automated and installed anti-spy and anti-hacker applications is not enough to keep your security metrics up to date. Forums and discussions are good places to find strategies that have worked best for other companies or other people.</p>
<p>If you are interested in <a href="http://www.aks-labs.com/blog/" target="_new">Check Security Performance</a>, check this website to learn more about the check security scorecard.</p>
<div>
<p>Article Source: <a href="http://ezinearticles.com/?expert=Sam_Miller">http://EzineArticles.com/?expert=Sam_Miller</a></p></div>
]]></content:encoded>
			<wfw:commentRss>http://www.datasecuritypolicies.com/check-security-performance-to-avoid-data-breach/feed</wfw:commentRss>
		</item>
		<item>
		<title>6 Tips For Improving Wireless Network Security</title>
		<link>http://www.datasecuritypolicies.com/6-tips-for-improving-wireless-network-security</link>
		<comments>http://www.datasecuritypolicies.com/6-tips-for-improving-wireless-network-security#comments</comments>
		<pubDate>Sun, 26 Oct 2008 02:03:59 +0000</pubDate>
		<dc:creator>Marc</dc:creator>
		
		<category><![CDATA[Security Standards]]></category>

		<category><![CDATA[Wireless Security Standard]]></category>

		<category><![CDATA[WEP Security]]></category>

		<category><![CDATA[Wireless Security]]></category>

		<guid isPermaLink="false">http://www.datasecuritypolicies.com/?p=103</guid>
		<description><![CDATA[By Andrew Winthorp 
With many individuals and businesses connecting to the internet using wireless devices, and the reported cases of security breach and identity theft, having an awareness of wireless security measures to improve system security is a must. Many wireless users simply do not know that they are open and exposed to system penetration and [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-120" style="border: white 7px solid;" title="wep" src="http://www.datasecuritypolicies.com/wp-content/uploads/2008/10/wep.jpg" alt="" width="336" height="223" />By <a href="http://ezinearticles.com/?expert=Andrew_Winthorp">Andrew Winthorp</a> </p>
<p>With many individuals and businesses connecting to the internet using wireless devices, and the reported cases of security breach and identity theft, having an awareness of wireless security measures to improve system security is a must. Many wireless users simply do not know that they are open and exposed to system penetration and bandwidth theft. Here are several suggestions to prevent your system from becoming an open wireless hotspot.</p>
<p>(i) Change the password on your router. All routers come with preset credentials and service identifiers, and attackers are familiar with these defaults. You should change the password to something<span id="more-103"></span> that is difficult to guess. Do not change the password to something as simple as myrouter, which is easy to guess. You can rotate passwords frequently as an extra precaution.</p>
<p>(ii) Enable encryption. You should follow the encryption procedures provided by your routing device. WEP and WPA2 are the two encryption measures on offer, with WPA2 the preferred and most up-to-date option; WEP has well-known weaknesses and should only be used where WPA2 is unavailable. This technology encrypts traffic and scrambles it so that unauthorized third parties can&#8217;t make use of it, throwing a spanner in the works for packet sniffers looking to procure sensitive details.</p>
<p>(iii) Keep a close check on remote access points. For companies that run web interfaces or remote system access points, security protocols should be established. Password access should be changed frequently.</p>
<p>(iv) Avoid using unsecured wireless hotspots in public locations. Malicious third parties frequently set up traps designed to route your traffic through systems that screen it, with the intention of capturing sensitive details.</p>
<p>(v) Always scrub all hardware that is sold or disposed of. This eliminates the chance that a third party can discover sensitive data or passwords that can be used for identity theft, financial crime or to gain access to corporate systems.</p>
<p>(vi) Use wireless security software. Whether you&#8217;re an individual or a corporation, this software has many benefits. A program such as McAfee Wireless Home Network Security uses automatic security key rotation every three hours for encryption purposes. The software also secures your router and provides event logging and alert monitoring to scrutinize terminals attempting to gain access. Institutions should consider more advanced software such as ManageEngine WiFi Manager.</p>
<p>Taking the time to plan and implement security measures prior to wireless use is the best way to protect yourself. A little extra time during setup is time well spent.</p>
<p>Andrew Winthorp owns and operates <a href="http://www.wireless-network-tutorials.com/" target="_new">http://www.wireless-network-tutorials.com</a> <a href="http://www.wireless-network-tutorials.com/" target="_new">Wireless Network Tutorials</a> - Learn more about key aspects of wireless setup and security.</p>
<p>Article Source: <a href="http://ezinearticles.com/?expert=Andrew_Winthorp">http://EzineArticles.com/?expert=Andrew_Winthorp</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.datasecuritypolicies.com/6-tips-for-improving-wireless-network-security/feed</wfw:commentRss>
		</item>
		<item>
		<title>Disaster Recovery - An Expensive Luxury?</title>
		<link>http://www.datasecuritypolicies.com/disaster-recovery-an-expensive-luxury</link>
		<comments>http://www.datasecuritypolicies.com/disaster-recovery-an-expensive-luxury#comments</comments>
		<pubDate>Wed, 22 Oct 2008 03:07:25 +0000</pubDate>
		<dc:creator>Marc</dc:creator>
		
		<category><![CDATA[Disaster Recovery Policy]]></category>

		<category><![CDATA[Security Policies]]></category>

		<category><![CDATA[Corporate Security Policy]]></category>

		<category><![CDATA[Data Security Policies]]></category>

		<guid isPermaLink="false">http://www.datasecuritypolicies.com/?p=97</guid>
		<description><![CDATA[By Andy Peter Roberts
Few companies would argue about the value of a comprehensive Disaster Recovery plan that covers all areas of the business and holds the key to successfully resuming day to day business activity should the worst happen.
Most businesses would be pretty unlucky to suffer from major downtime due to things like fire, flood [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-medium wp-image-118" style="border: white 7px solid;" title="disaster-recovery" src="http://www.datasecuritypolicies.com/wp-content/uploads/2008/10/disaster-recovery-300x265.jpg" alt="" width="270" height="239" />By <a href="http://ezinearticles.com/?expert=Andy_Peter_Roberts">Andy Peter Roberts</a></p>
<p>Few companies would argue about the value of a comprehensive Disaster Recovery plan that covers all areas of the business and holds the key to successfully resuming day to day business activity should the worst happen.</p>
<p>Most businesses would be pretty unlucky to suffer major downtime due to things like fire, flood or theft. Terrorism generates a huge number of column inches and the effects of something like 9/11 are truly devastating; however, even in the current climate these occurrences are thankfully few and far between.</p>
<p>What is more likely to happen is an email server failure, a corrupt database or the network being compromised by a virus. Guarding against this type of outage should be<span id="more-97"></span> the bare minimum a company caters for; even though most of us could cope for a few hours without email, for some businesses this would lead to a huge loss in revenue.</p>
<p>If a server failed completely, most IT Departments wouldn&#8217;t promise delivery of the service back up and running normally in anything less than a day, because this would mean relying on tape backups to rebuild the data held by the server. Commonly accepted logic is that tape isn&#8217;t all that reliable (a side issue is that most companies don&#8217;t perform regular tape restores, so don&#8217;t know how good the data on the tape is - even if they can get it back).</p>
<p>If a company can &#8216;get by&#8217; for a couple of days without the server in place then this tells us how critical this particular server or application is to the business. For these servers, using tape probably isn&#8217;t too much of a problem, but for other, more mission-critical applications, hanging around while the hardware is rebuilt is unlikely to have the FD jumping with joy.</p>
<p>For critical applications think about some &#8216;on-site&#8217; data replication. What this means in simple terms is that the data on Server A is replicated in real time to Server B. Should Server A fail, it&#8217;s a simple matter to fail over to Server B, normally within a couple of minutes. Because the data has been replicated up to the point of failure, the users won&#8217;t lose lots of data and the system will be up and running much quicker.</p>
<p>Of course, this provides local high availability which, although it gives protection against server failure, doesn&#8217;t provide any real Disaster Recovery: if the office burns to the ground, the data will be lost. However, having invested in this local high availability solution, it&#8217;s a relatively simple process to replicate the data off-site as well and deliver a true local and remote high availability and Disaster Recovery solution.</p>
<p>Disaster Recovery can be seen as an expensive luxury, but it really depends on how you view it and, more importantly, how you implement it. In the current economic climate you can probably think of lots of other things to spend your limited budget on; however, can you really afford for your main business systems to be off line? The good news is that once you identify the key processes that make up your business and the IT platforms that support them, you have your starting point, and like all things, it doesn&#8217;t have to cost the earth.</p>
<p>One last thought for those who see Disaster Recovery a bit like insurance: do any of you regard house insurance as unnecessary?</p>
<p>Andy Roberts (andy.roberts@networkutilities.co.uk) is an IT Consultant and Practitioner with over 10 years&#8217; experience helping clients with Disaster Recovery and Data Replication.</p>
<p>Read the original article in context at <a href="http://www.networkutilities.co.uk/double-take-software/articles" target="_new">http://www.networkutilities.co.uk/double-take-software/articles</a></p>
<p>Article Source: <a id="link_79" href="http://ezinearticles.com/?expert=Andy_Peter_Roberts">http://EzineArticles.com/?expert=Andy_Peter_Roberts</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.datasecuritypolicies.com/disaster-recovery-an-expensive-luxury/feed</wfw:commentRss>
		</item>
		<item>
		<title>SANS Security Policies</title>
		<link>http://www.datasecuritypolicies.com/sans-security-policies</link>
		<comments>http://www.datasecuritypolicies.com/sans-security-policies#comments</comments>
		<pubDate>Mon, 20 Oct 2008 01:38:53 +0000</pubDate>
		<dc:creator>Marc</dc:creator>
		
		<category><![CDATA[Security Policies]]></category>

		<guid isPermaLink="false">http://www.datasecuritypolicies.com/?p=109</guid>
		<description><![CDATA[The SANS Security Policy Project has a great collection of free security policies, security awareness posters and other great resources.
Security policies and posters you can download include:

Clean Desk Policy
Mobile Device Encryption Policy
Workstation Security Policy
Software Installation Policy
Server Malware Protection Policy

Plus there are lots more policies you can download.
Check it out!
]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-medium wp-image-110" style="border: white 7px solid;" title="sans-security-policies" src="http://www.datasecuritypolicies.com/wp-content/uploads/2008/10/sans-security-policies-195x300.jpg" alt="" width="195" height="300" />The <a href="http://www.sans.org/resources/policies/" target="_blank">SANS Security Policy Project</a> has a great collection of free security policies, security awareness posters and other great resources.</p>
<p>Security policies and posters you can download include:</p>
<ul>
<li>Clean Desk Policy</li>
<li>Mobile Device Encryption Policy</li>
<li>Workstation Security Policy</li>
<li>Software Installation Policy</li>
<li>Server Malware Protection Policy</li>
</ul>
<p>Plus there are lots more policies you can download.</p>
<p>Check it out!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.datasecuritypolicies.com/sans-security-policies/feed</wfw:commentRss>
		</item>
		<item>
		<title>Hardening Your Web Application Against SQL Injections</title>
		<link>http://www.datasecuritypolicies.com/hardening-your-web-application-against-sql-injections</link>
		<comments>http://www.datasecuritypolicies.com/hardening-your-web-application-against-sql-injections#comments</comments>
		<pubDate>Thu, 16 Oct 2008 04:56:31 +0000</pubDate>
		<dc:creator>Marc</dc:creator>
		
		<category><![CDATA[Security Policies]]></category>

		<category><![CDATA[Security Standards]]></category>

		<category><![CDATA[Vulnerability Management Policy]]></category>

		<category><![CDATA[Application Hardening]]></category>

		<category><![CDATA[Server Hardening]]></category>

		<category><![CDATA[SQL Injection]]></category>

		<category><![CDATA[Web Application]]></category>

		<guid isPermaLink="false">http://www.datasecuritypolicies.com/?p=101</guid>
		<description><![CDATA[By Raheel Ahmad
WARNING:
The information provided is for educational purposes only and is not to be used maliciously.
Before digging into what SQL Injection actually is, let me explain what SQL itself is.
What is SQL?
Structured Query Language (SQL) is a specialized programming language for sending queries to databases. Most small and industrial-strength database applications [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-full wp-image-105" style="border: white 7px solid;" title="sql-injection" src="http://www.datasecuritypolicies.com/wp-content/uploads/2008/10/sql-injection.jpg" alt="" width="275" height="133" />By <a href="http://ezinearticles.com/?expert=Raheel_Ahmad">Raheel Ahmad</a></p>
<p><strong>WARNING:</strong></p>
<p>The information provided is for educational purposes only and is not to be used maliciously.</p>
<p>Before digging into what SQL Injection actually is, let me explain what SQL itself is.</p>
<p><strong>What is SQL?</strong></p>
<p>Structured Query Language (SQL) is a specialized programming language for sending queries to databases. Most small and industrial-strength database applications can be accessed using SQL statements. SQL is both an ANSI and an ISO standard. However, many database products supporting SQL do so with proprietary extensions to the standard language. Web applications may use user-supplied input to create custom SQL statements for dynamic web page requests.</p>
<p><strong>What is SQL Injection?</strong></p>
<p>SQL injection is a technique that exploits a <span id="more-101"></span>security vulnerability occurring in the database layer of a web application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.</p>
<p>&#8220;SQL Injection&#8221; is a subset of the unverified/unsanitized user input vulnerability (&#8220;buffer overflows&#8221; are a different subset), and the idea is to convince the application to run SQL code that was not intended. If the application is creating SQL strings naively on the fly and then running them, it&#8217;s straightforward to create some real surprises.</p>
<p>Many organizations&#8217; web servers have been compromised because of SQL injection, including big names which I would not like to mention here; you can find them easily on the Internet.</p>
<p><strong>What is Blind SQL Injection?</strong></p>
<p>This particular type of attack is called a blind SQL injection attack, because the attacker cannot take advantage of detailed error messages from the server or other sources of information about the application. Getting the SQL syntax right is usually the trickiest part of the blind SQL injection process and may require a lot of trial and error. But, by adding more conditions to the SQL statement and evaluating the Web application&#8217;s output, an attacker will eventually determine whether the application is vulnerable to SQL injection.</p>
<p>Blind SQL injection is a special case that plays on the web developer&#8217;s or website owner&#8217;s sense of security. While they may think that everything on the server is tightly guarded, a blind SQL injection attack will silently be playing truth or consequences with the web server. This type of attack, though very time consuming, is one that provides the most potentially damaging security hole. This is because an attacker gets not only access but also an enormous amount of knowledge about the database, and can potentially gain access to the server&#8217;s file system. This type of attack is one that is automated and requires a good amount of setup to succeed, but once it is done it does not require a great deal of effort to repeat.</p>
<p><strong>What is Error message SQL Injection?</strong></p>
<p>Web applications commonly use SQL queries with client-supplied input in the WHERE clause to retrieve data from a database. When a web application executes such queries without validating or scanning the user-supplied data to ensure it&#8217;s not harmful, a SQL injection attack can occur. By sending unexpected data, an attacker can generate and submit SQL queries to a web application&#8217;s database. A test for SQL injection vulnerabilities takes place by sending the application data that generates an invalid SQL query. If the server returns an error message, that information can be used to try to gain uncontrolled access to the database. This is the basis of one of the most popular SQL injection attacks.</p>
<p>Hiding error messages does not stop the SQL injection attack. What typically happens is the attacker will use the knowledge gained from the failure of this attack to change tactics. What they turn to is blind SQL injection.</p>
<p><strong>Why SQL Injection?</strong></p>
<p>When a web application fails to properly sanitize user-supplied input, it is possible for an attacker to alter the construction of backend SQL statements. When an attacker is able to modify a SQL statement, the process will run with the same permissions as the component that executed the command (e.g. database server, web application server, web server, etc.). The impact of this attack can allow attackers to gain total control of the database or even execute commands on the system.</p>
<p>When a machine has only port 80 open, your most trusted vulnerability scanner cannot return anything useful, and you know that the admin always patches his server; this is the point where a malicious hacker would turn to web hacking. SQL injection is one type of web hacking that requires nothing but port 80, and it might just work even if the admin is patch-happy. It attacks the web application (ASP, JSP, PHP, CGI, etc.) itself rather than the web server or services running in the OS.</p>
<p><strong>Types of SQL Injections:</strong></p>
<p>There are four main categories of SQL Injection attacks against the database layer of a web application:</p>
<p>1. SQL Manipulation: SQL manipulation is the process of modifying SQL statements using operations such as UNION. Another way of implementing SQL Injection using the SQL Manipulation method is by changing the WHERE clause of the SQL statement to get different results.</p>
<p>2. Code Injection: Code injection is the process of inserting new SQL statements or database commands into the vulnerable SQL statement. One code injection attack is to append a SQL Server EXECUTE command to the vulnerable SQL statement. This type of attack is only possible when multiple SQL statements per database request are supported.</p>
<p>3. Function Call Injection: Function call injection is the process of inserting various database function calls into a vulnerable SQL statement. These function calls could make operating system calls or manipulate data in the database.</p>
<p>4. Buffer Overflows: Buffer overflows are caused by using function call injection. For most commercial and open source databases, patches are available; this type of attack is possible when the server is unpatched.</p>
<p><strong>SQL Injection Prevention Techniques:</strong></p>
<p>Mitigating an SQL injection vulnerability means taking one of two paths: either using stored procedures along with callable statements, or using prepared statements with dynamic SQL commands. Whichever way is adopted, data validation is a must.</p>
<p>a. Input validation</p>
<p>Data sanitization is key. The best way to sanitize data is to use a default-deny approach with regular expressions: write specific filters. As far as possible, allow only numbers and letters. If there is a need to include punctuation marks of any kind, convert them by HTML encoding them, so that " becomes &amp;quot; and &gt; becomes &amp;gt;. For instance, if the user is submitting an e-mail address, allow only @, -, . and _ in addition to numbers and letters, and only after they have been converted to their HTML substitutes.</p>
<p>b. Use of prepared statement</p>
<p>Prepared statements should be used when stored procedures cannot be used for whatever reason and dynamic SQL commands have to be used.</p>
<p>Use a prepared statement to send precompiled SQL statements with one or more parameters. Parameter placeholders in a prepared statement are represented by ? and are called bind variables. Prepared statements are generally immune to SQL injection attacks because the database uses the value of the bind variable exclusively as data and does not interpret its contents in any way. PL/SQL and JDBC both support prepared statements. Prepared statements should be used extensively, for both security and performance reasons.</p>
<p>c. Use minimum privileges</p>
<p>Make sure that the application user has only the bare minimum rights on the database server. If the application connects to the database as ROOT/SA/dbadmin/dbo, reconsider whether the application user really needs such high privileges or whether they can be reduced. Do not give the application user permission to access system stored procedures; allow access only to the ones that are user created.</p>
<p>d. Stored procedures</p>
<p>To secure an application against SQL injection, developers must never allow client-supplied data to modify the syntax of SQL statements. In fact, the best protection is to isolate the web application from SQL altogether. All SQL statements required by the application should be in stored procedures kept on the database server, and the application should execute the stored procedures through a safe interface such as the CallableStatement interface of JDBC or the Command object of ADO.</p>
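<p>As an added example that is not part of the article, the following Python script puts points (a) and (b) side by side against an in-memory SQLite database: a query built by string concatenation, the same query using a bind variable, and the default-deny allow-list filter from the e-mail example. The table, its rows and the crafted input are constructed for the demonstration.</p>

```python
"""Added example (not from the article): the article's points (a) input
validation and (b) prepared statements, shown against an in-memory SQLite
database.  Table, rows and inputs below are constructed for the demo."""
import re
import sqlite3

# (a) Default-deny filter for the article's e-mail example: only letters,
# digits, '@', '-', '.' and '_' are accepted; anything else is rejected.
EMAIL_ALLOWED = re.compile(r"^[A-Za-z0-9@._-]+$")


def is_valid_email_input(value: str) -> bool:
    """Return True only if every character of value is on the allow list."""
    return bool(value) and EMAIL_ALLOWED.match(value) is not None


def make_db() -> sqlite3.Connection:
    """Constructed sample table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT, salary INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", 50000), ("bob@example.com", 60000)],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, email: str) -> list:
    """String concatenation: the input becomes part of the SQL syntax, so a
    value containing a quote can rewrite the WHERE clause (SQL manipulation)."""
    sql = "SELECT email, salary FROM users WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_prepared(conn: sqlite3.Connection, email: str) -> list:
    """Bind variable ('?'): the driver hands the value to the engine as data,
    so its contents are never parsed as SQL, whatever characters it holds."""
    return conn.execute(
        "SELECT email, salary FROM users WHERE email = ?", (email,)
    ).fetchall()


def lookup_validated_and_prepared(conn: sqlite3.Connection, email: str) -> list:
    """Both layers, as the article recommends: reject input that fails the
    allow list first, then bind the accepted value."""
    if not is_valid_email_input(email):
        raise ValueError("input rejected by allow-list filter")
    return lookup_prepared(conn, email)


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input that alters the WHERE clause
    print(lookup_unsafe(db, crafted))        # every row: the clause was rewritten
    print(lookup_prepared(db, crafted))      # [] : the value matched no e-mail
    print(is_valid_email_input(crafted))     # False: quote and spaces rejected
    print(lookup_validated_and_prepared(db, "alice@example.com"))
```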
<p>And many more &#8230;.</p>
<p>Article by Raheel Ahmad, CISSP</p>
<p>Article Source: <a href="http://ezinearticles.com/?expert=Raheel_Ahmad">http://EzineArticles.com/?expert=Raheel_Ahmad</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.datasecuritypolicies.com/hardening-your-web-application-against-sql-injections/feed</wfw:commentRss>
		</item>
		<item>
		<title>Data Centre Reliability Checklist</title>
		<link>http://www.datasecuritypolicies.com/data-centre-reliability-checklist</link>
		<comments>http://www.datasecuritypolicies.com/data-centre-reliability-checklist#comments</comments>
		<pubDate>Wed, 15 Oct 2008 06:06:07 +0000</pubDate>
		<dc:creator>Marc</dc:creator>
		
		<category><![CDATA[Business Continuity Policy]]></category>

		<category><![CDATA[Disaster Recovery Policy]]></category>

		<category><![CDATA[Security Policies]]></category>

		<category><![CDATA[Business Continuity Security Policy]]></category>

		<category><![CDATA[Data Center]]></category>

		<category><![CDATA[Security Policy]]></category>

		<guid isPermaLink="false">http://www.datasecuritypolicies.com/?p=84</guid>
		<description><![CDATA[By Amy Nutt
Planning, creating, and building a data centre can be one of the most expensive tasks an IT director can face. In order to maximize cost effectiveness and achieve optimum performance, reliability is key.
Data centre size can range from one room in an office to an entire building, but there are some basic requirements [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-medium wp-image-85" style="border: white 7px solid;" title="data-center" src="http://www.datasecuritypolicies.com/wp-content/uploads/2008/10/data-center-tour-300x250.jpg" alt="" width="300" height="250" />By <a id="link_46" href="http://ezinearticles.com/?expert=Amy_Nutt">Amy Nutt</a></p>
<p>Planning, creating, and building a data centre can be one of the most expensive tasks an IT director can face. In order to maximize cost effectiveness and achieve optimum performance, reliability is key.</p>
<p>Data centre size can range from one room in an office to an entire building, but there are some basic requirements which must be implemented to ensure system reliability. When designing a data centre, efficient planning is very important. A number of areas must be addressed to ensure a dependable and efficient system which is capable of continued operation.</p>
<p><strong>Understand the potential causes of failure</strong></p>
<p>There are a number of areas cited as the most common causes of data centre failure:<span id="more-84"></span></p>
<p>• Environmental problems<br />
• Software failure - for example, memory leaks<br />
• Hardware failure - such as storage or processing problems<br />
• Operator or procedural error<br />
• Poor network reliability<br />
• Security breaches - for example hacker attack</p>
<p><strong>Environmental considerations</strong></p>
<p>When planning a data centre, there are a number of physical and architectural design features which must be implemented to ensure reliability:</p>
<p>• Adequate air supply: temperature must be maintained between 20 and 25 °C and humidity between 40 and 60%. Too much humidity can cause water to condense on internal components, while air that is too dry can cause static electricity to discharge. Malfunction is likely if the above ranges are not maintained; this is one of the prime causes of data centre malfunction. Adequate air conditioning and an architectural design that allows air circulation between units are vital. Particular care needs to be taken to prevent &#8220;hotspots&#8221; from occurring.</p>
<p>• Safeguard against power loss: external environmental factors such as a hurricane or snowstorm can cause power blackouts. It is vital to have a generator to ensure continued function, as well as an uninterruptible power supply (UPS) for emergency power. These should be of sufficient size to power the cooling systems as well.</p>
<p>• Fire protection systems: the simplest form of fire protection is smoke detectors, for early detection of a fire. It is also vital to ensure fire containment to prevent the spread of a fire to the entire data centre, for example with contained sprinkler systems or gaseous fire suppression.</p>
<p><strong>Software, hardware or network failure</strong></p>
<p>Tested and quality assured hardware and software from reputable brands can help increase reliability. Common malfunction in one component, such as an internal fan or storage disc, can quickly lead to failure in another. Ensuring network performance and reliability can also have a huge impact on the performance of the data system.</p>
<p><strong>Operational procedures</strong></p>
<p>It is impossible to completely rule out human error and operational issues. However, devising an operations procedure to not only maximize performance but also track reliability and malfunction is key. Conduct regular back-ups on each production server to ensure quick file repair in the event of damage. Provide adequate operator training to implement protocol and avoid the most basic of errors such as leaving discs in drives, which would prevent an auto-reboot in the event of system failure.</p>
<p><strong>Data security</strong></p>
<p>Ensuring adequate physical security is particularly important in large data centres holding sensitive information. Corporations may consider outsourcing their <a id="link_76" href="http://www.fusepoint.com/english/html/data_centre_information.html" target="_new">data centre</a> to an off-site location with 24 hour security guards and video surveillance. System security also requires keeping up to date with the latest security and anti-virus software.</p>
<p><strong>Avoid single point of failure</strong></p>
<p>One final key consideration is to avoid having a single point of failure. Test the system before it goes operational and ensure that if one component fails there is sufficient backup to ensure the data centre can still function. Back-up will make sure that your important data is never lost.</p>
<p>Our company is <a id="link_77" href="http://www.fusepoint.com/english/html/compliance.html" target="_new">SAS 70</a> certified, the highest standard for measuring and improving data centre operations and management, providing clients with solutions for business continuity services, managed hosting, managed security and disaster recovery for organizational security.</p>
<p>Article Source: <a id="link_78" href="http://ezinearticles.com/?expert=Amy_Nutt">http://EzineArticles.com/?expert=Amy_Nutt</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.datasecuritypolicies.com/data-centre-reliability-checklist/feed</wfw:commentRss>
		</item>
		<item>
		<title>World Bank Data Breach</title>
		<link>http://www.datasecuritypolicies.com/world-bank-data-breach</link>
		<comments>http://www.datasecuritypolicies.com/world-bank-data-breach#comments</comments>
		<pubDate>Sun, 12 Oct 2008 16:39:19 +0000</pubDate>
		<dc:creator>Marc</dc:creator>
		
		<category><![CDATA[Corporate Security Policy]]></category>

		<category><![CDATA[Data Security Policy]]></category>

		<category><![CDATA[Incident Response Policy]]></category>

		<category><![CDATA[Network Security Policy]]></category>

		<category><![CDATA[Security Policies]]></category>

		<category><![CDATA[Vulnerability Management Policy]]></category>

		<category><![CDATA[Information Security Policy]]></category>

		<category><![CDATA[Security Breach]]></category>

		<category><![CDATA[World Bank Data Breach]]></category>

		<guid isPermaLink="false">http://www.datasecuritypolicies.com/?p=81</guid>
		<description><![CDATA[
In breaking news directly related to data security policies, FoxNews is reporting that the World Bank has suffered possibly &#8220;the worst security breach ever at a global financial institution&#8221;:
 The World Bank Group&#8217;s computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by [...]]]></description>
			<content:encoded><![CDATA[<div id="attachment_82" class="wp-caption alignleft" style="width: 310px"><img class="size-medium wp-image-82" title="world-bank-data-breach" src="http://www.datasecuritypolicies.com/wp-content/uploads/2008/10/world-bank-data-breach-300x247.jpg" alt="Photo credit: KAREN BLEIER/AFP/Getty Images" width="300" height="247" /><p class="wp-caption-text">Photo credit: KAREN BLEIER/AFP/Getty Images</p></div>
<p>In breaking news directly related to data security policies, <a href="http://www.foxnews.com/story/0,2933,435681,00.html" target="_blank">FoxNews is reporting</a> that the World Bank has suffered possibly &#8220;the worst security breach ever at a global financial institution&#8221;:</p>
<blockquote><p> The World Bank Group&#8217;s computer network — one of the largest repositories of sensitive data about the economies of every nation — has been raided repeatedly by outsiders for more than a year, FOX News has learned.</p>
<p>It is still not known how much information was stolen. But sources inside the bank confirm that servers in the institution&#8217;s highly-restricted treasury unit were deeply penetrated with spy software last April. Invaders also had full access to the rest of the bank&#8217;s network for nearly a month in June and July.</p>
<p>In total, at least six major intrusions — two of them using the same group of IP addresses originating from China — have been detected at the World Bank since the summer of 2007, with the most recent breach occurring just last month.</p>
<p>While it remains unclear how much data has been pilfered from the bank, it&#8217;s a lot. According to internal memos, &#8220;a minimum of 18 servers have been compromised,&#8221; including some of the bank&#8217;s most sensitive systems — ranging from the bank&#8217;s security and password server to a Human Resources server &#8220;that contains scanned images of staff documents.&#8221;</p>
<p>One World Bank director tells FOX News that as many as 40 servers have been penetrated, including one that held contract-procurement data.</p>
<p>Despite the gravity of the break-ins, the bank is trying hard to pretend to outsiders it didn&#8217;t happen. &#8220;There were attempts to hack the bank&#8217;s computer systems last summer,&#8221; says a World Bank spokesman. &#8220;However, there was no compromise of confidential information.&#8221;</p></blockquote>
<p>So if this actually happened, which data security policies could have helped prevent &#8220;the worst security breach ever at a global financial institution&#8221;?</p>
<ul>
<li>Corporate Security Policy</li>
<li>Incident Response Policy</li>
<li>Network Security Policy</li>
<li>Vulnerability Management Policy</li>
</ul>
<p>Others?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.datasecuritypolicies.com/world-bank-data-breach/feed</wfw:commentRss>
		</item>
		<item>
		<title>Deloitte Laptop Stolen</title>
		<link>http://www.datasecuritypolicies.com/deloitte-laptop-stolen</link>
		<comments>http://www.datasecuritypolicies.com/deloitte-laptop-stolen#comments</comments>
		<pubDate>Fri, 10 Oct 2008 18:48:10 +0000</pubDate>
		<dc:creator>Marc</dc:creator>
		
		<category><![CDATA[Data Security Policy]]></category>

		<category><![CDATA[Security Policies]]></category>

		<category><![CDATA[Security Standards]]></category>

		<category><![CDATA[Deloitte Stolen Laptop]]></category>

		<category><![CDATA[Laptop Encryption]]></category>

		<category><![CDATA[Laptop Encryption Policy]]></category>

		<guid isPermaLink="false">http://www.datasecuritypolicies.com/?p=76</guid>
		<description><![CDATA[In a breaking news story directly related to data security policies, it sounds like Deloitte had another laptop stolen yesterday, 9 Oct 2008.
Here&#8217;s an excerpt from the UK Computing article here:
A laptop owned by consultancy Deloitte which held information about staff under BSkyB’s pension plan has been stolen, Computing can reveal.
The computer was taken from [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignleft size-medium wp-image-77" style="border: white 7px solid;" title="deloitte-laptop-stolen" src="http://www.datasecuritypolicies.com/wp-content/uploads/2008/10/deloitte-laptop-stolen-300x224.jpg" alt="" width="300" height="224" />In a breaking news story directly related to data security policies, it sounds like Deloitte had another laptop stolen yesterday, 9 Oct 2008.</p>
<p>Here&#8217;s an excerpt from the UK Computing article <a href="http://www.computing.co.uk/computing/news/2227846/bskyb-employee-stolen" target="_blank">here</a>:</p>
<blockquote><p>A laptop owned by consultancy Deloitte which held information about staff under BSkyB’s pension plan has been stolen, <em>Computing</em> can reveal.</p>
<p>The computer was taken from a Deloitte employee in September at a public place and contained names, dates of birth and salary figures to be used for audit work on the broadcaster’s pension scheme.</p>
<p>BSkyB said the data did not include bank or address details and claimed it is highly unlikely that the information will be mishandled due to the laptop’s reliable data security set-up.</p>
<p>“The laptop was protected by a number of security measures, including passwords, user IDs and encryption of the majority of the information, so we are confident that the risk of data access or misuse is low,” said a BSkyB spokeswoman.</p></blockquote>
<p>The fact that the spokeswoman says they used encryption on &#8220;the majority of the information&#8221; signals to me that they weren&#8217;t using whole disk encryption which is a common practice on laptops these days.</p>
<p>I&#8217;m sure if they were using full disk encryption they would have been 100% confident that the data was protected and they wouldn&#8217;t have had to notify the media about the loss.</p>
<p>What do you think?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.datasecuritypolicies.com/deloitte-laptop-stolen/feed</wfw:commentRss>
		</item>
		<item>
		<title>Data Security Policy For ECommerce Merchants</title>
		<link>http://www.datasecuritypolicies.com/data-security-policy-for-ecommerce-merchants</link>
		<comments>http://www.datasecuritypolicies.com/data-security-policy-for-ecommerce-merchants#comments</comments>
		<pubDate>Tue, 10 Jun 2008 04:17:38 +0000</pubDate>
		<dc:creator>Marc</dc:creator>
		
		<category><![CDATA[Security Policies]]></category>

		<category><![CDATA[Security Standards]]></category>

		<category><![CDATA[Data Security Policies]]></category>

		<category><![CDATA[Ecommerce Security]]></category>

		<category><![CDATA[Security Policy]]></category>

		<guid isPermaLink="false">http://www.datasecuritypolicies.com/?p=66</guid>
		<description><![CDATA[
By Joe Cole
Combating fraudulent transactions starts with creating and implementing your organization&#8217;s data security policy. Consumers expect that eCommerce merchants protect the personal payment information they provide during a transaction and that it will only be used for completing the transaction. They also expect that merchants explain the measures and procedures they have set in [...]]]></description>
			<content:encoded><![CDATA[<div id="body">
<p><img class="alignleft size-full wp-image-67" style="border: white 7px solid;" title="ecommerce_security" src="http://www.datasecuritypolicies.com/wp-content/uploads/2008/10/ecommerce_security.jpg" alt="" width="230" height="150" />By <a id="link_46" href="http://ezinearticles.com/?expert=Joe_Cole">Joe Cole</a></p>
<p>Combating fraudulent transactions starts with creating and implementing your organization&#8217;s data security policy. Consumers expect that eCommerce merchants protect the personal payment information they provide during a transaction and that it will only be used for completing the transaction. They also expect that merchants explain the measures and procedures they have put in place to keep sensitive account data safe. To address your customers&#8217; expectations and to prevent fraudulent activities, eCommerce merchants should <span id="more-66"></span>consider implementing the following best practices regarding information security:</p>
<ul>
<li><strong>Educate Consumers about your Security Practices.</strong> Create a page that details your website&#8217;s security practices and controls. Consider including in it the following:
<ul>
<li>A detailed explanation of how payment information is protected at all stages of the transaction process: during transmission, while on your server and at your physical work site.</li>
<li>Make the page available to all visitors to your website. You should consider placing a link to it in your home page. Placing a link in your header or footer will make the page accessible from any page of your website.</li>
</ul>
</li>
<li><strong>Create a Security Section in your FAQ Page.</strong> If you have not already, you should create a FAQ page and include in it questions and answers on how customers can protect themselves while shopping online.</li>
<li><strong>Add the Logos of Fraud Prevention Services that you are Using.</strong> Place on your website the logos of all fraud prevention and data protection services that you are using.</li>
<li><strong>Warn Customers against Sending Payment Information by Email.</strong> Email is not a secure way to do business, but some customers are not aware of that. To better protect their personal information, highlight your security practices on your website and in your email correspondence. Advise customers that:
<ul>
<li>Email is an insecure method of communication and should never be used for transmitting account data or other sensitive information.</li>
<li>Your website uses SSL encryption to ensure that personal information is protected from unauthorized access, which provides the safest way to shop online.</li>
</ul>
</li>
</ul>
</div>
<p><a href="http://unibulmerchantservices.com/" target="_new">Merchant Services</a></p>
<p><a href="http://www.unibulmerchantservices.com/apply-online/business-merchant-account/" target="_new">Business Merchant Account</a></p>
<p>Article Source: <a id="link_80" href="http://ezinearticles.com/?expert=Joe_Cole">http://EzineArticles.com/?expert=Joe_Cole</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.datasecuritypolicies.com/data-security-policy-for-ecommerce-merchants/feed</wfw:commentRss>
		</item>
	</channel>
</rss>
