
January 31, 2008

New Poll

There is a new poll on the front page. Industry certifications have always been debated: some feel they are great indicators of knowledge, others think they are a dime a dozen. Which do you think are worthwhile?


January 30, 2008

MS Extends Second Shot Program

For those of you looking to get some Microsoft certifications, Microsoft announced they will be extending their Second Shot program. Essentially, Second Shot is a joint program between Microsoft and Prometric: you register for a Second Shot voucher before you take a Microsoft certification exam, enter that voucher number when you buy your test voucher via Prometric, and if you fail the exam you can retake it for free. It's a pretty good deal, especially if this is your first time taking any of the MS exams. Their tests are different from a lot of other certifications, so knowing how to take their tests is something that helps you, and this gives you the opportunity to try one out without blowing a couple of hundred dollars if you find out you aren't ready just yet.

Press Release:

Microsoft™ has extended its Second Shot offer for certification exams.

You can now take advantage of the opportunity to get a free second chance
to pass a Microsoft IT Professional, Developer, or Microsoft Dynamics™
certification exam through June 30, 2008. This offer is available
worldwide, to anyone who registers for Second Shot and does not pass
their first attempt at one of these exams.

Step 1: Before taking your exam, register for Second Shot and receive
your exam voucher number.

Step 2: Using the voucher number, schedule and pay for your initial
exam via Prometric's web site, call center or test center locations. (To
qualify, you must have the voucher number prior to registering with
Prometric.)

Step 3: Take your exam.

Step 4: If you do not pass on your first attempt, register for your free
retake exam via Prometric's web site, call center or test center locations
using the same voucher number.

NOTE: To allow for test results to be entered into the system, please wait
one day after the failed exam to register for your Second Shot retake.

For more information, or to register, go to: http://www.microsoft.com/learning/mcp/offers/secondshot/default.mspx

The Microsoft Certification Team
© 2008 Microsoft Corporation


January 23, 2008

Achieving Information Security: Prevention (1 of 3)

The most valuable asset of most organizations is the information they hold, whether it be top secret design plans for their next product, accounting information about future company acquisitions, or the personal information of their clients and employees. A breach in the security that protects these assets can and has resulted in companies going bankrupt due to loss of client confidence, lawsuits, and loss of competitive edge. There are three parts to achieving information security: Prevention, Detection and Response.


Prevention:
As the saying goes, an ounce of prevention is worth a pound of cure, and that is no different in the IT world. Preventing unauthorized users from gaining access to your confidential data should be priority one. There are several things that can and must be done to prevent unauthorized access to data. Not only do you need to consider digital security (passwords, user names, file permissions, etc.) but also physical security.


Physical Security:
Physical security is often overlooked when we think about protecting information held on a computer, but the truth is, if someone gains physical access to your file server, they now own your data. So making sure your server is kept in a protected and secured area is very important. Servers and data backups should be kept under lock and key at all times. Ideally you want a room with controlled access that is monitored electronically and by a human. Because a secure environment like this is not always available at your office, many companies choose to use data centers to house their servers. Data centers not only provide a great deal of security, but they can provide redundant power as well as fire suppression to protect your equipment. The level of security at data centers will vary based on the center you are working with, but most are very good.

For example, the data center I have used for clients in the past included the following security:

  • Biometric palm scanner + PIN to get into the main door
  • Sign in with a security guard as you pass through the first set of doors (they check ID)
  • You go to your designated locker (they watch to be sure you are only near your lockers)
  • Key lock AND combination lock on the server rack doors
  • Roaming security guard as well as closed-circuit security cameras
  • After hours, before you could even enter the building, you had to be buzzed in by security

Now this may seem excessive, and it might be overkill depending on your business, but we dealt with accountants, lawyers, doctors, DOD contractors and other professions where data security was considered top priority. So it will be up to you to find a proper solution that matches the value of your data.

Digital Security:
Once you have a good physically secure location picked out and set up, you need to protect your data from people coming at it over the wire, not through the doors. The method you choose to protect your data will again vary based on how valuable that data is, and it will be up to you to decide how much protection is enough. Your goal here is to make your data secure enough that those who aren't supposed to have it can't get it, while those who need it can get it without too much trouble.

One of the easiest ways to protect files in a Windows domain environment is by adding permissions to them. Not only can you select who has access to files, but you can choose what kind of access to the file they have. In some cases, many people may need to read a file, but only 1 or 2 need to be able to make changes to it, so you can give read permission to some and write or modify permissions to others. This allows a very customizable and secure permission scheme. More information about Windows permissions can be found HERE.
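As an added example (not code from the original post), here is the read-for-many, modify-for-few scheme above applied to a shared folder from PowerShell with Get-Acl/Set-Acl; the share path and the two domain group names are assumptions, substitute your own.

```powershell
# Grant a readers group Read and an editors group Modify on a share,
# dropping inherited entries so only the rules below apply.
# Path and group names are assumed placeholders for this example.
$Path    = 'D:\Shares\Projects'
$Readers = 'CORP\Project-Readers'   # assumed: the many who only read
$Editors = 'CORP\Project-Editors'   # assumed: the one or two who edit

$acl = Get-Acl -Path $Path

# Stop inheriting ACEs from the parent folder ($true) without copying
# the inherited rules onto this folder ($false), so we start clean.
$acl.SetAccessRuleProtection($true, $false)

# Remove any explicit ACEs already present; @() copies the collection
# so we are not removing from it while iterating.
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)
}

# Apply each rule to this folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Readers: read the files, nothing more.
$readRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Readers, 'Read', $inherit, $propagate, 'Allow'

# Editors: Modify (read, write, delete) but deliberately not FullControl,
# so editors cannot rewrite the permissions themselves.
$modifyRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList $Editors, 'Modify', $inherit, $propagate, 'Allow'

# Keep an administrators entry so the folder can still be managed.
$adminRule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'BUILTIN\Administrators', 'FullControl', $inherit, $propagate, 'Allow'

foreach ($rule in $readRule, $modifyRule, $adminRule) { $acl.AddAccessRule($rule) }
Set-Acl -Path $Path -AclObject $acl

# Verify the result: no entry for Everyone or Users should remain, and
# every entry should be explicit (IsInherited = False).
Get-Acl -Path $Path |
    Select-Object -ExpandProperty Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Run it from an elevated prompt as an account that holds FullControl on the folder, since breaking inheritance and rewriting the DACL require that right.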

File and folder permissions are great, but one of the major flaws in that type of setup is that the computer will assume anyone logged in as a user is indeed that person. So if Joe happens to know Susan's password and logs in as her, or Susan leaves her computer logged in and Joe sits at her desk, Joe will now have Susan's file permissions. What we need here is called user authentication. Essentially, user authentication is a way for a computer to verify who is actually sitting at the keyboard. The most common way to do this is via a username/password combination. More advanced and more secure ways include using biometrics (fingerprints, palm prints, facial recognition) or a smart card. Many times people will use these different types of security in conjunction with each other (this is called multi-factor authentication). At my old data center, for example, we used both biometrics and a password (or PIN). This is a very common setup, and the reason is that it requires not just two authentication steps but two different types of factors: I needed something physical (my palm print) as well as something I knew (my PIN). It might be easy for someone to steal a password or PIN, but stealing a fingerprint or palm print is a lot more difficult.

Once you have your file security in place, you are pretty close to having a good security setup, but there is one last but very important piece of security that is constantly overlooked: the human element. In order to have any level of data security, you need to educate your staff on how to keep data secure. Employees need to know what data can be passed on to the public, what can be given to other employees or other departments, and what must remain secret or not be passed around. If you don't tell them, they won't know, and the likelihood of an accidental breach is pretty big. A common way to keep track of what information can be given to different people is by giving different data a different level of clearance. For instance, in the military, and in many large companies, documents may be labeled confidential, secret, or top secret. Based on those designations, staff know that only people with top secret clearance can have access to top secret documents. Similarly, you may label some documents for "full public disclosure", where the data can be given out freely (this could be something like the phone number for the main office or a branch office), or "limited public disclosure", to control press releases and public announcements that can only be given out with special permission.

Once you are able to control physical access and digital access, and are able to teach your employees the proper way to handle data, you are well on your way to achieving a good level of information security.


January 16, 2008

Lack of Updates

Sorry for the lack of updates everyone, I have been buried with other work.

What exactly has been keeping me busy? Well, school is starting up again (I get my degree this year), I have been tasked with designing, then building a NOC at work (a really fun, although highly time consuming, project) and I have been taking some certification exams (mostly so people stop asking me what certs I have and because my boss wants me to get some so he can convince the CEO to give me a raise). I take the exam for one of my security certifications tomorrow, and then will finish up some posts I have been working on.

Coming up I have posts about:

  • The three parts of information security (3 part series)
  • Certification exam prep tips
  • Building a NOC (Network Observation Center): my start to finish guide on the NOC I am building

All of these posts have been started and are in different stages of completion, so hopefully you will see 1 or 2 by the end of the week, and the rest next week.


January 14, 2008

Pondering the universe

Of all the things in the world to ponder, I have always asked myself the same question: what is beyond the edge of the universe?

Throughout my years of schooling I have taken both science and philosophy courses, and have never been given a good answer to my question. I was asked to stop asking questions by my astronomy professor when I simply asked what was beyond the edge of the universe.

The universe is said to be the whole of everything. It is also stated to be 93 billion light years across. But how can something with a limit be the whole of everything? In order to place a limit on something, it has to have a start and an end. To have a start, there must be something before it, or you couldn't judge the start. If there is an end, then there must be something beyond that point which a person claims to be the end.

If we state that the size of the universe is infinite, then our teachers have been lying all along.

In addition to this, it is said that the universe is expanding. Where is it expanding to, if it is the whole of everything?

Maybe the key is that the term universe can only be used to accurately describe all the known objects.

Think about it.


January 10, 2008

CompUSA LIVES!

TigerDirect plans on turning all of their stores (11 current, 3 more opening) into CompUSA stores and joining them with the 16 they just purchased. They will also keep the CompUSA website up and running. This means CompUSA lives!

Gilbert Fiorention acknowledges that CompUSA was doomed due to high overhead (duh) because they insisted on keeping several levels of managers as well as a very heavy internal IT department. With all that overhead, it was very difficult to keep any store profitable. After cutting all the fat, they will have about 30 stores, and be profitable. Check out the CNN article for details.


Still no word on the fate of the Honolulu stores. It looks like TD is trying to stay in the southeast sector of the US, so I doubt they will be buying this store. Although Honolulu is highly profitable, it is a huge risk and involves a lot of extra overhead due to shipping and support requirements, so the ROI may not be as good.


January 7, 2008

Benefits of Server Virtualization



As both software and hardware technology advance, and the dependence on technology as a tool becomes more and more apparent, companies have begun facing new challenges. As more servers are needed, several things happen. First, there is the cost of the hardware, then you need space to store the hardware. You need to make sure that area stays cool and dry, and you need a proper fire suppression system (spraying water on a server is a bad idea). You need to pay for the electricity for all those servers, and you need to repair parts on those servers when they go bad. Over time these costs can become huge. How does virtualization help?

Benefits:

  • Less hardware to purchase. If you can run 3 servers on a single piece of server hardware, then you can save money.
  • Less hardware means less heat, which saves you money on cooling.
  • Fewer servers means lower electricity costs.
  • Less hardware to maintain.
  • Less space taken up by servers.

Disadvantages:

  • Concentrated points of failure. Previously, when 1 piece of hardware broke, you lost one server. Now several are down.
  • Extra software to purchase and configure (you need to buy VM software).
  • In a really high traffic environment, bandwidth limitations on the NIC could become a problem, although this is highly unlikely and can be resolved by adding a second NIC and load balancing.
  • Not all software can run in a virtual environment (this is rapidly changing).


TigerDirect Purchases CompUSA

Official announcement that Systemax (TigerDirect) has purchased CompUSA:

"We believe the value of the CompUSA brand remains very high. The company has a long legacy of value pricing, service and customer loyalty among consumers nationwide," said Richard Leeds, Chief Executive Officer of Systemax. "We view this acquisition as a strong complementary business to our TigerDirect operation."


So far it has been announced that the stores in Florida, Texas, and Puerto Rico are for sure; let's see if Honolulu is next.


Yahoo! Finance
Business Week
Reuters


UPDATE 01/07/08 4:00 pm:
Sources have stated that Circuit City should be making an announcement in the next few days about an acquisition of the Honolulu CompUSA location (basically opening a new Circuit City in Honolulu). With recent announcements of their stock prices plummeting, this comes as a surprise to me, but it would make sense for Circuit City to create a larger presence in Honolulu. Look for that announcement soon.


January 5, 2008

Questions for Mint.com

If you have read my blog, you have probably seen the criticism I have aimed at companies like Mint.com. I feel the idea of their product is good, but the execution is poor. There are too many points of failure, but that is inherent in the type of service they offer. I decided to try and get some answers from Mint on several occasions because it really isn't fair to just bash a product without giving the makers a chance to respond. I emailed Mint.com's support, and asked questions on message boards, and finally I got a response from a person at Mint who agreed to answer some questions for me; it was like the light at the end of the tunnel. This was in November. I sent a list of questions asking about the security of the software, what type of liability they have, and their policies as far as holding customer info (since most of the information on their website was vague), and while I didn't expect all questions to be answered (for various reasons, including proprietary processes needing to be safeguarded, security, etc.) I did expect some, and unfortunately I was given none.

The lack of assistance from the company, and their outright refusal to answer questions about their product, is disturbing. With a regular piece of software this would be irritating; I don't think it is unreasonable to want to know how your information is handled. But with a piece of software that is designed to handle financial data, by a company who is asking you to trust them with all of your account information and your credentials to access that information, it is just scary that they are so hesitant to work with customers to settle their fears. Below are the questions I asked the representative of Mint.com. I received a reply saying they were working on it, then that someone would get back to me, then nothing. Now they are saying their marketing staff wanted to review the answers first. I'm hoping someone can provide some answers for me. As online financial aggregators become more popular (there are several already) they will become a major target of criminals, and I think it is important for customers to have as much information as possible about the services they provide and the steps they take to ensure the security of their clients' data.



Mint.com if you read this, please feel free to reply in the comments or via an email to me and I will fill in the answers below.

I checked their website again, and it looks like they added more info, so I'm going to fill in some things that they already published answers for. Glad to see they are updating their website. Maybe my questions aren't falling on deaf ears.

Update: A Mint.com rep has responded and the answers they provided are in red below. My Comments are in parenthesis.

  1. Once an account is canceled, how long does Mint.com hold the information for?
    We delete the account within 48 hours from our primary production
    servers. We do not hold your information beyond that point.

  2. How long are backups held after an account is deleted?
    See above (if this is true, then either they don't keep backups for more than a day, or they delete your info from the backup... both seem unlikely)

  3. What is the policy for turning over information when requested by a 3rd party (police, lawyers, etc)?
    See link here: http://mint.com/privacy.html#a-10
    In addition, Mint, like any other corporate entity, would have to comply with any legal requests from law enforcement for information.

  4. What liability does mint.com have if there is ever a security breach and information is stolen? Where is Mint.com's liability explained?
    Liability is explained in the Terms of use (see link: http://mint.com/terms.html#a-16)
    Important note: If the concern is about identity theft in the very unlikely scenario of a security breach, customers are protected by various consumer protection laws, including regulation E, if they advise their financial institutions within a specific period of time.

  5. It states here that Mint does not actually hold a user's info, but that Yodlee does. How do Mint and Yodlee interact and ensure the user is seeing their information and not someone else's if there is no identifying data shared? We generate a random identifier for each Mint user and use that identifier when communicating with Yodlee

  6. What type of encryption is in place between Yodlee and Mint? 128 bit SSL

  7. Which company do you contract for your co-location? many "secure facilities" aren't all that secure. Can't Answer this (no answer was expected since saying we store our servers at X would be pretty dumb)

  8. Is it a shared facility? Do you share hardware as well or does Mint use dedicated servers? Mint uses dedicated servers in a dedicated location, with our own biometric locks.

  9. You also state here that no Mint staff have access to user credentials. Is this true for both user names and passwords, or just passwords? If they have access to neither, how can they assist a customer if they are having access problems? This addresses bank credentials, not mint.com credentials, so the answer makes sense.


  10. How will you notify customers if the terms and conditions/privacy policy change?
    See link: http://mint.com/privacy.html#a-18

  11. Do you share customer information with any affiliates?
    We will never share personal information. We will use aggregate data in various ways in the future, where it can be done to enhance the value of the service while
    maintaining privacy

  12. How will you notify customers if there is a security breach?
    Email

  13. You again state here that you don't store any cc info. So is it safe to assume then, that mint just acts as a "front end" so to speak for Yodlee?
    Mint leverages Yodlee's proven account aggregation service, as do most of the top US banks, Microsoft Money, Fidelity, etc. We then apply multiple patent-pending technologies to automatically categorize and analyze your transactions and find offers which will save you money.

  14. Has this been resolved? I can't say that it is very comforting that "administrators" are answering with "I think" instead of certainty. Or is this another case of Mint just being a front end and really we should be working with Yodlee?
    No, this hasn’t been resolved. Security dongles aren’t supported because they create a random password every xxx number of seconds. There’s no way to support this right now.

  15. Do you think it is unethical to recommend credit cards as well as other financial services without knowing the full financial situation of a customer?
    1. The offer is based on an algorithm about what we know about the customer at that time.
    2. The customer has no obligation to accept an offer.
    3. The customer doesn’t have to accept an offer to continue using the site.
    4. We present the best possible offer (based on what we know), even if we don’t make any money.

Now hopefully someone can help me fill in the rest of the answers.


January 4, 2008

Tiger Direct eyes CompUSA

This has been Confirmed


There has been some major noise about Tiger Direct buying CompUSA for some time now, but in recent days the internal noise has been growing. Daily Tech reports some interesting Wikipedia edits going on that point to a Tiger Direct acquisition; in addition, the Gordon Brothers realtors were in our store (one of the most valuable and one of the few profitable CompUSA stores around) showing some people around. The location we are in is by no means cheap and is considered prime real estate in Honolulu (rent of this building approaches 250k per month), so any buyer would need to be big and willing to make an investment.

In addition to this we have been consistently receiving merchandise despite most stores no longer receiving inventories.

The official closing date for CompUSA is March 1st, but that isn't to say someone won't buy out before then; only time will tell.
