Recently in security Category

PCI Compliance in the Cloud

August 14, 2009 2:24 PM | 1 Comment
On this blog, the author posts a reply from Amazon about the level of PCI security offered by EC2 and Amazon Web Services.

As for PCI level 2 compliance, that requires external scanning via a 3rd party, PCI-approved vendor. It is possible for you to build a PCI level 2 compliant app in our AWS cloud using EC2 and S3, but you cannot achieve level 1 compliance. And you have to provide the appropriate encryption mechanisms and key management processes.

What strikes me as funny is that PCI compliance is confusing enough without adding the cloud to it. Also, data security is almost a misnomer given the number of breaches that professional cyber-criminals perpetrate almost weekly. Cloud or no cloud, security is breached.

I guess it's like spam: we'll always have it. Unlike PGP encryption, which is hardly used at all.

Start-up Venture Capital

May 15, 2009 8:53 AM | 1 Comment
I'm getting ready to run downstairs to the Florida Venture Forum 2009 Early Stage Venture Capital Conference outside Orlando at Omni ChampionsGate. Beautiful golf course. It will be interesting to see who is here. I am hoping 2 companies made it in.

eCycling, which recycles business electronics, has a deal with FedEx as its distribution partner. You can drop off unwanted electronics at FedEx locations for recycling. Save the planet!

NullBound is an exciting network security start-up. Put one of NullBound's boxes at the edge of your network and never worry about malware, spyware or viruses again. It stops them intelligently before they can come into your network. No client software needed! (Take that, McAfee!)

Well, got to run. The money folks are waiting.

CIO's Top Tech Investments

April 16, 2009 2:48 PM | 0 Comments
Robert Half interviewed 1400 CIOs for a research study (press release here). It's not a surprising list: security, VoIP, virtualization, SaaS, and data center efficiency. Considering that power costs much more than space, getting energy and hardware efficient means cost savings. Oh, wait, that's virtualization too. And software as a service and VoIP.

In summary, the top tech investments of CIOs at companies with 100 or more employees are IT security and cost-cutting initiatives.

Why Security Will Be Priority 1

April 16, 2009 1:47 AM | 0 Comments
As I skim the Verizon Business 2009 Data Breach Investigations Report (PDF) and find that "295 million records were compromised and there were 90 confirmed breaches last year", I think: where is the security? The intrusion detection systems, the firewalls, the vigilant admins. Oh, wait, most companies don't have that. What else is missing? A password policy and a skilled technician who doesn't use the default settings for gear.

I'm generalizing of course, but there wouldn't be so many breaches if systems, policies, and security were intact. Mind you, these are reported breaches; some known breaches do not get reported, and probably a good many breaches are undetected.

As we move to cloud computing, virtualization, SAAS, Web 2.0 and other examples of applications and corresponding data located on an Internet connected server, security will become paramount. It will be too costly to lose data.

Mind you, it's not 16 year old hackers who are the issue. It's organized crime cartels internationally who make billions off stolen data. Yes, Billions.

Managed security services are available. Almost every telco and ISP sells some - from managed firewall to IDS to managed router. My recent experience with a managed AT&T router tells me that perhaps that's not the way to go, but certainly there are MSPs who specialize in network monitoring.

Another idea would be to sell MPLS in place of IP-VPN or Internet based VPN. Yes it costs more, but isn't the peace of mind worth it?

Businesses that accept credit cards also have to worry about security due to liability and punishment. The credit card companies have established guidelines for PCI Data Security.

As a business, if there is a breach, you will be fined, your reputation tarnished and you will be left holding the bag for damages as well. Ask TJX.
John Todd is an Asterisk evangelist and works for Digium. VoIP Users Conference reposted John's 7 steps to better SIP security on Asterisk (here). The reason for the 7 steps now?
"In the last few months, a number of new tools have made it easy for knuckle-draggers to attack and defraud SIP endpoints, Asterisk-based systems included. There are easily-available tools that scan networks looking for SIP hosts, and then scan hosts looking for valid extensions, and then scan valid extensions looking for passwords. You can take steps, NOW, to eliminate many of these problems."
It's not just Asterisk either. There are holes in every PBX and softswitch. There is long distance fraud, especially in international calling. You should be checking your CDRs at least daily - or run a script to pick up anomalies.
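As an added example of the kind of daily CDR check the paragraph above suggests (not code from the post or from Digium), the script below scans constructed Asterisk-style CDR rows and flags the two toll-fraud signatures a PBX admin usually looks for first: an extension racking up more than an hour of international talk time in a day, and an extension placing several international calls outside business hours. The column layout, the thresholds and the business-hours window are assumptions for the demo.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample CDR lines in a simplified Master.csv-style layout:
# calldate, src extension, dialed number, disposition, billsec. Not real call data.
SAMPLE_CDR = """\
2009-04-15 09:12:03,1001,8135551212,ANSWERED,94
2009-04-15 11:40:19,1002,8135550100,ANSWERED,300
2009-04-15 02:03:44,1003,011447700900123,ANSWERED,1800
2009-04-15 02:05:10,1003,011447700900124,ANSWERED,1750
2009-04-15 02:06:52,1003,011447700900125,ANSWERED,1790
2009-04-15 02:08:31,1003,011447700900126,NO ANSWER,0
2009-04-15 14:22:05,1001,011525512345678,ANSWERED,120
"""

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time; assumed for the demo
MAX_INTL_SEC_PER_EXT = 3600     # assumed daily cap on international talk time per extension
MAX_OFFHOURS_INTL_CALLS = 2     # assumed cap on off-hours international calls per extension


def is_international(dst):
    """Treat the NANP 011 exit code or a leading '+' as an international destination."""
    return dst.startswith("011") or dst.startswith("+")


def find_cdr_anomalies(cdr_text):
    """Return a sorted list of (extension, reason) findings from CDR CSV text."""
    intl_sec = defaultdict(int)       # answered international billsec per extension
    offhours_intl = defaultdict(int)  # international attempts outside business hours
    for row in csv.reader(StringIO(cdr_text)):
        if not row:                   # tolerate blank lines in the export
            continue
        calldate, src, dst, disposition, billsec = row
        if not is_international(dst):
            continue
        hour = datetime.strptime(calldate, "%Y-%m-%d %H:%M:%S").hour
        if hour not in BUSINESS_HOURS:
            offhours_intl[src] += 1   # unanswered attempts count too: they show scanning
        if disposition == "ANSWERED":
            intl_sec[src] += int(billsec)
    findings = []
    for ext, secs in sorted(intl_sec.items()):
        if secs > MAX_INTL_SEC_PER_EXT:
            findings.append((ext, f"{secs}s of international talk time exceeds {MAX_INTL_SEC_PER_EXT}s"))
    for ext, n in sorted(offhours_intl.items()):
        if n > MAX_OFFHOURS_INTL_CALLS:
            findings.append((ext, f"{n} international calls outside business hours"))
    return findings
```

Running `find_cdr_anomalies(SAMPLE_CDR)` flags extension 1003 on both counts while the daytime call from 1001 passes; in practice you would feed it yesterday's CDR export from a cron job and mail the findings.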

Security in its entirety will become extremely important this year. New tools; a tanking world economy; criminals will be looking for every lever to make money or get something for free. So will disgruntled employees, so network admins need to be on top of any changes in human resources.

SMB Nation VoIP Survey

February 24, 2009 11:06 AM | 0 Comments
"SMB Nation is a community of over 35,000 small and medium business (SMB) technology consultants, channel partners, sponsors and resellers. With an impressive 10-year history serving as a trusted advisor and mentor to the SMB consulting and reseller channel, SMB Nation has been able to consistently reinvent itself based upon changing market conditions." SMB Nation did a VoIP survey with NGT. 260 responded (results here).

These are the services they currently provide:

  • Networking infrastructure (91.1%)
  • Mobility sales, services, support (52.7%)
  • VoIP-specific sales, services, support (44.2%)
  • Telephony sales, services, and support (35.3%)
  • Line of business applications (35.7%)
  • Database development/programming/development (32.6%)
  • Web hosting (27.5%)
  • Host e-mail (26.7%)
These are the services they will add:

  • VoIP sales, service, support (56.2%)
  • Security (36.6%)
  • Telephony sales, services, and support (28.1%)
  • Web hosting, hosted services (25.5%)
It's interesting that telecom agents sell circuits and very few want to sell non-telecom services, but VARs and MSPs are marching in to take over the agent arena.

Do You Work on Encrypted VoIP?

September 2, 2008 9:40 AM | 1 Comment

I am on Peter Shankman's HARO list. This morning there is a UK reporter from Future Intelligence looking for anyone working on encrypted VoIP in Europe (deadline is 9/15). The editor, Peter Warren, writes: "I am looking for any companies that are working in this area and would be very interested in talking to them about why and what they think the opportunities are."

We all know that Skype has some kind of encryption present (AES?), but still has a CALEA back-door.

There is the Zfone project. Zfone (which uses ZRTP) is an open standard. "One of the drawbacks of Zfone technology: in order for a call to be secure, both users have to have the program installed." [VoIPNow]

The other ways to encrypt it are to use VPN, Secure RTP, Transport Layer Security (TLS) and IP Security (IPSec).

In addition, here in Tampa Bay we have the developer of DoD (Defense Dept.) level security for VoIP calls. It is called myKryptofon, by ID Rank Security, which promises NSA-level security - and is providing that for the DoD now.

SPIT and Vomit

August 27, 2008 5:04 PM | 0 Comments

We had the huge DNS security hole a couple of weeks ago. Now we have the BGP security flaw. What next?

Well, according to a presentation by VOIPSA, there are threats out there to target SIP. BTW, VOIPSA is the VoIP Security Alliance.

We have heard about SPIT ("SPam over Internet Telephony"), and according to the presentation it "Makes for great headlines, but not yet a significant threat." Then come VOMIT and Asteroid. VOMIT is "voice over misconfigured internet telephones". Asteroid is a SIP denial of service tool.

It was an interesting look because I am certain that people are preying on weaknesses, but I don't hear too much from ITSPs about security, prevention or awareness. Do you?

Two extra notes: the Voice over IP Security Alliance can be found at hackingvoip.com.

Nominum Solves Kaminsky Attack

Qwest sent me an invite to a webinar: PCI MOVING FORWARD: Best Practices to Achieve and Maintain Compliance.

PCI compliance is a constantly changing security requirement for all businesses that process, store or transmit consumer credit card information. Shifting parameters, looming deadlines and increasing responsibilities all pose a challenge to becoming compliant and staying that way. This joint webinar between Qwest Business and Cisco Systems will introduce ways to reduce risk and shorten the journey to compliance.

Date: Wednesday, September 10, 2008

Time: 10:00 a.m. Pacific/1:00 p.m. Eastern

Register here: www.pcinext.com/partner

How Safe is the Cloud?

August 12, 2008 12:46 AM | 2 Comments

Network World has a story about how an online storage site, Linkup, formerly known as MediaMax, shut down this week after 45% of the data was lost. Whose fault is it? Well, the article tries to figure that out.

As we have seen, outages are everywhere - Amazon, Google, etc. Five nines is difficult, especially now. My thoughts are that there are more hackers worldwide with broadband. More compromised machines. Fewer security precautions. Buggy, bloated software that goes unpatched. Less common sense.

All these free services have a cost to deliver. If they don't have a revenue model that is working (like Google or Amazon), then how can they afford to provide secure services to you for free? As we have seen, even Google and Amazon, who can not only afford it but hire top-notch talent to manage it, have issues that cannot be avoided. Power outages. Broken parts. Redundant failures. As any data center tech can tell you, these things happen.

A CLEC client called today with a DS3 card outage on his class 5 switch - and the redundant switch-over wouldn't work. What can you do?

Plan for the worst. Test. Communicate with your customers in the case of an event.
