Archive for the ‘Business’ Category

Technology Security Measures

January 28th, 2012 admin No comments

While most companies have several security defenses in place to guard against threats, such as firewalls and antivirus software, a very important question is still left on the table: Exactly how effective are these measures? Although it is a deceptively simple question, every company must find its own answer to it. Without this critical information, your organization could be left wide open to incoming threats because of unknown vulnerabilities. Let’s investigate a few ways to effectively evaluate your organization’s data security:

Penetration Tests
A penetration test, or pentest, is basically an attempt to hack into the system from outside the network. This simulated attack analyzes the system for any potential vulnerability points that could result from configuration problems, hardware or software defects, or poor operational procedures. A penetration test will typically look for points that are vulnerable not only to outside attackers, but also to insiders. If an employee can view data they are not authorized to see, it can be just as dangerous as allowing a hacker to gain access. Penetration tests can be classified as either Black Box, where the tester knows nothing about the system, or White Box, where the tester has complete knowledge about the system infrastructure. Of course, some installations have used modified rules and referred to it as Grey Box testing. Every system that connects to the internet or allows access from any other external source should use penetration testing on a regular basis.

Network Discovery Assessments
A network discovery assessment analyzes your network’s infrastructure to identify every device that is connected to your network and search for configuration weaknesses. By clearly identifying each machine within a continuous IP address range, the system engineers can detect any new or unexpected devices that are connected to the network. While an unknown machine usually occurs because an incorrect IP address was assigned or a cabling error was made, a network discovery assessment will also point out any truly unauthorized computer, such as a hacker’s machine, that is connecting to your company’s network.

Network Sniffing
A network sniffer can be either a hardware device or a piece of software that intercepts and logs traffic passing over a network in order to capture information about each packet’s final destination. Some network sniffers have the ability to generate errors within the system to test for the ability to handle error conditions. Depending on the capabilities of the individual network sniffer, it can be configured in the following ways:
• Wired Broadcast LANs – A network sniffer can monitor traffic traveling across either the entire network or on specific parts of the network from one machine. To minimize a potential bottleneck, ARP spoofing or monitoring ports can be used.
• Wireless LANs – A network sniffer can monitor the traffic on one specific channel.
• Promiscuous Mode – If the network sniffer supports this feature, the network adapter can be set to promiscuous mode to allow the sniffer to monitor multicast traffic sent to a group of machines that the adapter is listening to.
• Monitor Mode – This is a step up from promiscuous mode. It allows the sniffer to process everything that it could in promiscuous mode plus packets for other service sets.
In terms of information security, network sniffers provide value by detecting network intruders, discovering network misuse by internal and external users, and isolating exploited systems. On the other side of the coin, hackers can use network sniffers to learn information to effect a network intrusion and to collect passwords or other sensitive information.

Checking Password Security
Because most users will choose a password that’s easy to remember, instead of one that’s hard to guess, password security is critical to overall information technology security. After all, once a hacker has a valid user id and password, much of the system is readily available. Passwords should be encrypted within the system, and rules should be put into place to reflect the potential security risk of an individual system. If the risk is low, it might be enough to require the user to create an eight-byte password with at least one character and one number that expires at 30 days. At the other end of the spectrum, the password should expire every week and require the user to use a mix of upper case, lower case, numeric, and special characters while restricting the use of any word found in a standard dictionary and consecutive keyboard characters.

Checking Wireless Security
Wireless access is a growing trend in today’s business world, but it comes with huge risks for security vulnerabilities. As long as a hacker is within the zone of your company’s wireless signals, they can connect to your system and attempt to log in. If a wireless network adapter isn’t configured properly, it can leave the door wide open to attacks, and the hacker may be able to get in with a simple admin/password sign on. In addition to securing each known wireless access point, the network should be searched for unauthorized wireless ports that may have been left over from testing, set up by accident, or created with malicious intentions.

Anthony Ricigliano
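
The comparison at the heart of a network discovery assessment, as an added example that is not part of the original article: devices observed in the assessed address range are reconciled against the authorized inventory, separating a known machine on the wrong address from a machine nobody has on record. The inventory, address range, scan observations and function names are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

def normalize_mac(mac):
    """Canonicalize MAC notation so 00-11-22-.. and 00:11:22:.. compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(first_ip, last_ip, inventory, observations):
    """Compare scan observations with the authorized inventory.

    inventory:    {mac: (expected_ip, label)}
    observations: [(ip, mac), ...] as reported by whatever scanner is in use
    Returns a sorted list of (finding, ip, mac) tuples.
    """
    lo, hi = ipaddress.ip_address(first_ip), ipaddress.ip_address(last_ip)
    known = {normalize_mac(mac): ipaddress.ip_address(ip)
             for mac, (ip, _label) in inventory.items()}
    findings, seen, macs_by_ip = [], set(), defaultdict(set)

    for ip_text, mac_text in observations:
        ip = ipaddress.ip_address(ip_text)
        if not lo <= ip <= hi:
            continue  # outside the range this assessment covers
        mac = normalize_mac(mac_text)
        seen.add(mac)
        macs_by_ip[ip].add(mac)
        if mac not in known:
            # Nobody has this machine on record: candidate unauthorized device.
            findings.append(("unknown-device", str(ip), mac))
        elif known[mac] != ip:
            # Known machine, unexpected address: the "incorrect IP" case.
            findings.append(("wrong-ip", str(ip), mac))

    # Two machines answering for one address is a configuration weakness too.
    for ip, macs in macs_by_ip.items():
        if len(macs) > 1:
            findings.append(("ip-conflict", str(ip), ",".join(sorted(macs))))

    # Authorized machines that did not answer may be off, moved or replaced.
    for mac, ip in known.items():
        if lo <= ip <= hi and mac not in seen:
            findings.append(("not-seen", str(ip), mac))
    return sorted(findings)

# Constructed sample data (not from a real network).
INVENTORY = {
    "00:11:22:33:44:01": ("10.0.5.10", "file-server"),
    "00:11:22:33:44:02": ("10.0.5.11", "print-server"),
    "00:11:22:33:44:03": ("10.0.5.12", "hr-workstation"),
}
OBSERVED = [
    ("10.0.5.10", "00-11-22-33-44-01"),  # matches the inventory
    ("10.0.5.20", "00:11:22:33:44:02"),  # known machine, wrong address
    ("10.0.5.14", "de:ad:be:ef:00:01"),  # not in the inventory
    ("10.0.6.1", "de:ad:be:ef:00:02"),   # outside the assessed range
]

if __name__ == "__main__":
    for finding in reconcile("10.0.5.1", "10.0.5.254", INVENTORY, OBSERVED):
        print(*finding)
```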

Modern Data Management

September 9th, 2011 admin No comments

Modern data management is rapidly changing to accommodate the economic downturn and the growth of new technology. To reduce expenses, many IT shops are reusing legacy storage devices in addition to taking advantage of pay-as-you-go, cloud-based services. However, these distributed systems must be managed effectively to provide viable, affordable solutions to data management.

The Exciting Challenges of the New Infrastructure
This new strategy isn’t without challenges and opportunities. Today’s system designers must determine how to fully leverage the strengths of on-demand hardware to build the best data management platforms for their IT shop. At a minimum, these solutions must:
• Provide a high degree of scalability and a low level of latency by taking full advantage of parallel processing and memory capabilities.
• Provide fast and easy methods to expand and contract resources as demand changes.
• Provide exceptional up-time with minimal outages. The system should be designed to expect errors and recover accordingly without impacts to the end-user.
• Create a global experience spanning both time zones and geographical boundaries to unite business systems and partners.
• Support a variety of workload types including transactional, analytic, pull, and push.
• Increase effectiveness, efficiency, and affordability while promoting growth.

The CAP Theorem
A popular theory called the CAP Theorem states that it is not possible for a distributed storage system to be “consistent, available, and partition tolerant” at the same time. At any given point, only two of these goals are achievable. Because of this, tradeoffs must be made when distributed systems are designed and implemented.

The Eventually-Consistent Design Strategy
Some web developers are trading consistency for uptime when designing their applications. In anticipation of the need to partition the network as the system grows, they have relaxed consistency requirements in order to guarantee a higher degree of availability during and after the partitioning. This means that individual network outages could result in stale data or other minor problems instead of a nonfunctional website. These “eventually consistent platforms” were inspired by online icons like Google, Microsoft, and Amazon; many cloud-based services and open-source projects offer products that use this design structure.

A Different Approach: Enterprise Data Fabric
Although the eventually-consistent design is acceptable for many applications, it’s not a viable solution for any process where consistency is a key concern. For example, inconsistent processing in a financial system could spell disaster with multiple downstream impacts to data accuracy and consistency. There will always be some form of CAP tradeoff in a distributed system, but a new approach called EDF, or enterprise data fabric, promises to provide a better solution for core business functions.

EDF solutions use a shared-nothing approach to scalability. Partitioning uses nodes that are connected to create a seamless and expandable “fabric” that can span application, geographic, and machine boundaries. To scale the available storage space horizontally, EDF simply connects additional machine nodes. Within these data partitions, entries are composed of key/value pairs with an exceptional level of thread-based consistency.

By isolating data, related partitions can be organized and grouped into service entities. This larger unit is deployed on a single storage device where it can be accessed transactionally with complete independence from other service entities. This approach allows the EDF to create fault tolerance using a partial failure mode with fault isolation.

EDF-based systems exploit the variable nature of data by building flexible configurations that allow for consistency, partition-tolerance, and availability tradeoffs based on when and where the application workflow processes the information. When implemented correctly, EDF strategies allow businesses to reach all three CAP goals, but not at the same time or in the same place.

With the right approach, data management across a distributed system can be an effective and affordable solution for modern IT departments. Before choosing a strategy, consider the benefits and potential issues that each one brings to the table.

Anthony Ricigliano – SpyWare

June 7th, 2011 admin No comments

The Business threat from Spyware
Anyone who uses a modern computer today is aware of spyware. To most people, spyware is a petty annoyance generated by less-than-ethical advertisers, search engine designers, software distributors and hardware manufacturers. Spyware is used to track, record and report activities of interest to third parties, usually without the consent or knowledge of the persons being monitored. Casual home computer users rarely need to worry about spyware; however, in business applications, spyware can be used to devastating effect by the competition’s corporate spies and analysts.

Spyware Identification and Some Simple Solutions

Spyware is generally encountered in three distinct forms: hardware, firmware and software. All three types have various characteristics which can make defeating spyware difficult.

Hardware Spyware

An example of hardware spyware is the unique identification number of an Intel Pentium or later class of CPU. This number can be used to specifically identify any CPU. When combined with appropriate software, this number can be directly linked to an IP address and the precise location – if not the exact user – can be determined. The solution for this problem is using computer motherboards with BIOS settings that are capable of disabling access to those numbers. The solution for hardware devices can be complex, as most firmware and hardware is designed to be neither detected nor disabled.

Firmware Spyware

Firmware spyware is semi-permanent software running at the machine hardware level. The BIOS CMOS chip is where it usually resides. Most is relatively innocuous; however, someone with malicious intent can replace the BIOS with a custom-made copy which can contain code to enable access to the computer. The best defense is to use factory-authorized and distributed firmware.

Software Operating System Spyware

Software spyware can exist in either the operating system or in applications. An example of operating system spyware was the recent disclosure of an operating system file, inaccessible to casual users, that recorded the GPS locations where the device had been physically located throughout its existence. The Apple iPad tablet and other similar PDAs used similar technology. After the spyware was brought to the public’s attention, the manufacturer quickly released a patch to the operating system that disabled the file.

Applications Spyware

This is code embedded within a program which can track and report a user’s activity. Typically, a file is generated within the application’s limited access areas; however, cookies can also be generated such that when the device is online, the recorded data – often in an encrypted form to hide its nature – can be accessed with ease. In theory, the EULA is supposed to disclose any use of data derived from use of an application; however, the legal wording is tedious to follow and it is almost universally ignored by the user installing the application. There are a number of spyware scrubbers available for retail sale that can clean up residual traces of activity and help ensure some modicum of privacy. But, as with any other software backup system, it is only good when it is regularly and routinely run.

The Business Challenge

Awareness and education are the critical components of fighting spyware. It is insufficient to simply install a software application and rest assured in the knowledge that the computer is protected. It is not. It would do absolutely nothing to prevent a spy from installing a wireless hardware keystroke logger into a keyboard and downloading a complete log of all of the keyboard activity on demand and by remote control. Passwords, account numbers, sensitive corporate data all would be compromised. Physical security, situational awareness and constant vigilance are a business’s best and only adequate defense.

Adequate Storage is Essential

April 4th, 2011 admin No comments

In an age of data explosion, adequate storage is essential. However, finding the right balance between reliability, cost, and performance is difficult. As technology continues to evolve, trends in storage media are moving from localized storage units to distributed arrays that better support disaster-recovery plans. Let’s take a look at how fibre channel SAN compares to tier one storage:

Fibre Channel SAN
With a fibre channel SAN, space and distance are no longer restrictions. By utilizing IP protocols, the various storage devices that make up the SAN, or storage area network, can now be distributed over long distances to take advantage of remote data centers and even facilitate disaster recovery efforts. Additional benefits include simplified storage administration, increased flexibility with minimal needs for recabling to shift storage resources from one bank of servers to another, and the ability to boot a faulty server from information stored on the SAN.

Tier One Storage
Based on the criticality of the data and the required uptime, computer centers rate their storage from tier one to tier four. While tier four is mission-critical information with the highest level of uptime and often requires redundant storage devices to protect the enterprise from hardware failures, tier one storage is much simpler. Most companies continue to expect that tier one data can be accessed the majority of the time, and operations won’t grind to a halt if they have to make do without it for a short period of time.

Fibre Channel SAN vs. Tier One Storage
When comparing these two types of storage methods, fibre channel SAN is generally more expensive, more reliable, and higher performing than tier one storage. However, that doesn’t mean it’s necessarily better. For each project, the organization’s needs and goals should be carefully evaluated before deciding whether to implement a new system using fibre channel SAN or tier one storage based on the following criteria:
• Is this a mission-critical task?
• What are the availability requirements?
• What is the cost of an unscheduled outage?
• What level of performance is required?
• Is there an effective and efficient work-around in the event of an outage?

The Current IT Reality
With the current state of the economy, IT budgets are tight and many companies are making do with what they have. For some shops, this situation creates a conflict of interest in that only mission-critical projects are being pursued, but there is little to no room in most budgets for new hardware. This can mean that systems requiring maximum uptime with a high level of risk in the event of data loss are being implemented on tier one storage units at this time. This can lead to higher maintenance costs, frustration for users and business partners, and even the loss of important information.

The Next Wave
We’ve all marveled at how far flash drives have come in a relatively short period of time. Not so long ago, we were amazed by the ability to store gigabytes of data on a thumb drive. Now, this technology has evolved into terabyte hard drives, and Apple has started including solid-state memory in many MacBooks. The next step for this reliable storage media is the banks of tier one storage devices. These new devices are expected to be faster, cheaper, and more reliable than even the best fibre channel SAN units.

Although fibre channel SAN storage provides a higher level of reliability and performance, it does so at a substantially higher cost. Depending on the system requirements, tier one storage can be just as effective while lowering the overall implementation costs. Of course, both of these technologies will ultimately be replaced with something newer, better, and cheaper.

Electronic Business Communications

April 4th, 2011 admin No comments

As IT best practices are rapidly transitioning from good ideas to legal requirements, companies are finding that retaining and archiving business-related communications is a necessity as opposed to a nice-to-have. To be clear, archiving is not the same as backing up your email server. A backup is typically only used to restore the system after a failure or to revert back to a previous state. An archive is semi-permanent storage of mission-critical documents and other emails that are required to be kept for regulatory compliance or other reasons. Let’s take a closer look at this growing concern:

Industry Regulations
Certain industries are required by law to maintain records of certain transactions for very specific time periods or face strict penalties. To complicate this matter, an individual business may face a different set of regulations on the local, state, federal, and even international level. Although these laws don’t generally refer to emails specifically, this medium is now recognized as the standard mechanism for trading both information and documents. Instead of the banks of file cabinets that were seen in a past era, companies with strict regulatory requirements should now be maintaining a bank of servers dedicated to not only storing business-critical emails, but also providing a fast and easy search and retrieval method.

Businesses that don’t comply with the rules when it comes to maintaining copies of legal documents and financial transactions run the risk of penalties imposed by organizations like the Securities and Exchange Commission, Sarbanes-Oxley, and a host of other government agencies. Not only can these agencies impose strict monetary penalties, they can also halt company operations in many cases.

Other Legal Issues
While the vast majority of businesses do not fall under the shadow of government regulation, every enterprise runs the risk of legal action as a general cost of doing business. These days, even the most impeccably managed company has virtually no chance of staying out of the courtroom forever. As mentioned previously, email has become the accepted standard for both corporate and personal communications. With this evolution, court-ordered discovery motions have begun asking for copies of emails more and more frequently.

If an organization can prove that it has a strict policy of always permanently deleting email messages under certain circumstances, like after a certain time period, it may be able to convince the court that the email messages simply cannot be reproduced. However, if there is even one exception to this rule, the company can be subject to sanctions and can even lose the case if it does not produce the requested evidence during the discovery period. Of course, an ethical company has nothing to lose by producing the requested emails, and the documents could earn a judgment in its favor. Without them, it could be a very different outcome.

Archival and Retrieval Issues
Although most companies realize that the archival and retrieval of business-critical email communications is necessary, many haven’t taken the necessary steps to implement an effective system. Some companies rely on individual users to maintain their own system of saving important emails. Historically, they have established size limitations on user-level mailboxes to force individuals to file critical messages and delete unimportant communications in a timely manner or face problems processing their incoming and outgoing messages. As document size has grown dramatically, this method is not nearly as effective as it once was as users spend an inordinate amount of time managing their mailboxes.

A more effective method involves an automatic archival system that transparently moves emails to the archive server after a certain amount of time. Although the information is no longer physically stored in the user’s primary mailbox, they continue to be able to access the emails in a timely manner through the retrieval process. The users no longer waste time managing their mailbox, the enterprise has a reliable archival method in place, and all legal requirements are covered.

The one drawback to this method is that many companies are seeing a dramatic growth in storage requirements. To combat this problem, newer methods to separate mission-critical business documents from meeting notices, day-to-day communications, and personal messages are needed. Instead of programming these complicated policies into the archival routine, dedicated mailboxes could be established to hold legal documents and other important communications.

To protect businesses from legal and regulatory repercussions, effective methods to both archive and retrieve business-critical emails must be implemented. By neglecting this important task, companies run the risk of sanctions, monetary penalties, and lost lawsuits.

Lockdown Your Desktops!

December 20th, 2010 admin No comments

Because companies today conduct more and more of their core business functions across the Internet, it’s rare that any employee doesn’t have full access to the web. While it’s easy to restrict access to certain sites that contain specific content, it can be hard to keep employees from visiting other places that not only waste valuable work hours but also eat up bandwidth and other computer resources. One of the most damaging results of this unregulated browsing is the installation and execution of unauthorized software on company-owned devices.

The Security Risk of Unauthorized Software
Although most users think that running a self-discovered piece of software is harmless, it can expose the company to viruses and hackers. Freeware may appear to offer valuable tools, but hackers often hide malicious code behind a useful program. It’s true that the user may receive some benefit, but it will be overshadowed by the spyware running behind the scenes that eats company resources and searches for confidential information. In this case, the best scenario could be that the original offender’s machine eventually grinds to a halt. The worst thing that could happen is that a hacker accesses the company’s internal files. Several public relations disasters have made the national news when companies allowed their entire customer database containing personal financial information to become compromised. Not only did this ruin the company’s reputation, it also cost a pretty penny in paying for credit protection for the affected individuals.

What Are Workers Downloading Anyway?
In some cases, employees are downloading tools that they feel they need to do their job. It’s often difficult for non-IT workers to know how to request new software tools, and decreasing budgets are making it harder to purchase new licenses even when the enterprise realizes new software is needed. Whether it’s out of ignorance or out of desperation, some workers feel that they have no choice but to look for free programs to meet their needs. In other cases, employees are using their spare time to continue activities they may enjoy during their off-hours. If they’ve been using peer-to-peer programs for messaging or finding free music at home without a problem, they may not see an issue with loading them on their work machine. The same goes for various browser plug-ins and video games. However, this wide-scale practice of installing unauthorized software comes at a steep price to the company. Even if security isn’t breached, these programs often conflict with company-authorized code, becoming a maintenance nightmare that only increases support costs. The bandwidth that is used for non-business purposes can even interfere with a customer’s ability to reach the corporate website and result in decreased levels of customer service.

The Need to Lockdown Desktops
Any security-conscious organization should make locking down user desktops to prevent the installation and execution of unauthorized software a high priority. Without using automated methods to prevent these actions, users can risk the health of legitimate applications. This can result in the diversion of valuable resources from revenue generating tasks and quickly impact the bottom line. As a result, customers could be lost and jobs could disappear.

Lockdown Methods
Depending on the needs of the business and the types of desktops in use, several methods can be used to lock down each machine. Here are a few of the recommended lockdown methods:
• Restricting User Rights
• Setting Software Restriction Policies
• Creating Certificate Rules, Hash Rules, and Path Rules
• Installing Scanning Software that Monitors Programs Installed on any Computer connected to the Network
While each method has pros and cons, security experts are hard at work developing new methods to help IT departments control the actions of their users to protect the core system and reduce costs.
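
How hash rules and path rules from the list above combine into an allow-or-block decision, as an added example that is not part of the original article. It is a simplified model, not Windows' own evaluation code: it assumes a hash rule outranks any path rule, the most specific path rule wins, everything else falls to a "disallowed" default, SHA-256 is the hash, and certificate rules are left out. All rule contents, paths and file bytes are constructed.

```python
import hashlib
from pathlib import PureWindowsPath

ALLOW, DENY = "unrestricted", "disallowed"

def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()

def covers(rule_dir: str, file_path: str) -> bool:
    """True when file_path lies inside rule_dir.

    Comparing path components (not string prefixes) keeps a rule for
    C:\\Program Files from also matching C:\\Program Files Extra.
    PureWindowsPath compares case-insensitively, as Windows paths do.
    """
    return PureWindowsPath(rule_dir) in PureWindowsPath(file_path).parents

def evaluate(file_path, content, hash_rules, path_rules, default=DENY):
    """Return (level, reason) for one program about to run."""
    # 1. Hash rules identify the file itself, wherever it is stored
    #    and whatever it has been renamed to.
    digest = sha256_hex(content)
    if digest in hash_rules:
        return hash_rules[digest], "hash rule"

    # 2. Path rules: the deepest matching folder decides.
    matching = [(len(PureWindowsPath(d).parts), d)
                for d in path_rules if covers(d, file_path)]
    if matching:
        _, best = max(matching)
        return path_rules[best], f"path rule {best}"

    # 3. Nothing matched: the default level applies (deny on a locked desktop).
    return default, "default level"

# Constructed sample rules and file contents.
APPROVED_TOOL = b"constructed bytes standing in for an approved installer"
KNOWN_BAD = b"constructed bytes standing in for a banned program"
HASH_RULES = {sha256_hex(APPROVED_TOOL): ALLOW, sha256_hex(KNOWN_BAD): DENY}
PATH_RULES = {
    r"C:\Program Files": ALLOW,
    r"C:\Windows": ALLOW,
    r"C:\Program Files\Games": DENY,
}

if __name__ == "__main__":
    samples = [
        (r"C:\Program Files\Office\word.exe", b"office"),
        (r"C:\Users\alice\Downloads\freeware.exe", b"freeware"),
        (r"C:\Users\alice\Downloads\tool.exe", APPROVED_TOOL),
        (r"C:\Program Files\Games\solitaire.exe", b"game"),
        (r"C:\Program Files\Office\renamed.exe", KNOWN_BAD),
    ]
    for path, content in samples:
        print(path, *evaluate(path, content, HASH_RULES, PATH_RULES))
```

A path rule is only as strong as the permissions on the folder it names, which is why the list pairs it with restricting user rights: a folder that users can write to should not carry an allow rule.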

Network Policy Decisions

November 30th, 2010 admin No comments

In order to protect company resources, every business, both large and small, must implement a network access policy to secure both confidential information and core computer systems. If this task is ignored, the net effect is to implement a network access policy that grants full permissions to anyone who connects to the system. As each organization defines their network access policy, decisions should be based on a variety of attributes that identify each user who is allowed to connect to the network including their role, the connection device, and their location.

Network Access Policy Defined
While most system professionals understand the need for network security, they may confuse the network access policy itself with network access policy tools. The policy is separate from any tool that is used to implement, enforce, or monitor the rules. In addition to identifying users, devices, and locations, the network access policy should also specify exactly which resources each user can access and at what level. For example, only a small number of employees should be allowed to access human resources or payroll information, and an even smaller number should be able to modify the data. Network access policies should also define the expiration timeframe for user passwords, whether or not users can unlock their own accounts, and rules for new password creation. The network access policy should include strict rules for on-site connections, but even stricter requirements for remote connections. A company policy on connections to outside resources, like the Internet and ftp transfers, could also be included in the network access policy, as well as the virus protection software that must be used by each device. Without defining the network access policy, evaluating and choosing a tool that fully meets the needs of the enterprise is a difficult task.
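
A policy of the kind described above written down as data, with a small evaluator that is separate from it, as an added example that is not part of the original article. The roles, resources, device checks and the extra remote-access conditions are constructed assumptions; the point shown is that read and modify rights are granted separately, remote connections face stricter checks, and anything the policy does not name is refused.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Request:
    role: str
    location: str          # "on-site" or "remote"
    device_managed: bool   # company-managed device?
    antivirus_ok: bool     # required virus protection present and current?
    resource: str
    action: str            # "read" or "modify"

# Constructed policy: resource -> action -> roles granted that action.
# Fewer roles may modify than may read.
POLICY = {
    "payroll": {
        "read": {"hr-staff", "payroll-admin"},
        "modify": {"payroll-admin"},
    },
    "intranet": {
        "read": {"employee", "hr-staff", "payroll-admin"},
        "modify": set(),
    },
}
# Assumption for this example: these resources are read-only over remote links.
SENSITIVE = {"payroll"}

def decide(req: Request, policy=POLICY):
    """Return (allowed, reason). Anything not explicitly granted is denied."""
    if req.action not in ("read", "modify"):
        return False, "unknown action"
    if req.location not in ("on-site", "remote"):
        return False, "unknown location"

    # Who: the role must be granted this action on this resource.
    granted = policy.get(req.resource, {}).get(req.action, set())
    if req.role not in granted:
        return False, "role not granted this action on this resource"

    # What with: every device must carry the required virus protection.
    if not req.antivirus_ok:
        return False, "device lacks required virus protection"

    # From where: remote connections face stricter requirements.
    if req.location == "remote":
        if not req.device_managed:
            return False, "remote access requires a managed device"
        if req.resource in SENSITIVE and req.action == "modify":
            return False, "sensitive data is read-only over remote connections"

    return True, "permitted"

if __name__ == "__main__":
    samples = [
        Request("payroll-admin", "on-site", True, True, "payroll", "modify"),
        Request("hr-staff", "on-site", True, True, "payroll", "modify"),
        Request("hr-staff", "remote", False, True, "payroll", "read"),
        Request("payroll-admin", "remote", True, True, "payroll", "modify"),
        Request("employee", "on-site", True, True, "wiki", "read"),
    ]
    for r in samples:
        print(r.role, r.location, r.resource, r.action, *decide(r))
```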

Improved Network Visibility
While a secure system that prevents unauthorized access is the goal, network access policies should never be so strict that they prevent the efficient use of the system. In some cases, IT shops have locked down their company’s electronic resources to the point that even the developers could not do their job effectively. By using network access tools, the IT group can expand their network visibility to improve security, easily comply with system security regulations, and enable both the system and users to work together in an efficient manner to achieve the ultimate goals of the individual business model.

Flexibility is Key
When evaluating new network access policy tools, the IT team must look for flexibility. If the new tool does not integrate with existing business processes, customized applications, and the current network infrastructure, the evaluation team should discard it as a potential solution and continue their search. Regardless of the included features or expected value, redesigning the entire enterprise to meet the needs of a new network access policy tool would be cost prohibitive. Even when a specific tool comes highly recommended by another organization, each IT department must decide if it fits their specific needs. Because no two IT shops are exactly the same, each one requires a unique solution to meet their security needs. Of course, the tools with the most built-in flexibility will be able to fit the widest range of system specifications.

Cost Reduction is Another Goal
In addition to a flexible product, the evaluation team should identify ways that a proposed network access policy tool can reduce company expenses. The tool should allow the IT security group to easily and quickly locate and authenticate both users and devices within the network. If security personnel find the new product to be clumsy and slower than their current method, the implementation team will face resistance to its use during installation and training. In addition to ease-of-use and security team buy-in, the network access policy tool that is ultimately chosen should also provide extensive information about each user’s identity and location to reduce the time dedicated to IT support and troubleshooting while minimizing the risk of security breaches to the enterprise.

Drawing the Line Between Business and Personal Computing

November 4th, 2010 admin 2 comments

As high-tech electronic devices become more and more pervasive throughout everyone’s personal life, IT workers are practically demanding that their employers provide the same technology in the workplace as they use in their personal life. Instead of being tied to their desks for a traditional workday, employees prefer to be able to take their work with them as they live their lives. While this can provide a benefit to the IT shop that requires 24X7 coverage, the unattached, alternative-platform worker also presents certain challenges and risks to a company that allows the consumerization of their IT department through the use of WiFi, Smart Phones, and other consumer-based technologies.

WiFi and Data Security
One of the biggest security threats with enabling a mobile workforce is insecure WiFi access. Although an IT shop can secure their on-site WiFi network, employees that use external networks are a whole different story. If an employee decides to work on their presentation over coffee before meeting with their next customer, anything could happen. All it takes is one breach on a machine that contains sensitive data to compromise the entire company. Although the ever-increasing availability of free WiFi offers an attractive option for companies that are trying to trim expenses in every way possible, it can be an expensive savings. While security measures can be put in place on mobile devices, an aircard might be a better way to go. As long as the device is within range of a mobile phone signal, the aircard is just as secure as any other dedicated broadband connection. As additional protection, companies should install utilities on mobile devices that perform scans for viruses and malware each time a connection is made to the corporate network.

Employee-Owned Devices
When employees would prefer to use their own devices on the corporate network, it can present a multitude of challenges. In fact, many companies specifically prohibit anyone from connecting to their network with personal devices due to the security risks. The following list details some of the risks and challenges involved with allowing employees to use their own equipment for work:
• Controlling Access – An employee’s spouse, children, friends, or even a virtual stranger may be given access to their personally-owned devices. Even the most innocent use could result in exposure of sensitive data.
• Virus Infection – As employees use the internet or install programs for their own use, they may infect their electronic devices with viruses or malware that can affect the corporate system.
• Supporting Multiple Platforms – If an employee insists on using an Apple-based laptop and an iPhone when the rest of the company uses PCs and BlackBerrys, support can become an issue. The company may incur additional costs if it must support alternative versions of software or provide tech support for hardware problems.

Supporting Diverse Programs
In most cases, employees will install a variety of applications for both personal and business use. From instant messaging (IM) programs to applications that remember personal information, the employee may believe that the new programs help them to do their job better and faster. All may be good until there is a problem. An IT support desk has enough problems when they are in complete control of the type of devices and programs that operate under their corporate umbrella. Consumerization of IT opens the floodgates for an anything-goes attitude. While productivity can be impacted if someone’s personal device is rendered unusable, the entire IT shop can experience an outage when an unsafe application compromises a critical system or database on the host. Rules, procedures, and systematic safety nets should be put into place to protect the corporate network, but what about the individual employee? There’s no simple solution to this problem. While it’s expensive to support a wide-open system, it’s not feasible to implement a use-at-your-own-risk rule for employee-installed programs.

Employee Productivity
In most cases, if a manager can see their employee, they can be assured that they are performing their job responsibilities to some degree. While most workers will appreciate the opportunity to work from home or catch up on a project while they’re waiting for their child’s game to start, some will take advantage of this new job benefit. By monitoring mobile usage through new programs, a company can get an idea of whether or not their employee is working or hanging out on social networking sites. As the programs are refined, it might be possible to tell if someone is actually attending a special training class or if they’re hanging out in the bar around the corner.

The consumerization of IT is an inevitable development. To maintain efficiency and security, corporate IT shops will be forced to change the way that they look at employee productivity, system support, and network security.

Information Technology Security

October 26th, 2010 admin No comments

While most companies have several security defenses in place to guard against threats, such as firewalls and antiviral software, a very important question is still left on the table: Exactly how effective are these measures? Although it is a deceptively simple question, every company must find their own answer to this essential question. Without this critical information, your organization could be left wide open to incoming threats because of unknown vulnerabilities. Let’s investigate a few ways to effectively evaluate your organization’s data security:

Penetration Tests
A penetration test, or pentest, is basically an attempt to hack into the system from outside the network. This simulated attack analyzes the system for any potential vulnerability points that could result from configuration problems, hardware or software defects, or poor operational procedures. A penetration test will typically look for vulnerable points not only from outside attackers, but also from the inside. If an employee can view unauthorized data, it can be just as dangerous as allowing a hacker to gain access. Penetration tests can be classified as either Black Box (the tester knows nothing about the system) or White Box (the tester has complete knowledge about the system infrastructure). Of course, some installations have used modified rules and referred to the result as Grey Box testing. Every system that connects to the internet or allows access from any other external source should use penetration testing on a regular basis.

Network Discovery Assessments
A network discovery assessment analyzes your network’s infrastructure to identify every device that is connected to your network and search for configuration weaknesses. By clearly identifying each machine within a continuous IP address range, the system engineers can detect any new or unexpected devices that are connected to the network. While an unknown machine usually occurs because an incorrect IP address was assigned or a cabling error was made, a network discovery assessment will also point out any truly unauthorized computer, such as a hacker’s machine, that is connecting to your company’s network.
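The comparison step of such an assessment can be sketched as follows. This is an added example, not code from the original post: it assumes the sweep of the address range has already produced (IP, MAC) pairs, and the inventory, addresses and host names are all constructed.

```python
import ipaddress

# Constructed inventory: MAC -> (hostname, assigned IP). All values are made up.
INVENTORY = {
    "00:11:22:aa:bb:01": ("file-server", "192.168.10.5"),
    "00:11:22:aa:bb:02": ("hr-desktop", "192.168.10.20"),
    "00:11:22:aa:bb:03": ("printer", "192.168.10.30"),
}

# Constructed discovery result: (IP, MAC) pairs as a sweep might report them.
DISCOVERED = [
    ("192.168.10.5", "00:11:22:AA:BB:01"),
    ("192.168.10.21", "00:11:22:aa:bb:02"),  # known machine, wrong address
    ("192.168.10.77", "de:ad:be:ef:00:99"),  # MAC not in the inventory
    ("10.0.0.9", "de:ad:be:ef:00:42"),       # outside the assessed range
]

def assess(discovered, inventory, cidr):
    """Classify each discovered device against the inventory for one IP range."""
    net = ipaddress.ip_network(cidr)
    findings = {"ok": [], "wrong_ip": [], "unknown": [], "not_seen": []}
    seen = set()
    for ip, mac in discovered:
        mac = mac.lower()
        if ipaddress.ip_address(ip) not in net:
            continue  # only the contiguous range under assessment is judged
        if mac not in inventory:
            findings["unknown"].append((ip, mac))  # candidate unauthorized device
            continue
        seen.add(mac)
        host, assigned = inventory[mac]
        if ip == assigned:
            findings["ok"].append((ip, host))
        else:
            findings["wrong_ip"].append((ip, host, assigned))  # likely misassignment
    # Inventory entries that never answered: powered off, moved, or miscabled.
    for mac, (host, _) in inventory.items():
        if mac not in seen:
            findings["not_seen"].append(host)
    return findings

if __name__ == "__main__":
    for kind, items in assess(DISCOVERED, INVENTORY, "192.168.10.0/24").items():
        print(kind, items)
```

A MAC address can be forged, so an "ok" result confirms only that nothing unexpected was observed; the "unknown" and "wrong_ip" lists are the ones that need follow-up.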

Network Sniffing
A network sniffer can be either a hardware device or a piece of software that intercepts and logs traffic passing over a network in order to capture information about each packet’s final destination. Some network sniffers have the ability to generate errors within the system to test for the ability to handle error conditions. Depending on the capabilities of the individual network sniffer, it can be configured in the following ways:
• Wired Broadcast LANs – A network sniffer can monitor traffic traveling across either the entire network or on specific parts of the network from one machine. To minimize a potential bottleneck, ARP spoofing or monitoring ports can be used.
• Wireless LANs – A network sniffer can monitor the traffic on one specific channel.
• Promiscuous Mode – If the network sniffer supports this feature, the network adapter can be set to promiscuous mode to allow the sniffer to monitor multicast traffic sent to a group of machines that the adapter is listening to.
• Monitor Mode – This is a step up from promiscuous mode. It allows the sniffer to process everything that it could in promiscuous mode plus packets for other service sets.
In terms of information security, network sniffers provide value by detecting network intruders, discovering network misuse by internal and external users, and isolating exploited systems. On the other side of the coin, hackers can use network sniffers to learn information to effect a network intrusion and to collect passwords or other sensitive information.

Checking Password Security
Because most users will choose a password that’s easy to remember, instead of one that’s hard to guess, password security is critical to overall information technology security. After all, once a hacker has a valid user id and password, much of the system is readily available. Passwords should be encrypted within the system, and rules should be put into place to reflect the potential security risk of an individual system. If the risk is low, it might be enough to require the user to create an eight-byte password with at least one character and one number that expires after 30 days. At the other end of the spectrum, the password should expire every week and require the user to use a mix of upper case, lower case, numeric, and special characters while restricting the use of any word found in a standard dictionary and consecutive keyboard characters.
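The two ends of that spectrum can be written as a policy check that runs when a password is set. This is an added example, not code from the original post: the tier names, the tiny word list, the minimum length for the high-risk tier and the choice of three adjacent keys as a "keyboard run" are assumptions.

```python
import re
from datetime import date, timedelta

# Constructed stand-ins; a real check would load a full word list.
DICTIONARY = {"password", "welcome", "dragon", "summer", "monkey"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
CLASS_PATTERNS = {"letter": r"[A-Za-z]", "upper": r"[A-Z]", "lower": r"[a-z]",
                  "digit": r"\d", "special": r"[^A-Za-z0-9]"}

# The two ends of the spectrum from the text. Tier names, the high tier's
# minimum length and the 3-key run length are assumptions.
POLICIES = {
    "low":  {"min_len": 8, "classes": ("letter", "digit"),
             "max_age_days": 30, "strict": False},
    "high": {"min_len": 8, "classes": ("upper", "lower", "digit", "special"),
             "max_age_days": 7, "strict": True},
}

def has_keyboard_run(pw, run=3):
    """True if pw contains `run` adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False

def check_password(pw, tier, last_changed, today):
    """Return the list of policy violations for one password; empty means compliant."""
    policy = POLICIES[tier]
    problems = []
    if len(pw) < policy["min_len"]:
        problems.append("too short")
    for cls in policy["classes"]:
        if not re.search(CLASS_PATTERNS[cls], pw):
            problems.append(f"missing {cls}")
    if policy["strict"]:
        if any(word in pw.lower() for word in DICTIONARY):
            problems.append("dictionary word")
        if has_keyboard_run(pw):
            problems.append("keyboard run")
    if today - last_changed > timedelta(days=policy["max_age_days"]):
        problems.append("expired")
    return problems

if __name__ == "__main__":
    today = date(2010, 10, 20)  # constructed dates
    print(check_password("summer2010", "low", date(2010, 10, 1), today))
    print(check_password("summer2010", "high", date(2010, 10, 1), today))
```

The same password passes the low-risk tier and fails the high-risk tier on four counts, which is the gap between the two rule sets described above.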

Checking Wireless Security
Wireless access is a growing trend in today’s business world, but it comes with huge risks for security vulnerabilities. As long as a hacker is within the zone of your company’s wireless signals, they can connect to your system and attempt to log in. If a wireless network adapter isn’t configured properly, it can leave the door wide open to attacks, and the hacker may be able to get in with a simple admin/password sign on. In addition to securing each known wireless access point, the network should be searched for unauthorized wireless ports that may have been left over from testing, set up by accident, or created with malicious intentions.

Virtualization for the Dynamic Enterprise

October 15th, 2010 admin No comments

What does Server Virtualization Mean?
Server virtualization is the use of technology to separate software, including the operating system, from the hardware. This means that you can run several environments on the same physical server. In some installations, this could mean that several identical operating systems are run on the same machine. Other shops could decide to run a Windows platform, a Linux system, and a UNIX environment on a single server.

Advantages of Server Virtualization
In today’s demanding business environment, server virtualization offers many different advantages. Not only does virtualization allow servers and data to be more mobile than ever, it also provides a cost-effective way to balance flat or shrinking budgets. The following list details the major benefits:
• Consolidation – Most large servers run applications that only take up a small percentage of their processing power. Even busy software packages usually only have small peak times that utilize over 50% of their CPU capabilities. The rest of the time, the capacity is unused. By virtualizing the server so that additional systems can take advantage of under-utilized resources, IT shops can increase their return-on-investment (ROI). Although some companies have reported a consolidation ratio as high as 12:1, most shops can easily show a 3:1 to 4:1 rate.
• Decreased Footprint – By decreasing the number of physical servers, the size of the computer room can be reduced and utility costs should decrease.
• Lower Hardware Costs – The utilization of a higher percentage of existing hardware resources will reduce the total number of physical servers that are needed. This will save money on the upfront expense of purchasing hardware and the long-term cost of maintenance.
• Flexibility – Server virtualization allows an IT shop to be much more flexible. Instead of waiting for new hardware to arrive before implementing a new system, a new virtual server can be created on an existing machine. This also provides a more flexible method for migration and disaster recovery.
• Easier Testing and Development – Historically, IT installations have used separate physical servers for their development, acceptance testing, and production environments. With virtualization, it is an easy process to create either different or identical operating environments on the same server. This allows developers to compare performance on several different environments without impacting the stability of the production system.

Virtualization and Disaster Recovery
The growth in both international business and large-scale natural disasters has many organizations closely analyzing their disaster recovery plans and general hardware malfunction procedures. In either event, it is critical to be back up and running in a very short period of time. Most modern IT shops require consistent up-time 24-hours a day to maintain their core operations, or their business will be severely impacted. Both reliability and accessibility are greatly improved when server virtualization is used to its fullest potential.

By reducing the total number of servers needed to duplicate the production environment, it is much less expensive to create and test an off-site disaster recovery environment. Hardware, space, and backup expenses are dramatically reduced. It’s easy to see how setting up 30 or 40 pieces of hardware would be both easier and cheaper than configuring 100 items.

Along the same lines, a hardware malfunction will be less of an issue with server virtualization. While many more systems will run on the same piece of hardware, most shops find that they can easily duplicate physical servers for automatic rollover in the event of a hardware failure when they virtualize.

Major Virtualization Products
While there are always smaller players in any new technology, VMware and Microsoft Virtual Server are the biggest providers of server virtualization products.
• VMware offers the free VMware Server package or the more robust VMware ESX and ESXi products. Systems that are virtualized by VMware products are extremely portable and can be installed on virtually any new piece of hardware with a low incidence of complications. The system can be suspended on one machine, moved to another one, and immediately resume operations at the suspension point when restarted.
• Microsoft Virtual Server is a virtualization product that works best with the Windows operating systems, but can also run other systems like the popular Linux OS.