Syrinx Technologies

Syrinx Technologies is turning TWO.

2009-08-17T11:38:00.003-04:00

Syrinx Technologies is turning TWO on August 31. To say thanks to everyone who made it possible Syrinx Technologies is drawing 3 names from all past and present clients. Syrinx Technologies will make a donation of $200 to the charity of choice by the first name selected, $100 to the second name and $50 to the third name.

The drawing will take place on 8/29 and winners will be notified on 8/31.

"Don't Be a Box Checker" article is released

2009-08-10T13:55:00.002-04:00

I felt compelled to write an article describing my views on the current state of compliance. Let me remind you that the views are solely mine and represent MY view of compliance in the area in which I live and work. I'm not trying to make any grand statements, just to express my opinion and frustration.

Check it out: http://www.syrinxtech.com/files/Don't_Be_a_Box_Checker.pdf

Your comments are always welcome.

New Podcast Episodes Now Available

2009-08-10T13:52:00.003-04:00

Since my last blog I have recorded several new podcast episodes and released them for your listening pleasure. The following new podcasts are available:

Randy Barnett - "The Hybrid IT Model"
Paula Gulak - "Taking Advantage of Social Media"
Randy Marchany - "Building a CSOC on the Cheap".

Next week will feature Cathie Brown discussing "What is ITIL?".

Check out the entire podcast schedule at: http://www.syrinxtech.com/podcasts/schedule.html

Exciting New Podcasts Are Announced

2009-07-02T08:25:00.003-04:00

Syrinx Technologies is excited about the upcoming podcasts that have been scheduled for release. Interesting and timely topics such as "SaaS", "Web 2.0", "Personal Branding" and "Virtualization and VDI" are on the newly updated schedule. For more information and specific dates refer to the official schedule at:

http://www.syrinxtech.com/podcasts/schedule.html

As always, Syrinx Technologies is always looking for interesting topics for upcoming episodes. If you have something interesting to say, get in touch with Syrinx Technologies at mailto:bryan@syrinxtech.com. The topic doesn't have to be IT-related as long as it discusses some business topic. For remote users we can record the podcast over Skype.

Old Dogs and New Tricks

2009-07-02T08:18:00.004-04:00

I come before you humbly to admit that I was possibly wrong on my stance of the use of Twitter for business. I say possibly because I haven't fully decided yet if it will be useful or not. But, I think the key point here is that I was able to overlook my obvious bias and give it a shot. I must admit I have always been a strong advocate for LinkedIn for hardcore business use. I've been using it for almost 2 years and can definitely see the many benefits.

On the other hand, I have never seen the benefits of some of the other social networking sites such as Twitter and Facebook for business use. I've heard that some businesses naturally lend themselves to such applications but I never believed mine was one of them. After nearly 2 years of fighting, I gave in and registered on Twitter. My account is @SyrinxTech and I already have some followers, most of them I don't know. How is that, I wonder. Perhaps that's the beauty of Twitter, but that will remain to be seen.

Time will tell whether or not this experiment will reap any benefits for either my followers or for my business. Actually, I already consider myself a winner since I was able to overcome a long-standing bias and will see for myself what all the excitement is about. Stay tuned.

Personal Branding and Social Networking

2009-06-18T08:29:00.002-04:00

Unless you've been living under a rock lately you're probably well aware of the whole "social networking" craze. Whether you're a fan of Facebook, LinkedIn or Twitter doesn't matter to me. Everyone has to make their own choices as to where, when and how much they spend their time on each of these diversions. For me the choice is clear, I'm a LinkedIn fan because of my business. I don't have friends or children in remote lands and I'm a little old for the dating scene. I use LinkedIn strictly for business to connect with my current and future clients.

In Richmond there have been several articles in the past couple of days regarding the whole phenomenon. As you might expect there are lots of people ready to line up on both sides. Decide for yourself...there is no right or wrong answer. If you're interested in reading the local chatter check out these two links:

http://www.richmondbizsense.com/2009/06/17/richmond-20-tweeting-for-business/

http://www.richmondbizsense.com/2009/06/18/hello-will-you-be-my-friend/

Syrinx Technologies also recently interviewed Paula Gulak on the topics of "Personal Branding" and "Taking Advantage of Social Media". The first episode is now available at:

http://www.syrinxtech.com/podcasts/rss.html

The second episode will be available sometime in the near future. Paula has over 25 years of experience and in both episodes she discusses her thoughts on the social networking issue.

Read about Voice over IP (VoIP) Security

2009-06-08T17:58:00.002-04:00

This week's Syrinx Technologies podcast involves a discussion on VoIP security. The guest is Sandro Gauci of EnableSecurity. Check out this episode at:

http://www.syrinxtech.com/podcasts/090609SYR.mp3

Look for the schedule of all available podcasts at:

http://www.syrinxtech.com/podcasts/schedule.html

New Podcast - Data Breach Notification Laws

2009-06-01T16:58:00.003-04:00

If you've heard of Data Breach Notification Laws and aren't sure about what they are or what they cover, check out the latest Syrinx Technologies podcast episode. Cathie Brown of IT Governance Solutions discusses the issues involved with the laws in Virginia and how they relate to national laws. You can check out all the podcast episodes at:

http://www.syrinxtech.com/podcasts/schedule.html

Visit the Syrinx Technologies website for more general security information.

http://www.syrinxtech.com

Get Your Head Out of Your Business

2009-05-28T10:13:00.002-04:00

Let me state right off the bat that I'm "old school" regarding many things yet try to remain open-minded and I do believe you can teach an old dog new tricks. I'm a student of the game (whatever the game is at the moment) and love to read, people watch, answer questions and generally like to observe my surroundings. I'm also a small business owner trying to make it in the world like everyone else.

I am fortunate to know a lot of other small business owners around town (mostly in IT). I feel compelled to write this blog entry to invite all business owners, small and large, to step back from the forest and make sure you still recognize the trees. Yes, as a cliche it's been said many times but I feel it's worth repeating. In my opinion, too many small business owners get so wrapped up in making money and worrying about bills and responsibilities that they forget to admire the view along the way.

Business owners need to stop occasionally and smell the roses. Remind yourself why you're in business for yourself instead of working for someone else. Sure, it's hard. If it was easy everyone would do it. Remember that running a successful business today requires you to wear many hats, and many of them don't really fit all that well. You have to be a marketer, web designer, blogger, social networking guru, accountant, tax expert and, oh by the way, you still have to take time to bill for your products and services.

My advice, take several hours out of one day a week and focus on something you've been ignoring. Usually, that's your web site. Nobody wants to visit your site and see an announcement for a hot webcast from last year. Take a little time and update things. If you don't have time or the necessary skill set, pay someone to do it. Sure, sometimes that is easier said than done, but consider bartering (check out my Business Bartering blog entry). Update the look of your business card and remember "branding". Try spending 30 minutes a week and write something in your blog (you do have one, don't you?).

Whatever you do, do something. Don't sit around and gripe and complain about business slowing down when all you do is sit and wait for the phone to ring or the fax to suddenly start spouting purchase orders. Step back and look at your business from your client's eyes. Take a real hard look and see what spring cleaning can be done to improve your overall image. You'll be glad you did.

The Case for Business Bartering

2009-05-28T09:57:00.003-04:00

Being a small business owner has always been tough, but it certainly seems tougher in today's economic climate. Most businesses seem to fail during the first year and most aren't considered "legitimate" by the banking industry until you have at least 2 years under your belt. When you consider all of the hats that the small business owner must wear (if only for a short time each day) it is no wonder some things always seem to fall through the proverbial cracks.

I often get asked about mundane tasks such as web site maintenance, daily bookkeeping, marketing, social networking chores and simple IT chores like backup, anti-virus recommendations, etc. If you happen to be a long-time hardcore geek like myself most of these things seem like second nature to you (except for the bookkeeping chores).

Occasionally a small business owner (often in some IT-related field) will ask me about making simple changes to their web site. My response is usually, "Oh, it's not too bad, just make a change to the HTML". This answer usually provokes the head-tilting most usually seen with young puppies when asked why they did something on the rug. I have to remind myself that not every business owner actually PREFERS to do their own web site, create their own marketing, spend hours creating press releases, handouts, etc.

How do we fix this problem? I'm advocating a call for "business bartering". Now, I'm not talking about giving away lots of hard work for free. Bartering is as old as business itself so I'm certainly not breaking any new ground here. There are lots of bartering associations around the country that have very formal rules for participation and I'm sure they work very well. However, I'm advocating a much more laid back approach. In my world, small business owners would trade "favors" and help each other out. If I needed a simple change to my web site I might get help from a web designer who might need help installing a tape drive and backup software.

This informal bartering system will only work when the following conditions are met:

Small business owners admit they need help with a specific issue.
These same small business owners are willing to help out other small business owners with tasks in which they have expertise.

Could it work, sure. If you have any interest in participating in such a bartering system in the Richmond area, drop me a line.

New Podcast Release

2009-05-26T13:22:00.003-04:00

The latest Syrinx Technologies podcast entitled "Basic Computer Security" is now available. This episode interviews Lisa Green with Green Technologies. Lisa discusses various common sense approaches to protecting your home PC and small business PC. Check out the entire podcast schedule at:

http://www.syrinxtech.com/podcasts/schedule.html

Look for the next podcast which will feature Cathie Brown discussing "Data Breach Notification Laws".

New Podcasts Are Available

2009-05-14T15:55:00.003-04:00

There are now a total of four podcasts available. Recent additions include:

Compliance vs. Security with Rick Popp of Argo Strategic Management
PCI Compliance in Retail Grocery Stores with Randy Barnett of Bruno's Supermarkets

Check out the schedule at http://www.syrinxtech.com/podcasts/schedule.html

Upcoming episodes will include the following:

Basic Computer Security
What is ITIL
Social Media
Personal Branding

A Cheetah named Gremlin

2009-05-06T09:38:00.002-04:00

This won't be your typical "techie" blog entry. It's about a friend of mine that I never met, half a world away. No, he's not a man or a woman. He is a cheetah named Gremlin. I adopted him through the Cheetah Conservation Fund. I picked him from all of the other cheetah's because he, like many African animals, had a hard life growing up. I sponsored him and received his picture. Unfortunately, I received an email saying that Gremlin was dead. Poachers, other cheetahs, lions, disease? No, the nice person who was darting him to perform a health check. Unfortunately the dart fractured his front leg and it eventually required him to be euthanized. How sad it is when the thing designed to prolong your life actually causes the end. Gremlin, you will be missed.

Episode Three is now available

2009-05-06T09:35:00.002-04:00

The third installment of the Syrinx Technologies podcast series is now available. The topic this week is "Compliance vs. Security" with Rick Popp, Principal of Argo Strategic Management. Rick has been in the industry for a long time and has unique perspectives on the issue. Does compliance with regulatory commandments such as HIPAA, SOX, PCI, etc. really imply security? What can be done to increase the standards? Should a company who is compliant be held liable for a data breach?

Check out the latest installment at http://www.syrinxtech.com/podcasts/rss.html

New podcasts are available

2009-05-04T09:01:00.003-04:00

Two new podcasts have been released. The second episode is entitled "Go Green!" and features Chuck Renfro from Thinking CAP Technologies. The third episode is entitled "SAS 70 Type II Audits" and features Mark Williams from NetTelcos. Rick Popp from Argo Systems Management will be the next featured interviewee.

You can listen or subscribe to the Syrinx Technologies podcast series in several ways. You can use your Outlook client or other RSS feed program by connecting to http://www.syrinxtech.com/podcasts/rss.xml. You can also subscribe via iTunes by searching for "Syrinx Technologies" in the podcast area. Finally, if you just want to listen to the podcasts you can point your web browser to http://www.syrinxtech.com/podcasts/rss.html. Also, check out http://www.syrinxtech.com/podcasts/schedule.html for a listing of current and upcoming podcast episodes.

The podcast series is officially underway

2009-04-17T09:51:00.005-04:00

Many thanks to Sandro Gauci for helping me kick off the Syrinx Technologies podcast series. Sandro is the CEO of EnableSecurity and the author of the SIPVicious tool. We recorded two podcast episodes today from Virginia and Malta. The first episode on web application security, including web application firewalls, will be posted on the Syrinx Technologies website on April 21, 2009. Many other local and regional companies and individuals will be interviewed in the coming weeks.

Check out the Syrinx Technologies web site for more information. On the main page you'll find an RSS button so you can subscribe to the RSS feed for future podcasts.

http://www.syrinxtech.com

Conficker?

2009-04-13T08:04:00.004-04:00

Well folks, it looks like we've collectively dodged another bullet. April 1st came and went and the Internet didn't melt down. Planes still took off and landed, Twitters were still tweeting and online gamers could still get to their Second Life avatars. Whew. What did we learn? Nothing?

Well, unfortunately some of you learned that you can be slack in your security posture and get away with it. Many of you are probably still vulnerable or actually infected and don't know it. Will this worm raise it's ugly head and strike sometime in the future? Only time will tell. How long will it be before the next generation worm begins to infect it's way into the world's networks? It's probably doing it as we speak.

L0phtCrack is back (yawn)

2009-03-18T07:44:00.003-04:00

Well, it appears after several years of hiatus that L0phtCrack is back with version 6. For those of you who don't know what L0phtCrack is or does, click "Back" on your browser now. Every hacker used it in the old days when it was known as "LCx". I started with LC3 which then became LC4 and then LC5. In 2000, the team responsible for L0phtCrack became a "legitimate" business under the name of @stake. In 2004 Symantec purchased the company and then in typical big company fashion immediately canned the whole project.

My gripe is that like many other people, the company I was working for at the time had purchased LC5. When Symantec purchased the program and let it die, they let down a lot of people using it. We all had to scramble and find something else to do the job. Well, since then many other tools have taken it's place such as Ophcrack using Rainbow Tables. Now the original developers have reacquired the rights to the program and have released it again. The boys from Boston need to remember that such tools are now a "real" business industry and you can't simply just stop selling and supporting a tool that people have paid real money for without notice.

Time will tell what kind of reception this new release will enjoy.

Stop Rewarding Failure!

2009-03-18T07:39:00.003-04:00

If I watch or read about one more financial company CEO crying that they have to pay their hotshot employees millions of dollars to keep them from jumping ship I'm going to throw up violently. When are they going to realize it's the hotshots that got them into the situation they're in currently? AIG is only the latest to do this with their publicly debated bonuses over the past weekend. It's one thing to pay people who consistently make money for your company, but I don't understand the logic of paying people who helped run your company into the ground and requiring hundreds of BILLIONS of dollars from myself and other taxpaying Americans.

Just the other day a local college sports coach was fired for having the worst record in recent school history. What did they do, well of course they paid him several million dollars. Will some body start writing employment contracts that give you money when you have a winning season, go to some form of championship, graduate the entire sports team or maybe not have any legal incidents with your players for the whole year?

Just a thought....I'm off to find a job where I can totally screw up and still expect millions to keep me from going somewhere else.

CISSP class offered through Richmond ISSA Chapter

2009-02-24T14:35:00.003-05:00

Spring 2009 CISSP Study Course this Spring in the Richmond Area

When: Tuesday Nights 5:30 - 8:30pm. Starting March 24th - June 16th
Where: Richmond Public Library (E Franklin St.)
Cost: $350 for members [Note: ISSA Membership required]
Sign up at our website: http://www.issa-centralva.org/training.html

It's a 13 Week course modeled on the very successful Northern Virginia CISSP Study Course. It will conclude with a CISSP exam scheduled in the Summer, exact date TBD.

Here are some quotes from past students:

*************************************************************************************
"The class was a great tool, in fact I know people that took a $5,000 week long boot camp (with test included at the end of the boot camp) and did not pass, so that tells you something."

-James Parks, Wellpoint

*************************************************************************************
"I passed!!! Thank you very much for the excellent slides, instruction, and advice on test strategy. Also I am thankful for the encouragement and support your course provided me, right up to the actual test day!

- Kelly Yamiguchi

*************************************************************************************
"The class helped me to focus on the specific areas I needed most. One specific area that was very beneficial was the thought process to use for reading the questions and how to relate the answers to the question. "

-Tim Bailey, Wellpoint

*************************************************************************************
"I had already decided that, at this stage of my life, I wasn’t going to face that exam again. Its nice to have it go my way. Read the material but spend most of your time taking practice exams, tracking the questions you miss, reviewing the suggested answers, and re-taking the practice exams at increasing levels of difficulty."

- Cameron Caffe, VDOT

Random information dump

2009-02-21T21:10:00.002-05:00

I'm publishing a couple of documents that I've created over the past couple of months. The first is what I like to call a "PCI Cheat Sheet". Since there remains a lot of confusion over exactly who, what, when, where and how regarding PCI, I created a "simple" spreadsheet detailing some of the most important data. Check it out here:

http://www.syrinxtech.com/files/PCI_Compliance_Cheat_Sheet.pdf

The second is a presentation I gave regarding web and database server best practices. I cover the basic OS, Apache, IIS, MS SQL, Oracle and MySQL. If you find it useful, great. If you have suggestions to make it better, I'd love to hear them. Check it out here:

http://www.syrinxtech.com/files/Web-Database_Server_Best_Practices.pdf

Enjoy.

Backtrack 4 Beta

2009-02-21T21:07:00.001-05:00

The long awaited beta of Backtrack 4 has been released. My peeps tell me it's running Ubuntu and is a major improvement, if that's possible. Check it out!

http://www.remote-exploit.org/backtrack_download.html

What's up with the Antivirus vendors?

2009-02-21T20:12:00.001-05:00

So, what have we had....4 large and very popular antivirus vendors get hit with various forms of insecurities in their websites. From what I've read, Kaspersky Labs, F-Secure, Bitdefender and Symantec have had recent issues. Some of these issues involved various forms of information disclosure. If we can't trust the guys we pay to protect us from viruses, worms, trojans, etc. to keep their own house in order, who can we trust?

We'll see if any of these data disclosures really mean anything, or will it just float down the stream into the bit bucket.

Memberships - How many is too many?

2009-02-10T11:57:00.000-05:00

I was recently on LinkedIn and saw a question posed by someone that read something like this. "Are organizations charging too much for memberships?" My response was, "Well, not too much if you're a small company like myself and only have one to pay". However, most companies are not small like me and it can easily costs thousands of dollars for all of the various memberships. Most organizations charge by the employee count, so you are charged whether any or all of your employees want to attend the functions. And, since we are bombarded by advertising everyday that we must be everywhere, most companies are members of at least 2-3 different professional, social and other work-related groups. When you combine these costs they can become a real issue for many companies.

I know for myself that when I first started my company I joined 4-5 organizations expecting to attend all of the meetings and other gatherings. I was going to conquer the social networking game and rake in the clients. A year later I have dropped all but 2 of those groups and just today joined the Retail Merchants Association (RMA). I found that I could easily spend 1/3 of my waking hours just responding to emails, webinars, attending weekly/monthly meetings and generally being a good member. However, when I stopped to really analyze that time I found that very little of it contributed directly to my bottom line.

I'm very optimistic about the RMA. I know there are a lot of companies that could use my services, and now it's my job to explain why and how. I look forward to that challenge and I'll let you know next year how many groups to which I still belong.

The Outlook for 2009

2009-01-30T07:30:00.001-05:00

Well, the historic campaign is over and it's time to get back to business. The commercial markets are crumbling, massive layoffs, plant closings, small business credit is almost impossible to get and the Cardinals are in the SuperBowl? These are surely the last days.

Let's hope that the new administration can truly bring about "CHANGE". What exactly that means and how it's going to look is unknown at this time, but certainly I think we can all agree that something has to happen. With talk of 3/4 of a trillion dollars being bantered about like it was $50, I know for myself that these are truly scary times.

When it comes to smaller concerns for me as a business owner, I fall back on the values that got me here and hopefully will sustain me during these hard times. Values such as faith, hope, honesty, integrity, and an honest concern for my clients and their well-being.

Good luck to all business owners, both small and large. The strong will survive.

Why is security so taboo?

2008-11-19T08:11:00.000-05:00

I've often wondered why it is that so many clients seem to feel ashamed when asking for help with IT-security projects. I've been on the client side of the desk for almost 10 years and on the consultant side for 10 years. What never ceases to amaze me is the number of clients that have no problem asking for help in Active Directory design, SAN optimization, getting their BGP connections to an ISP up and running but completely choke when asking for a penetration test or vulnerability analysis? Can somebody tell me the difference?

It's almost as if the clients somehow feel less "masculine" when asking for help on security-related topics. I can't count the number of times that clients make such a big deal about keeping the whole process hush-hush. You might think that a company that actively cares about security and takes a proactive approach would be applauded. Unfortunately, in this society it appears that approach indicates weakness. Is it somehow related to the male component of society that feels like they must be in charge, taking care of their woman and family without needing help? Is that why so many men drop dead of heart attacks?

I've always said the bad guys will always have the upper hand because they share things they learn. The good guys keep everything a secret, heaven forbid that somebody finds out they were compromised. The lessons they learned could be useful to another company but that information will never see the light of day. But on the other hand they have no issue paying out large sums of money to useless CXO's, asking the government for a bailout and generally exhibiting poor management skills.

Go figure.

Death of an Icon

2008-11-10T09:52:00.001-05:00

Like many people, I wasn't shocked by the recent announcements of Circuit City. Having worked there during the heydays of the early 90's I could see the writing on the wall a long time ago. I started there in July of '93 and worked there until January '97. I then worked at DiVX from January of '97 until April of '98. When I first got there I realized that this place was the coolest place to work in town. Capital One hadn't started sucking all of the good people away yet. I worked in IT and came to become part of a group of guys that are still around in Richmond IT, although scattered to the four winds.

Our group was extremely tight, closer than many families. Everyone knew that if you picked on one you had the whole group to fight. We even had the nickname of "LAN GODS". I told everyone during those years that they would have to pry the keyboard out of my cold, dead hands to get me to leave. That was of course, youthful ignorance talking as in later years corporate (and others) greed began to seep its way into things. Promises were broken, shady things began to happen and overall it became a lot less fun to work there.

When DiVX came along I jumped at the chance to try something new. I had helped from an IT perspective to start CarMax, Answer City and other failed opportunities like the home security, furniture and other ventures. I bought into DiVX hook, line and sinker. Again, it was a very cool job and I worked with many great people. The problem came when I found out that the major studios had gone back on their promises of releasing "DiVX-only" formats. As soon as I heard that I began looking for a job. Of course, I got the traditional "you're not a team player" speech. Six months after I left DiVX folded....you tell me.

I wish I could say it was surprising that CC has imploded in the last 10 years but it isn't. Even when I worked at CC I wouldn't shop there. When you went into a store it was so loud with rap music blaring from the car stereo section you could barely hear. You would look around for someone to help and find them all crowded around just talking to each other. Honestly, like a lot of people I would do my shopping online at Crutchfield and then go buy what I wanted from Best Buy. The only time I shopped at CC was in the early days when they used to let employees buy at cost. Once that went away I stopped shopping there altogether.

I feel bad for some of my old friends who have remained there for these past 10 years. I know lots of people who left and came back several times. Others went to more stable jobs at Capital One, the Federal Reserve and now VITA and Northrup Grumman. I have many opinions on why this happened but I think I'll keep them to myself.

RIP.

Ah, the good old days

2008-11-03T09:18:00.000-05:00

I saw in the Internet news that this weekend marked the 20th anniversary of the Morris worm. I guess most people reading that didn't have a clue as to what it meant or the significance of the event. It was, by most accounts, the beginning of the "security problem" on the Internet. I remember that day very well. I was a "newbie" network engineer at VCU in Richmond, VA. I remember things slowing down on the Internet and then stopping almost altogether. It wasn't until several days later that we found out that some goober had turned a "worm" loose. What the heck was that?

Well, 20 years later many things have changed and some things haven't. There are still many goobers turning worms loose on the Internet. Even the current Microsoft generation knows about them, unlike their predecessor 20 years ago. I feel honored that I was around back then and am still around today. I wonder what types of things will be turned loose on the Internet in another 20 years?

Why "lowest price" isn't always the best deal!

2008-10-19T10:11:00.000-04:00

When are Federal, state and local purchasing departments going to understand that sometimes it's not in their best interest to buy things from the cheapest vendor? Sure, if you're buying #2 yellow pencils, by all means, buy them from the cheapest vendor. That's what we call a commodity item, they're all the same so why not save 5 cents on each pencil when you can.

However, when you're dealing with technology, cheapest isn't always the best deal. Sure, you have to have some checks to make sure you're not paying $500 for toilet seat. If you're rushed to the hospital for emergency, life-saving surgery do you want the doctor who graduated first in his class or the guy who got his degree from the Internet because it was cheaper?

There has to be a better way for purchasing departments to pick the overall winner for technology bids other than simply picking the cheapest. Why not develop a point system where you get points for things such as: Years in business, documented processes and tools, certifications and credentials of those people doing the work, references and yes, price. That way you might not pick the cheapest vendor but you're ensuring that overall you're going to get the best deal possible.

Just my $0.02. Oh wait, maybe I should make that $0.01 before someone else cuts his rate to get the business.

We need more ISSA members!

2008-10-16T17:19:00.000-04:00

This message is going out to anyone who is remotely interested in computer and/or network security in the Richmond, VA vicinity. The local chapter of the ISSA meets on the first Wednesday of every month at LandAmerica in Innsbrook. We usually have coffee and snacks from 7:30-8am and the presentation goes from 8-9am. We try to have informative speakers without sales pitches.

Here is the URL for the local chapter:

http://www.issa-centralva.org/

We are currently holding a class for the upcoming CISSP test in January which is going to be held somewhere in Richmond. Having memberships such as this looks good on your resume and you get to network with a lot of people in the industry.

Hope to see you there.

PCI DSS Version 1.2 is released

2008-10-06T11:34:00.000-04:00

Well, the much anticipated DSS standard update to 1.2 was finally released as promised on October 1. Much of the changes is cosmetic and clarifies a lot of wording. Only a couple of changes actually change anything and most of them are related to wireless technologies. One of the ones that comes to mind is the removal of the requirement to not broadcast the wireless SSID. There are so many ways to get that information that it doesn't make a lot of difference either way. Not broadcasting the SSID would only protect you from the simplest of attackers with NO knowledge at all. Hardly the case in today's world.

A wet blanket?

2008-10-01T07:14:00.000-04:00

I read a great article in the Sept. 30th edition of the WSJ. Yes, I do occasionally, but not very often, read the WSJ. In the Technology section there was an article by Ben Worthen describing the security group in many organizations and they bad rap they receive. It seems that we security practitioners are sometimes perceived as a "...wet blanket, often swooping in at the last minute to put the kibosh on a project." How rude.

The article goes on to quote several industry folks and some pithy quotes. Bottom line, business people, if you don't want us to stomp all over your precious projects try involving us more than a week from the rollout date of your project. I know the drill, you have a fantastic new web site that's going to increase revenue by 1000% and you don't want the Security group mucking it up. So, you "conveniently" drag your feet showing the specs to the security guys until you think it's too late for them to complain. Imagine your surprise when they find enough security holes to make your project look like Swiss cheese. If you had instead brought them in during the design, coding and testing phases they could have pointed out these issues and they could have been resolved. After all, we all want the same thing.

Get out and Vote!!!

2008-10-01T07:08:00.000-04:00

Yes, it's true. For this election I'm actually going to register and vote in the presidential election. It's also true that this will be the first time I've ever registered to vote in over 40 years of living on this planet. Why? I feel strongly enough that I have to cast my vote so whatever happens I can say that I did everything I could to influence the election. Yes, now I'll be subject to getting called for jury duty. Yes, I'll be "on the grid" a little more for the MAN who's watching these things. BUT, I do feel so strongly this time that I can't sit by and watch others do my work. I used to be one of those people that thought my vote wouldn't make a difference, and I guess the Bush/Gore fiasco of several years ago proved that's true, but nonetheless I'm going to try. For my child's sake I have to try.

I challenge all my brethren in the various techie fields to register and vote. I don't care who you vote for, just get out and do it. If I can, you can.

A breakthrough for DNSSEC

2008-09-24T06:38:00.001-04:00

It appears the US government is making some strides to help in the adoption of DNSSEC. Hopefully you're familiar with the issues regarding DNS that have appeared lately, namely the "Kaminsky bug". According to a recent post, the ".gov" domain will institute DNSSEC by the end of next year. Read the article here:

http://www.networkworld.com/news/2008/092208-government-web-security.html

This is great news because somebody has to go first. Once this domain is converted other organizations will start following their lead. Also, as the article points out, once the government starts putting effort into the project vendors will start releasing products to make the transition easier for other organizations. The effort to convert the entire DNS infrastructure will be costly and time-consuming, so we need better and more automated tools to assist in the conversion.

In a related post it appears that Apple has finally released the bug fixes for the Kaminsky bug. A little slow, but hey, the new iPhones are cool and probably takes up a large part of their energy.

Oracle DBA's don't check logs?

2008-09-22T07:13:00.000-04:00

A recent article in Information Week indicated that not all Oracle DBA's routinely check their logs and other controls to ensure that unauthorized access to their data isn't occurring. Check out the article:

http://www.informationweek.com/news/security/app_security/showArticle.jhtml?articleID=210602800

As a pen tester for many years this isn't a shock at all, and it's certainly not limited to Oracle DBA's. I've worked on many dozens of tests involving different database systems and routinely find systems where the default account/password combinations haven't been changed. Or, the passwords are easily guessed or found in dictionary files. Another huge problem is incorrect permissions on database files that allow anyone with read access to the data. This allows anyone with any account on the system to at least view many databases to which they shouldn't have access.

What's the solution to this problem? The solution is the same for DBA's as it is for application developers, security awareness training. DBA's and application programmers need a basic course on security issues, with a focus on the current attack vectors used by the bad guys. Microsoft, love them or hate them, has spent a lot of money re-tooling their entire application development staff. DBA's need to know more than just how to create a database, optimize queries and ensure data availability. They need to know about patching, buffer overflows, SQL injection and the dangers of sloppy account management.

And don't get me started on reading those logs to detect unauthorized access attempts....

This Quote Sums It Up

2008-09-21T07:37:00.001-04:00

"If you spend more on coffee than on IT security, you will be hacked. What's more, you deserve to be hacked." - Former White House Cybersecurity Advisor Richard Clark

'Nuff said. If this is you...and you know who you are, you've been warned. Get help before it's too late. Start your journey at http://www.syrinxtech.com.

Why Compliant Isn't Necessarily Secure

2008-09-17T10:37:00.000-04:00

This is what I'm constantly preaching. Just passing a test doesn't by any means mean you're secure. Too many organizations stop at merely achieving compliance and think they're OK. The key is to remember what the compliance group is protecting....usually their interests, not the interest of your organization. Certainly you must comply with regulatory agencies but don't assume that means you're safe and secure.

http://www.theregister.co.uk/2008/04/15/pci_dss_compliance/

The Hannaford grocery chain found out when they were hacked after having passed their PCI compliance tests.

Find more information on PCI compliance at my website: http://www.syrinxtech.com

Cadillac Polo Match

2008-09-15T13:03:00.001-04:00

I just wanted to thank everyone who put on the Cadillac Polo Match over the weekend. It was a good time with lots of good food and drinks. The Virginia team won 11-9 in a good, hard fought match. They call it the "sport of kings". I don't know about all of that but it was a good time nonetheless.

If you missed it I have some pictures on my website under the "Events" tab.

http://www.syrinxtech.com

Watch out for FrontPage

2008-09-11T14:31:00.000-04:00

I know this isn't new to most system and web admins, but if you're using FrontPage and it's reachable from the Internet watch out. I'm working with a client who recently had some web defacements. Best advice, turn it off.

New Nmap is out

2008-09-10T07:14:00.000-04:00

For all of your security tool lovers out there, the new Nmap 4.75 is out.

Get your copy now at: http://www.nmap.org

While you're at it, check out my site at: http://www.syrinxtech.com

I've recently added a FAQ on virtualization security.

Go Hokies!

2008-09-07T09:48:00.000-04:00

My daughter and I made the pilgrimage to Blacksburg over the weekend. We enjoyed our first Va. Tech football game, watching the Hokies play Furhman and win 24-7. The weather was fantastic and our seats were incredible. Thanks Bob.

Walking around the campus took me back to my earlier college days when I went there to party with friends. It was quite moving to see the memorial to the students killed several years ago. The school did a good job on preserving the memory of the students. It was definitely weird walking past certain buildings and explaining to my daughter that so many people were killed right inside those doors.

On a lighter note, I can't wait to go back and catch another game. Go Hokies.

Security "silos"

2008-09-03T15:14:00.000-04:00

While watching a webinar on virtualization security I heard a term that made me say "aha"! It's the perfect term for what I've witnessed many times over my career in security auditing. The term was "security silo". I'm not even sure what they meant by the term but to me it describes perfectly the reason the "bad guys" will always have the advantage over the "good guys". What the hell am I trying to say? Well, there is a good reason why the folks who do bad things with computers are always going to have at least one advantage over the guys trying to protect us from them.

That reason is simple: Most IT organizations build their computing infrastructure into computing silos. There is a database silo, a network silo, a systems silo, a security silo, an applications silo and nowaways we're adding a VoIP silo and probably a storage/virtualization silo. What that means is security always comes into a project late or not at all. I have talked with many security folks and the answer is always the same when asked about policies and procedures. Sure, they get to make them, but rarely do they get to enforce them as written. Most upper management types abhor passwords of any kind. Here's a test, ask one of your security team members (you do have more than one person on the team, yes?) who the best networking or systems employee you have. They probably can't answer the question.

Why not? Because they don't interact with them. The security folks sit in their offices and read about buffer overflows, write useless policies and dream about going to DefCon. The systems folks believe that patching is somebody else's problem. The network guys don't talk to the systems people. The application developers don't ask for any help until they need to roll out an application that requires massive changes to access lists, directory services or security configurations. Nobody wants to deal with the nerdy geeks who control the firewalls. By that time management is already overrun with cost increases, delays in releasing the new application and pressure from customers.

Damn the security, full steam ahead.

Party!

2008-08-30T07:23:00.001-04:00

Well, it was a night of good food, good drinks and good company as Syrinx Technologies officially celebrated the one-year anniverary. Wine and champagne flowed as the business team enjoyed a great first year. The food was excellent and plans were discussed for making year #2 even better than the first.

We're turning One!

2008-08-29T07:58:00.000-04:00

I can't believe it's been a whole year. As any new business owner will tell you, it's been a year full of ups and downs. There were months when no business came in and you start to doubt yourself. Other months were overflowing with work and you wonder how you could ever do anything else. Overall, I wouldn't trade the last year for anything. I've learned so many things, met so many new people and it all makes me want to jump into year 2 with even more enthusiasm.

If you haven't seen what my company has to offer, check us out at:

http://www.syrinxtech.com

Scrub those old computers!

2008-08-29T07:54:00.000-04:00

Just another word of warning to companies and individuals who sell, give away or throw away old computers. Make sure you thoroughly scrub the hard drives please! Just yesterday I was helping a friend who purchased a laptop from a friend and didn't have the passwords necessary to login. After helping them determine the passwords we created a new user account and logged into the laptop. Behold my surprise when I saw the Cisco VPN client on the laptop with all of the configuration information necessary to connect to the old owner's corporate network!

I know everyone hears this all the time but corporate IT managers have to enact policies and procedures to ensure that old laptops are scrubbed before getting rid of them. Harder to control are personal computers used at home by employees outside of the control of IT. Just one unprotected laptop could cause major headaches for IT if it falls into the wrong hands.

Three Important Security Notices

2008-08-28T07:04:00.000-04:00

For all those of you using Ubuntu there is an important notice regarding a kernel bug. Check out the details at this link:

http://www.vnunet.com/vnunet/news/2224707/ubuntu-gets-major-security-fix

On another important security front, there is some good news on the DNSSEC adoption issue by the Federal government. Check out the details at:

http://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=67&rss=Y#sID200

Finally, there's a lot of buzz going around about the recently announced "issues" with BGP:

http://blog.wired.com/27bstroke6/2008/08/revealed-the-in.html

Keep those systems patched!

PCI Compliance

2008-08-27T18:12:00.000-04:00

If I may rant just a bit....for all of the organizations out there that don't know if you fall under the PCI guidelines, FIND OUT. Don't rely on your credit card processor to tell you. I talk with companies on a weekly basis who haven't yet heard of PCI and those that are told really crazy things by people they pay to process their credit cards. The rule is very simple, if you:

1) Process
2) Store
3) Transmit

cardholder data you fall under PCI. All of PCI. It's not an ala carte menu that you get to pick and choose from. If you are a level 1 or 2 merchant, you're already behind. Way behind. The rest of you better get moving. And yes, if you take cardholder data on your web site you were supposed to have an application layer firewall in front of every web server. And NO, that doesn't mean you simply slap a cheap ASA firewall in front and call that an application layer firewall. If you don't know the difference, ask someone.

Post-mortem on the Big Idea

2008-08-26T23:40:00.001-04:00

Well, my 5 minutes of fame is over. I made it on the Big Idea and I got a little taste of the TV business. I learned that I should probably focus on the small to medium client and stop chasing the big guy. I also learned that some people are impressed by persistence and other people would find it distasteful.

How do you ask your friends for business referrals without making yourself a nuisance? The last thing I want is my friends to run when I come around because they fear I'm going to constantly hit them up for business. On the other hand, if you can't get help from a friend, who can you ask?

Thoughts are welcome.

Whew, that was something!

2008-08-26T16:40:00.000-04:00

The taping for the Big Idea show was brutal! I was on hold for almost an hour waiting my turn to get to talk to DonnyD. The producers kept cutting in and reminding me to "pump up the volume". They wanted high energy and weren't afraid to ask for it. I must have been reminded about 25 times this morning. Also, the other edict was "no reading". So, you sit there, mouth getting dryer by the minute, waiting for your turn to ask your question.

It was a great experience and it taught me one lesson. I don't think I could do DonnyD's job! Having to come up with a fresh idea every night, interview all those people...some of which really, really need help. DonnyD is so energetic it almost makes you want to strangle him. I wish I had his energy!

Well, it's supposed to air tonight so we'll see how it plays on the big screen.

The Big Idea

2008-08-26T07:29:00.001-04:00

Well, my taping for the Big Idea show is today. They are supposed to call between 11am and 12:30pm. I have my script but I'm not supposed to read it. With any luck the show will air tonight and I'll be able to get an answer to my question. DonnyD is the man.

Last nights show mentioned a new web site that sounded interesting.....I'm going to check it out:

http://www.ypo.org

Real Courage

2008-08-26T07:25:00.000-04:00

Last night while waiting for WWE wrestling to come on I started watching a 2-hour show on the Discovery Channel about the Twin Towers. It showed what happened to specific groups of people in the towers and how some people selflessly gave their lives to save others. Real courage.

The show also mentioned that they are building a national memorial at the site in PA where the passengers brought down the plane before the terrorists had a chance to crash it into something. If you want to contribute the link is http://honorflight93.org.

Web 2.0 for me?

2008-08-25T10:42:00.000-04:00

I have to ask anyone out there reading my blogs for your opinion. I keep reading that in order to do business today you have to spend time on the social networking sites. I've been a long-time user on LinkedIn but haven't tried the others such as Twitter, Facebook, MySpace, etc. Do you really need to spend time there in order to grow a techie-based business? Does anybody over the age of 30 actually read that stuff? Just curious. Would reading something there make you want to visit their website or buy something from them?

My Company is turning one!

2008-08-25T06:51:00.001-04:00

I'm pretty excited about the upcoming 1-year anniversary of my company. I guess I've beaten the statistics and made it through one year. It's been a cool ride and I highly recommend it to anyone tired of working for someone else. Don't get me wrong, it's been challenging and not always stable. But like they say, a bad day owning your own company beats a great day working for someone else! Check out my web site at http://www.syrinxtech.com.

I'm supposed to be taping tomorrow for the Big Idea show. They wanted to make sure I bring a lot of passion to the call to keep the viewers interested. I don't think that's going to be a problem for me.

No More Olympics?

2008-08-23T05:27:00.000-04:00

Well, it looks like I'm really going to be on the Big Idea show on Tuesday. I had another call from the producers who encouraged me to bring the passion. Not a problem, I told her.

Two things have really gotten under my skin lately....companies that list email addresses but never answer them and companies that pretend they are too important to work with small companies. Every company started out small and regardless of how big and important you become you need to remember where you started.

Enough of that...let's be positive. I'm sad the Olympics are almost over. Now that my cable is finally working again I can actually see most of the last 2 days.

The Big Idea show on CNBC

2008-08-22T13:24:00.000-04:00

Looks like I'm going to be on the Big Idea on Tuesday, August 26! I tape on Tuesday morning and supposedly it's going to air that night. Very cool. I get to ask my question to Donny and have his guests help me out.

My first blog entry!

2008-08-22T09:04:00.001-04:00

Wow....43 years old and I've finally made it! I started in IT before there was an Internet and I'm blogging....who would have guessed? I guess I need to start getting my thoughts out onto this electronic canvas..