1. EDITORS CORNER
   • MS Tracks Media Player User Habits
2. TECH BRIEFING
   • Even Better Tech Support From Sunbelt
   • More About The Cisco Security Audit Tool
3. NT/2000 RELATED NEWS
   • New Microsoft Security Freeware Scans For Windows Holes
4. NT/2000 THIRD PARTY NEWS
   • The Human Factor in Security Management
5. W2Knews 'FAVE' LINKS
   • This Week's Links We Like. Tips, Hints And Fun Stuff
6. PRODUCT OF THE WEEK
   • Configuring ISA Server 2000

MS Tracks Media Player User Habits

This is just a heads-up. The latest version of MS's Media Player creates a list of the digital songs and movies that you have played. This can have some interesting consequences to say the least. The first thing I personally would do is find out where the heck that list sits and blow it away. It's nobody's business what I do in my free time in my own house. Whether that is visiting websites of competitors, do health research, or roam freely over the web.

The first person that emails me the way to empty this log without breaking Media Player will get an honorable mention in the coming issue.

Files like this, uncontrolled by any specific company that is responsible for their use, are goldmine for marketing companies, lawyers, even snooping spouses. And what if that WinXP machine gets cracked, a backdoor gets installed, and that trojan reports in real time what you are doing on the web? Yikes!

Associated Press reported that MS is now telling people Media Player does this, pretty much after the fact. Oh, and this latest version of MP comes free with WinXP: 73 million users this year alone. MS claims it has no plans to sell the data they collected. Yeah, right. They SHOULD have disclosed this up front.

Microsoft's original privacy statement informed customers that they were downloading the information about CDs but never stated the information was being stored in a log file on each computer.

Read the entire Associated Press article on Yahoo:
http://www.w2knews.com/rd/rd.cfm?id=020225ED-MediaPlayer

XBOX Winner: Alphonse Lemieux, Québec, Canada!
To win your own, go here and fill out this form:
http://www.W2Knews.com/lookup.cfm

Even Better Tech Support From Sunbelt

In the recent "download" SunPoll we did, it turned out that a large majority of you downloaded products that seem interesting and potential time savers, but had trouble finding the time to actually install them. We looked at that, and tried to find a way to help you. It is usually a matter of getting to an install and finishing it quickly. For some products that is easy. For others it can take a bit more work.

We found a solution in two tools that will help you get things moving faster. First, we are investing in an application that allows us to show you over the web how to do things. It allows us to share a desktop on our end, and show you the application in real-time, plus solve any problems that way. Second, for a few of the higher-end tools, we have installed a small add-on that will warn our tech guys that you started your install. That way they will be able to jump in faster with support.

With these new tools we hope to save you time in getting your system management tools set up faster, and start using these utilities to make your life easier. We're always trying to improve on the "mainframe-quality" tech support that we offer. And if you have suggestions, please let us know.

More About The Cisco Security Audit Tool

Karl Levinson sent me this: Essentially it goes through your router's config file looking for certain lines as recommended by the [NSA?] router config guide. The http://www.cisecurity.org web site has some data, and you can hear the 1-hour audio of the webcast that went with the slide show at http://www.sans.org.

New Microsoft Security Freeware Scans For Windows Holes

MS announced a freeware vulnerability-scanner this week at the RSA Conference 2002. This freebie is called Microsoft Baseline Security Advisor (MBSA). It's not available yet. ComputerWorld announced it in an article but they simply got it wrong, and also pointed people to the wrong link. They must have misunderstood the existing HotFixNet-Check for the new MBSA.

When I looked over the features, it looks like this is a very low-end, pretty much end-user oriented tool. It does help though to get more user security awareness though. MBSA checks for good password policy, and warns users for any insecure settings.

But compared to commercial scanners, MBSA falls way behind. It does not look at networks from the viewpoint of a cracker and scans for all possible holes. Instead, this mini-scanner looks for problems that are on the Microsoft security checklists.

How it works is that MBSA grabs the MS XML file (about 700K) from the MS-website. MS maintains this database for free, and security tools can grab this file and run scans. MBSA does just that. The advantage is that the holes in MS-stuff are maintained close to real-time. The drawback is the fact that there are MANY more holes in networks than just MS-created products. MBSA could create a false sense of security.

It also does not apply any hotfixes, but just reports if they are installed or not. Up to now MS has co-developed these tools with Shavlik Technologies. MS is of course being pressured to have the whole bugfix process fully automated, and invisible for the end user. This may be a good solution for an end-user with DSL or cable, but an enterprise domain being auto-fixed by MS is a recipe for disaster!

The MBSA is a first step in this direction, said Lara Soskonsky, a Microsoft security program manager. She was demonstrating it at the RSA conference. "We don't push out the patches, but we may add that feature as an option in Version 2.0. In future versions, we'll also add more applications, such as Internet Information Server 4.0, 5.0, SQL 7, Internet Explorer 5.0 and up, Office 97 and Office 2000, among others, and we'll add .Net [support] to Version 2.0."

MBSA really is a stripped-down version of Shavlik's own HFNetChk Pro AdminSuite 3.6, which can push out software patches and remotely install them in a scheduled fashion. It can check for weak passwords and weak administrative accounts. The latest version 3.6 of this tool became available this week.
http://www.w2knews.com/rd/rd.cfm?id=020225RN-AdminSuite

The Human Factor in Security Management

This is an article about the first and only software that puts you in control of security policy creation, distribution, education and tracking for compliance.

Security studies show that humans are consistently the weakest link in any security program. Your company can spend hundreds of thousands of dollars on firewalls, virus scanners and Network intrusion detection, but if users don't understand and comply with your security policies your data is at risk. A recent Information Week survey showed that only 9% of corporate employees understand their security policies, and that 75% of companies do not keep their policies up to date.

Are your security policies up to date with the latest risks and recent industry regulations? Can you be sure that every one of your employees, contractors and business partners has read and actually understands your security policy? If you have to update your Email policy, how long would it take you to verify that everyone has read it?

The VigilEnt Policy Center (VPC) from PentaSafe Security Technologies is the only security tool that addresses both the technical and human side of information security policies. This new web-based tool follows a life-cycle approach to policy management and automates each step in the process. VPC comes with industry leading practices from Charles Cresson Wood, and is expandable to include custom industry content for HIPAA or GLBA. VPC also provided incident reporting and tracking through a central database, making it an ideal tool for tracking compliance against security standards such as ISO 1-7799.

VPC addresses the 5 major Policy Management challenges you face today:

1. Creating and updating Policy,
2. Distributing Policy,
3. Users reading current Policy,
4. User awareness and retention of Policy information and
5. Tracking status and awareness level.

1. Creating and Updating Policy:
   VPC is an automated policy tool that provides leading practice security content from Charles Cresson Wood. Wizards and templates in a browser (HTML) interface allow users to easily create policies or import their own. Built-in workflow and tracking allow policy authors to track each document through review, approval/publish and archive stages.
2. Distributing Policy:
   VPC enables the quick and easy publishing of policies to an intranet that users can access via their web browser. Policy distribution is based on the user's role in the organization so that each employee receives only the relevant policies for their job function. Companies can easily integrate VPC to use existing users and groups from directories such as Active Directory, NT, Exchange, Lotus Notes, iPlanet, etc. so that users do not have to learn a new ID and password.
3. Users reading current Policy:
   VPC enables users to login to a secure web site where they can see new policies/quizzes and read them with a click of the mouse. They can accept/reject the policies and their response is kept in a tamper-evident log file. The VPC user site supports multiple languages and can be customized easily to the style of a corporate intranet. A simple web form allows users to submit policy violations to a central database for tracking and response.
4. User awareness and retention of Policy information:
   VPC enables the quick and easy creation of policy quizzes in multiple-choice format that assess a user's knowledge of the recently published policy. Both administrators and users are given quick feedback via quiz scores. VPC comes with a library of sample quizzes and a web-based editor for easy customization. Companies can integrate existing CBT modules into VPC and distribute them via hyperlinks on the user site.
5. Tracking status and awareness level:
   VPC provides out of the box compliance/tracking reports that enable an administrator to see who has read the policies or taken the quizzes and, more importantly, see who has not. Reports can be run at an organization level, or down to individual users and groups. Compliance and exception reports can be exported to Excel, HTML files or printed in management reports.

Adding to the people issues are the technical challenges of policy management. A common problem is ensuring that your technology is actually enforcing what your policies specify. For example, are our NT, AS/400 and Unix machines all enforcing our password policy? By integrating with the VigilEnt Security Manager and Pentasafe auditing agents, security policies and standards can automatically be translated into instructions for auditing the compliance of your machines.

Summary reports give you graphs of policy compliance across hundreds or thousands of different servers. By combining VPC and the other integrated Pentasafe tools, the security officer gets a first-time snapshot of both technical and machine compliance in one solution.

The function and role of information security has changed dramatically in the past year alone as the challenge of creating and implementing proper security policies becomes more complex. VPC has returned the definition of policy to its rightful place and provided a tool that recognizes the unique requirements of an ongoing, policy-based security management program. If you have an upcoming audit, or are trying to establish compliance with a security management program such as ISO 1-7799, VPC is indispensable.

This Week's Links We Like. Tips, Hints And Fun Stuff

Configuring ISA Server 2000