Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Thu, Mar 28, 2002 (Vol. 7, #25 - Issue #356)
Chief Security Officer Pay
  This issue of W2Knews™ contains:
  1. EDITORS CORNER
    • Phone Cracking Redux
  2. TECH BRIEFING
    • All about Wi-Fi, an 8-minute Primer
    • How Much Does A Chief Security Officer Make?
  3. NT/2000 RELATED NEWS
    • Promo Offer From MS Exchange Group
    • NTswitch Makes Server Out Of Windows 2000 Workstation
  4. NT/2000 THIRD PARTY NEWS
    • New: Assure Superior Security & Better User Password Service
    • Intel Uses Benchmark Studio To Show Xeon Performance
  5. W2Knews 'FAVE' LINKS
    • This Week's Links We Like. Tips, Hints And Fun Stuff
  6. PRODUCT OF THE WEEK
    • Hack Proofing Your Network (2nd Edition)
  SPONSOR: NEW SECURITY TOOLSET: ELM LOG MANAGER(tm) 3.0
ELM Log Manager(tm) 3.0 gives Security Administrators the power to see event entries with unrivaled clarity. With or without installed Agents, ELM efficiently monitors and collects events with separate, easy to use, Monitor Items. Personal Views and scheduled Reports provide valuable event summaries. And a unique Alerts feature, one of the 14 Notification Methods, provides a single glance view of the most critical events allowing prompt action. Download ELM and see "How the First-to-Know Stay Ahead"(tm)
Visit NEW SECURITY TOOLSET: ELM LOG MANAGER(tm) 3.0 for more information.
  EDITORS CORNER

Phone Cracking Redux

A lot of people have been sending me email about this. It really has been going on for years, and from that perspective it is "old news". But for many it was not something they paid much attention to, as it is "low tech" and does not seem to threaten the IT infrastructure directly. But make no mistake: it often is the first point of entry, and the attack continues from there. And with the current convergence between telephony and IT, it often is you and me as IT people who are now also managing the new telephone systems. So for some of us this is new.

All telephone systems (even the very modern ones) can be hacked by social engineering or by weak passwords on the voice mail boxes. Many systems have way too many features turned on, especially call forwarding to a cell phone. Systems like that can easily be hijacked.

The large phone companies are monitoring for irregular calling patterns and some even have fraud detecting software running to prevent these kinds of ripoff calls. AT&T has had systems like this in operation for years, and has free training seminars for employees to help prevent telecom fraud. I'm sure the other carriers have similar programs.

Every business phone system (PBX) has holes in it, if you know where to look. The biggest hole is the users! It is very, very similar to IT servers and networks. You need to upgrade frequently and patch the holes.

A British company at http://www.solitaire.co.uk has 80,000 PBX installations worldwide and developed HackerTracker software specifically for this. It lets you set up 20 alarms, each with 7 fraud detection criteria, alerting you instantly to any attempt to hack the PBX.
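The kind of pattern monitoring the two paragraphs above describe, as an added example: this is not HackerTracker, not a carrier's fraud system, and not code from this newsletter. It reads constructed PBX call records and raises alarms on five hypothetical fraud criteria: international calls placed after hours, international call volume per extension, premium-rate destinations, repeated failed voicemail PIN entries, and call forwarding set to an outside number. The record format, the business hours, the thresholds and the phone numbers are all assumptions, and the numbers are fictional.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed PBX call detail records (CDR), one per line:
#   timestamp, extension, event, target, seconds
# Events: CALL = outbound call placed, VMFAIL = failed voicemail PIN entry,
#         FWD = call forwarding target set. All numbers are fictional.
SAMPLE_CDR = """\
2002-03-27 09:12:01,ext101,CALL,+15105550100,240
2002-03-27 10:05:44,ext101,CALL,+442079460123,600
2002-03-27 23:41:10,ext204,CALL,+442079460123,3600
2002-03-27 23:42:30,ext204,CALL,+442079460124,2900
2002-03-27 23:45:00,ext204,CALL,+442079460125,3100
2002-03-27 23:50:12,ext204,CALL,+442079460126,1500
2002-03-28 01:03:15,ext330,VMFAIL,mailbox330,0
2002-03-28 01:03:29,ext330,VMFAIL,mailbox330,0
2002-03-28 01:03:41,ext330,VMFAIL,mailbox330,0
2002-03-28 01:03:55,ext330,VMFAIL,mailbox330,0
2002-03-28 01:05:02,ext330,FWD,+19005550199,0
"""

# Hypothetical alarm criteria; an administrator would tune these for their own site.
BUSINESS_HOURS = range(7, 19)        # 07:00-18:59 local time, Monday to Friday
HOME_COUNTRY_PREFIX = "+1"           # anything else in E.164 form counts as international
PREMIUM_PREFIXES = ("+1900",)        # premium-rate destinations (assumed prefix)
MAX_VM_FAILURES = 3                  # failed PIN entries per mailbox before alarming
MAX_INTL_PER_EXT_PER_DAY = 3         # international calls per extension per day


@dataclass
class Record:
    when: datetime
    ext: str
    event: str
    target: str
    seconds: int


def parse_cdr(text: str) -> list:
    """Parse the constructed CDR format above into Record objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ext, event, target, secs = line.split(",")
        records.append(Record(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                              ext, event, target, int(secs)))
    return records


def is_external(number: str) -> bool:
    return number.startswith("+")


def is_international(number: str) -> bool:
    return is_external(number) and not number.startswith(HOME_COUNTRY_PREFIX)


def is_premium(number: str) -> bool:
    return any(number.startswith(p) for p in PREMIUM_PREFIXES)


def is_after_hours(when: datetime) -> bool:
    return when.weekday() >= 5 or when.hour not in BUSINESS_HOURS


def evaluate(records: list) -> list:
    """Return (criterion, extension, detail) tuples, one per alarm raised."""
    alarms = []
    vm_failures = defaultdict(int)        # mailbox -> failed PIN entries so far
    intl_calls = defaultdict(int)         # (extension, date) -> international calls so far
    for r in records:
        if r.event == "CALL":
            if is_premium(r.target):
                alarms.append(("premium_rate", r.ext, r.target))
            if is_international(r.target):
                if is_after_hours(r.when):
                    alarms.append(("after_hours_international", r.ext, r.target))
                key = (r.ext, r.when.date())
                intl_calls[key] += 1
                if intl_calls[key] == MAX_INTL_PER_EXT_PER_DAY + 1:   # fire once per day
                    alarms.append(("international_volume", r.ext, str(r.when.date())))
        elif r.event == "VMFAIL":
            vm_failures[r.target] += 1
            if vm_failures[r.target] == MAX_VM_FAILURES + 1:           # fire once per mailbox
                alarms.append(("voicemail_pin_guessing", r.ext, r.target))
        elif r.event == "FWD":
            if is_premium(r.target):
                alarms.append(("premium_rate", r.ext, r.target))
            if is_external(r.target):
                alarms.append(("external_forward_set", r.ext, r.target))
    return alarms


def alarm_summary(alarms: list) -> dict:
    """Count alarms per criterion: the single-glance view an operator wants."""
    return dict(Counter(kind for kind, _, _ in alarms))


if __name__ == "__main__":
    for alarm in evaluate(parse_cdr(SAMPLE_CDR)):
        print(*alarm)
```

Run against the sample, ext101's daytime call to the UK raises nothing, while ext204's run of late-night international calls trips both the after-hours and the volume criteria, and the four bad PIN entries followed by a forward to a premium-rate number on ext330 produce the voicemail, forwarding and premium alarms. Each counter fires only once so an operator sees one alarm per incident rather than one per record.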

Another outfit in Sweden at http://www.envox.com has a PBX development platform that allows you to build a phone system you have complete control of. They also give their customers a free product called SoftPBX. With that software, PBX cracks are much harder to achieve, if possible at all.

To end off this series of three on phone cracking, one last piece of advice. Security awareness and training extends to all parts of the company, not just the IT networks. But they do dovetail together, so leaving a hole in one area immediately weakens the others. Staff need to be trained on all these aspects.

PS: You can't afford to keep managing password service and security manually: it's too risky, it's too costly, it's simply too inefficient. Here is a product that will allow you to automate staff training for all security aspects:
http://www.w2knews.com/rd/rd.cfm?id=020328ED-PentaSafe

Warm regards,
Stu Sjouwerman (email me with feedback: [email protected])

  SPONSOR: SCAN AND PATCH
SCAN AND PATCH SECURITY HOLES WITH UPDATEEXPERT
Do you have a reliable tool to secure your network with the latest updates? UpdateEXPERT is a software patch vulnerability assessment tool that scans your network for missing hotfixes, and FIXES discovered weaknesses for increased network protection. Supporting Windows NT/2000/XP, SQL Server, IE and other mission critical applications, UpdateEXPERT helps enforce software security policies, enables you to scan for patches, validates your installations for peace of mind, and installs updates to all networked machines without an agent.
Visit SCAN AND PATCH for more information.
  TECH BRIEFING

All about Wi-Fi, an 8-minute Primer

Want to get up to speed quickly on 802.11b wireless, a.k.a. Wi-Fi? Network World Fusion has a special selection showcasing what it is, giving you tips on setting up a Wi-Fi network and protecting it, and taking a look at how one medical center is using it. Plus, listen to a cute little Wireless LANs audio primer to get up to speed quickly on the various wireless technologies, then use the Wireless-LANs research page for even more in-depth information.
http://www.w2knews.com/rd/rd.cfm?id=020328TB-WiFi

How Much Does A Chief Security Officer Make?

Plan to become a chief security officer? If you pick the right industry you could find yourself reporting to the CFO and pulling in upward of $400,000 per year, plus a 25 percent bonus. Pick the wrong industry, however, and you could find yourself in the $70,000- to $90,000-per-year range and reporting well down in the chain of command.

According to a new research report from Giga Information Group Inc., of Cambridge, Mass., CSOs in financial services companies are most likely to pull down the big bucks and to report to top management. Among financial services industry CSOs, those reporting to the CIO can expect to make between $125,000 and $270,000 per year plus a 15 percent to 25 percent bonus. Financial services industry CSOs reporting to the CFO or COO can earn up to $400,000 per year.

While financial services companies appear to be on the cutting edge when it comes to granting top status and pay to CSOs, high-tech manufacturing companies and software companies are not far behind, according to Steve Hunt, Giga vice president and head of the company's security practice. Full article over here:
http://www.w2knews.com/rd/rd.cfm?id=020328TB-CSOpay

  NT/2000 RELATED NEWS

Promo Offer From MS Exchange Group

The Microsoft Exchange Product Manager asked me to forward you this nice little promo offer. So I said "Sure". Here you go, the offer involves:

  • 100 FREE 1 year subscriptions to Windows & .NET magazine
  • 3 months of online access to Windows & .NET mag and Exchange & Outlook Administrator websites to anyone who elects to participate

This promo offer is available on the Exchange product site. (Click Connect People with Knowledge site).
http://www.w2knews.com/rd/rd.cfm?id=020328TB-ExchangeOffer

NTswitch Makes Server Out Of Windows 2000 Workstation

I don't know if you've heard of NTswitch, but listen to this comment on one of the Sunbelt Forums:

"I downloaded this tool and converted my Windows 2000 Pro laptop to Windows 2000 Server. My splash screen changed, the label on my start menu changed. I went into System Info and it said I was running server. The only thing I saw that was disappointing was that the Windows Components in Add/Remove programs was still the Pro version. No Terminal Services. At any rate, the point of this utility is to prove that the two OS's are really the same exact code base with the only difference being the registry settings."

"Interesting", we thought, and decided to test this at Sunbelt. We tried it on several machines. It totally trashed Windows XP, so do not try that at home. Win2K was indeed transformed from Workstation to Server, and it allowed more than 10 connections. But we also found it broke other things; for instance, it completely broke the IIS Web Publishing Service, so we do not recommend using this in a production environment. Apart from violating the license agreement, it is not something we think is stable. But the tool does prove a point: the two OS-en are practically identical. The site that was originally mentioned in the posting is off the air at the moment. One wonders why. [grin]

  THIRD PARTY NEWS

New: Assure Superior Security & Better User Password Service

When you implement VUM/Password Management, this superior password security tool not only gives you significantly stronger passwords, it also saves you or your helpdesk a significant amount of money. Your users get convenient self-service access to password resets via any web browser. You as an admin configure, monitor and maintain password policy automatically and consistently. Help Desk personnel are relieved of routine reset requests but still have administrative control when they need to assist users.

THE PROBLEM:

User access needs grow faster than Help Desk/IT systems can handle them

  • More users in more places than ever before
  • More users accessing more systems than ever before
  • 40% of Help Desk calls related to assisting users with passwords
  • Every password reset call costs an average of $25.00
  • Bottom Line: You can't afford to keep managing password service and security manually: It's too risky, it's too costly, it's simply too inefficient.

THE SOLUTION:

VigilEnt User Manager/Password Management (see link below)

  • Improve password security with automated access control
  • Deliver faster, more efficient user password resets with online self-service
  • Gain an immediate return on your password security investment
  • Integrate across heterogeneous platform environments
  • Easy to use, easy to deploy, easy to maintain

The VigilEnt User Manager/Password Management Solution

PentaSafe meets the challenge of enterprise password management with new VigilEnt User Manager/Password Management by providing password synchronization, self-service password reset, and enhanced central Help Desk and Administrative functionality via a user-friendly Web-based interface. VigilEnt User Manager's password management solution reduces your support costs and at the same time improves network security across the enterprise.

Password Synchronization

Password Synchronization provides users with consistent access to multiple systems while increasing enterprise security through the enforcement of stronger password policy.

Instead of having to go through the tedious process of logging into each application to conduct password changes, VigilEnt User Manager's password synchronization capabilities allow an end user to initiate a password change across all their systems and applications with a single action from the convenient Web-based interface. Once a password has been validated, the password change request is disseminated to all applicable user login systems ensuring a synchronized enterprise-wide password. The password change process is complete when users are notified of successful changes.

Self-Service Password Reset

Self-service password reset allows end users to reset their password upon authentication without help desk assistance. Not only does this reduce costly support calls, it also increases employee productivity while improving network security by enforcing authentication and other security procedures, which are often neglected by overburdened help desk staff.

If an end user's password expires or is forgotten, VigilEnt User Manager allows users to reset their own passwords upon authentication without having to rely on the help desk for support. Once a user's identity is verified by responding to a configurable number of challenge questions, they can replace a forgotten or expired password and the new password is synchronized across the enterprise.

Password Policy Enforcement

Perhaps one of the most difficult tasks of today's security admins is being able to effectively enforce password policy throughout the organization. Without an enforceable policy, users are more likely to utilize weak passwords resulting in a potential security gap. VigilEnt User Manager comes with default settings for password validation policy, but Administrators can configure the product to enforce their own password policy. If an end user attempts to log in with a password that does not match the password rules configured in the product, they will receive a validation error and be asked to provide a password that conforms to the password policy defined by the Administrator.
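The validation step this paragraph describes, as an added example that is not PentaSafe's or VigilEnt's code: a policy object holding the rules an administrator would configure, a validator that returns every rule the candidate password breaks (so the user sees the reasons rather than a bare error), and a history of salted digests so an old password cannot be reused. The rule names, defaults, and the choice of PBKDF2 for the history digests are assumptions.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    """Rules an administrator would configure; these defaults are assumptions."""
    min_length: int = 10
    min_classes: int = 3             # of: lower, upper, digit, symbol
    forbid_username: bool = True
    history_depth: int = 5           # previous passwords that may not be reused
    banned_words: frozenset = frozenset({"password", "welcome", "letmein", "qwerty"})


CLASS_PATTERNS = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}


def password_digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest; only digests of old passwords are kept for the history check."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def validate_password(password: str, username: str, history: list,
                      policy: PasswordPolicy) -> list:
    """Return the names of every violated rule; an empty list means the password is accepted."""
    violations = []
    if len(password) < policy.min_length:
        violations.append("min_length")
    classes = sum(1 for pattern in CLASS_PATTERNS.values() if pattern.search(password))
    if classes < policy.min_classes:
        violations.append("character_classes")
    lowered = password.lower()
    if policy.forbid_username and username.lower() in lowered:
        violations.append("contains_username")
    if any(word in lowered for word in policy.banned_words):
        violations.append("banned_word")
    # history holds (salt, digest) pairs, oldest first; only the newest N count
    for salt, digest in history[-policy.history_depth:]:
        if hmac.compare_digest(password_digest(password, salt), digest):
            violations.append("reused")
            break
    return violations


def record_password(password: str, history: list) -> None:
    """Append a fresh salted digest so this password is refused next time."""
    salt = os.urandom(16)
    history.append((salt, password_digest(password, salt)))


def change_password(new_password: str, username: str, history: list,
                    policy: PasswordPolicy) -> list:
    """The change request described above: reject with the reasons, or accept and record."""
    violations = validate_password(new_password, username, history, policy)
    if not violations:
        record_password(new_password, history)
    return violations


if __name__ == "__main__":
    jsmith_history = []
    print(change_password("Summer2002!x", "jsmith", jsmith_history, PasswordPolicy()))
    print(change_password("jsmith123", "jsmith", jsmith_history, PasswordPolicy()))
```

Because the history stores only salted digests, the validator can refuse a reused password without ever keeping the old passwords themselves, and `hmac.compare_digest` keeps the comparison constant-time.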

Online Tracking of Transactions

VigilEnt User Manager provides end users with online tracking of their password transactions on relevant systems. When an end user submits a password change, they are notified that the password change has been submitted and can view the status of the password change across all their systems to ensure that their transaction was executed enterprise-wide. This prevents users from encountering unexpected access denials that can result in unnecessary business interruptions.

Audit Trails and Logging

VigilEnt User Manager improves auditing and service management with automatic logging of all password management activity information. From a central location, Administrators can access a searchable and sortable audit trail that contains user information, transaction type, date, IP address and other configurable options.
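The self-service reset, synchronization status and audit trail described in the sections above, as one added example that is not PentaSafe's or VigilEnt's code. Challenge answers are stored as salted PBKDF2 digests and matched case- and whitespace-insensitively, a user must answer a required number of them correctly, repeated failures lock self-service for that user, a successful reset queues the new password to a constructed list of target systems whose confirmation the user can watch, and every transaction lands in a searchable audit trail with user, type, time, IP and outcome. The lockout threshold, the target system names and the record layout are assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

MAX_FAILED_CHALLENGES = 3                                     # lockout threshold (assumption)
PBKDF2_ROUNDS = 100_000
TARGET_SYSTEMS = ("ActiveDirectory", "LotusNotes", "Oracle")  # constructed names of synced systems


def _digest(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _answer_digest(answer: str, salt: bytes) -> bytes:
    """Challenge answers match case- and whitespace-insensitively; passwords do not."""
    return _digest(" ".join(answer.lower().split()), salt)


class ResetService:
    def __init__(self):
        self.profiles = {}      # user -> {"qa": {question: (salt, digest)}, "failures": int, "password": ...}
        self.audit = []         # searchable audit trail: one dict per transaction
        self.sync_status = {}   # user -> {system: "pending" | "done"}, what the user's status page shows

    def _log(self, user, txn_type, ip, outcome, detail=""):
        self.audit.append({"time": datetime.now(timezone.utc).isoformat(), "user": user,
                           "type": txn_type, "ip": ip, "outcome": outcome, "detail": detail})

    def enroll(self, user, answers: dict, ip):
        """Store salted digests of the user's challenge answers, never the answers themselves."""
        qa = {}
        for question, answer in answers.items():
            salt = os.urandom(16)
            qa[question] = (salt, _answer_digest(answer, salt))
        self.profiles[user] = {"qa": qa, "failures": 0, "password": None}
        self._log(user, "enroll", ip, "success", f"{len(qa)} challenge questions stored")

    def _verify(self, profile, answers: dict, required: int) -> bool:
        correct = 0
        for question, given in answers.items():
            if question in profile["qa"]:
                salt, digest = profile["qa"][question]
                if hmac.compare_digest(_answer_digest(given, salt), digest):
                    correct += 1
        return correct >= required

    def reset_password(self, user, answers: dict, new_password, ip, required=2) -> bool:
        profile = self.profiles.get(user)
        if profile is None:
            self._log(user, "reset", ip, "denied", "unknown user")
            return False
        if profile["failures"] >= MAX_FAILED_CHALLENGES:
            self._log(user, "reset", ip, "denied", "locked: too many failed challenges")
            return False
        if not self._verify(profile, answers, required):
            profile["failures"] += 1
            self._log(user, "reset", ip, "denied", f"challenge failed ({profile['failures']})")
            return False
        profile["failures"] = 0
        salt = os.urandom(16)
        profile["password"] = (salt, _digest(new_password, salt))
        self.sync_status[user] = {system: "pending" for system in TARGET_SYSTEMS}
        self._log(user, "reset", ip, "success", f"sync queued to {len(TARGET_SYSTEMS)} systems")
        return True

    def complete_sync(self, user, system, ip):
        """Called when a target system confirms the change; updates the user's status view."""
        self.sync_status[user][system] = "done"
        self._log(user, "sync", ip, "success", system)

    def check_password(self, user, password) -> bool:
        stored = self.profiles[user]["password"]
        if stored is None:
            return False
        salt, digest = stored
        return hmac.compare_digest(_digest(password, salt), digest)

    def search_audit(self, user=None, txn_type=None) -> list:
        """The central, filterable audit view an administrator would query."""
        return [e for e in self.audit
                if (user is None or e["user"] == user)
                and (txn_type is None or e["type"] == txn_type)]
```

Note that a failed challenge is logged with the source IP and a running failure count, so guessing at challenge answers shows up in the audit trail long before the lockout triggers, and a locked user is refused even with the right answers until an administrator intervenes.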

Key Benefits:

  • Dramatically reduces help desk costs and increases employee productivity with self-service password reset, allowing end users to quickly and easily restore access to business-critical applications without help desk assistance.
  • Decreases the security risks associated with users having to remember multiple passwords, including the use of weak passwords or writing down passwords. Password synchronization requires that end users remember only one enterprise password.
  • Mandates and enforces enterprise-wide password strength policies to safeguard corporate data security by validating every new password against a set of rules configured by your organization's security administrator.
  • Increases security against unauthorized access by authenticating users each time they reset or synchronize a password with a set of challenge/response questions.
  • Improve your organization's overall security by providing complete audit trails, logging and reporting on password change activities.
  • Improve service quality by relieving over-burdened help desks from attending to numerous password reset calls, allowing them to focus on more complex projects in a timely manner, while end users reset their own passwords without waiting in a long queue, minimizing overall business interruption.

Unique advantages of VigilEnt User Manager/Password Management
  • Integrates into our VigilEnt Security Management console for centralized management across your entire security infrastructure. No need for multiple consoles and separate password system management and logging.
  • Offers greater platform breadth than most other password products. Includes major operating systems, web servers, web applications, databases, and more, plus Lotus Notes and most custom applications using the VigilEnt Universal Agent[tm].
Go to the PentaSafe page, fill out the "30-day CD Eval" form and indicate you want info about VigilEnt User Manager/Password Mgmt.
http://www.w2knews.com/rd/rd.cfm?id=020328TP-VUM_PM

Intel Uses Benchmark Studio To Show Xeon Performance

When Intel Corporation needed a scalable solution for demonstrating the performance of its new Xeon processors, they turned to CSA Research and the Benchmark Studio Load Simulation and Performance Testing platform. With Benchmark Studio, engineers from Intel's Reseller Products Group (RPG) were able to construct a series of sophisticated client/server test scenarios that highlighted the advantages of the new Xeon's Hyperthreading CPU core.

These scenarios went on to form the basis for Intel's global training initiatives for their "white box" resellers and retailers. Intel RPG field representatives are conducting workshops in each of the company's major geographies to bring these resellers up to speed on the new technology. The day long sessions begin with participants building a custom Windows 2000 Server-based test bed and then using the ADO Stress, MAPI Stress and ASP Stress from Benchmark Studio to measure 2-tier and 3-tier application scalability in both Hyperthreaded and non-Hyperthreaded scenarios.

One of the major draws for Intel was the realistic nature of the Benchmark Studio workloads. Each load simulation object mimics the behavior of a real-world client/server application, tapping key OS subsystems and APIs to generate a truly dynamic and scalable workload package. Ease of use was also a big factor - most of the workshop time is spent building the base systems since the Benchmark Studio portion of the process takes just minutes. Once the base systems are built, participants are up and running and generating compelling results almost immediately.

Of course, RPG isn't the only group at Intel that has jumped on the Benchmark Studio bandwagon. Intel Architecture Labs (IAL) and Internet Communications Group (ICG) are also big fans, with the latter using Benchmark Studio to demonstrate the benefits of Gigabit Ethernet to desktop PCs and workstations (see gigabit.pdf on the page below for a white paper on this subject). If you'd like more information on Benchmark Studio, check out this Sunbelt product page.
http://www.w2knews.com/rd/rd.cfm?id=020328TP-BenchMark

  FAVE LINKS

This Week's Links We Like. Tips, Hints And Fun Stuff

  • World Mouse Clicking Championship! How many can you get in 10 seconds?
    http://www.w2knews.com/rd/rd.cfm?id=020328FA-MouseClicks
  • Sweaty palms? Here are the instructions to build a fan in your mouse. Really.
    http://www.w2knews.com/rd/rd.cfm?id=020328FA-MouseFan
  • Software development is fun. Life at Borland from an ex-Borlander:
    http://www.w2knews.com/rd/rd.cfm?id=020328FA-SoftFun
  • Lego Brick Building is fun. It's even more fun to do it "fully virtual"!
    http://www.w2knews.com/rd/rd.cfm?id=020328FA-VirtuaLego
  PRODUCT OF THE WEEK

Hack Proofing Your Network (2nd Edition)

By Ryan Russell (and a bunch of other security gurus). Ryan Permeh from eEye has written the chapter on buffer overflows for this new edition. Ryan's information alone is well worth checking out; however, the rest of the book also has a lot of really great information. Definitely check this book out if you're interested in the topic of security. "The only way to stop a hacker is to think like one." This bestseller is now updated. This is one of those "Stu's Warmly Recommended" ones.
http://www.w2knews.com/rd/rd.cfm?id=020328BW-Hack_Proofing