Sunbelt W2Knews Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Thu, Mar 28, 2002 (Vol. 7, #25 - Issue #356)
Chief Security Officer Pay
This issue of W2Knews contains:
- EDITORS CORNER
- TECH BRIEFING
- All about Wi-Fi, an 8-minute Primer
- How Much Does A Chief Security Officer Make?
- NT/2000 RELATED NEWS
- Promo Offer From MS Exchange Group
- NTswitch Makes Server Out Of Windows 2000 Workstation
- NT/2000 THIRD PARTY NEWS
- New: Assure Superior Security & Better User Password Service
- Intel Uses Benchmark Studio To Show Xeon Performance
- W2Knews 'FAVE' LINKS
- This Week's Links We Like. Tips, Hints And Fun Stuff
- PRODUCT OF THE WEEK
- Hack Proofing Your Network (2nd Edition)
SPONSOR: NEW SECURITY TOOLSET: ELM LOG MANAGER(tm) 3.0
ELM Log Manager(tm) 3.0 gives Security Administrators the power to see
event entries with unrivaled clarity. With or without installed Agents,
ELM efficiently monitors and collects events with separate, easy to
use, Monitor Items. Personal Views and scheduled Reports provide valuable
event summaries. And a unique Alerts feature, one of the 14 Notification
Methods, provides a single glance view of the most critical events
allowing prompt action. Download ELM and see "How the First-to-Know
Visit NEW SECURITY TOOLSET: ELM LOG MANAGER(tm) 3.0 for more information.
Phone Cracking Redux
A lot of people have been sending me email about this. It really has
been going on for years and from that perspective it is "old news".
But for many it was not really something they paid much attention to
as it is "low tech" and does not directly seem to threaten the IT
infrastructure. But make no mistakes. It often is the first point
of entry, and continues from there. And with the current convergence
between telephony and IT, it often is you and me as IT people that are
now also managing the new telephone systems. So for some of us this
All telephone systems can be hacked by social engineering (even the
very modern ones) or by weak passwords for the voice mail boxes. Many
systems allow waaay too many features turned on, especially call
forwarding to a cell phone. Systems like that can easily be hijacked.
The large phone companies are monitoring for irregular calling patterns
and some even have fraud detecting software running to prevent these
kinds of ripoff calls. AT&T has had systems like this in operation for
years, and has free training seminars for employees to help prevent
telecom fraud. I'm sure the other carriers have similar programs.
Every business phone system (PBX) has holes in it, if you know where
to look. The biggest hole is the users! It is very, very similar to
IT servers and networks. You need to upgrade frequently and patch the
A British company at http://www.solitaire.co.uk has 80,000 PBX installations
worldwide and developed HackerTracker software specifically for this
problem. It allows you to set up 20 alarms, each with 7 fraud detection
criteria, alerting you instantly of any attempt to hack the PBX.
Another outfit in Sweden at http://www.envox.com has a PBX development
platform that allows you to build a phone system you have complete
control of. There is a free product called SoftPBX that they give away
to their customers. With that software, PBX cracks are much harder to
achieve, if at all.
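An added example (not the newsletter's code, and not HackerTracker's or any carrier's actual criteria) of the kind of fraud-detection alarms the paragraphs above describe, run over a few constructed call detail records (CDRs): an after-hours international call, a burst of international calls from one extension, a call forwarded to a mobile number, and repeated voicemail login failures on one mailbox. The CDR layout, the extensions, the dial-plan prefixes, the business-hours window and every threshold are assumptions made for the illustration.

```python
"""Rule-based toll-fraud alarms over PBX call detail records (CDRs).

Added example, not the newsletter's code and not any vendor's product.
The CDR layout, the extensions, the dial-plan prefixes and every threshold
below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed policy: assumed UK-style dial plan and a 07:00-20:00 working day.
INTL_PREFIX = "00"        # international dialling prefix
MOBILE_PREFIX = "07"      # mobile-number prefix (forwarding target of concern)
BUSINESS_START, BUSINESS_END = time(7, 0), time(20, 0)
BURST_WINDOW = timedelta(minutes=10)   # sliding window for the burst rules
INTL_BURST = 3            # international calls in the window from one extension
VM_FAIL_LIMIT = 3         # voicemail login failures in the window for one mailbox

# Constructed sample CDRs: timestamp, extension, dialled number, seconds, category.
SAMPLE_CDRS = """\
2002-03-27T09:12:00,2041,02085550100,240,outbound
2002-03-27T23:05:10,2041,00123456789,15,outbound
2002-03-27T23:06:02,2041,00123456790,12,outbound
2002-03-27T23:06:40,2041,00123456791,10,outbound
2002-03-28T02:15:30,2077,07700900123,900,forwarded
2002-03-28T03:00:00,2077,VOICEMAIL,4,vm-login-fail
2002-03-28T03:00:20,2077,VOICEMAIL,4,vm-login-fail
2002-03-28T03:00:41,2077,VOICEMAIL,4,vm-login-fail
2002-03-28T10:30:00,2019,02075550199,60,outbound
"""


def parse_cdr(line):
    """Split one constructed CDR line into a record."""
    ts, ext, dialled, secs, kind = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "ext": ext,
            "dialled": dialled, "secs": int(secs), "kind": kind}


def after_hours(ts):
    """True when the call falls outside the assumed working day."""
    t = ts.time()
    return t < BUSINESS_START or t >= BUSINESS_END


def _recent(events, now):
    """Keep only timestamps inside the sliding window ending at `now`."""
    return [t for t in events if now - t <= BURST_WINDOW]


def detect_fraud(lines):
    """Return (rule, extension, detail) alarms, at most one per rule and extension."""
    records = sorted((parse_cdr(ln) for ln in lines if ln.strip()),
                     key=lambda r: r["ts"])
    intl_calls = defaultdict(list)     # extension -> recent international call times
    vm_failures = defaultdict(list)    # extension -> recent voicemail login failures
    alarms, raised = [], set()

    def raise_alarm(rule, ext, detail):
        if (rule, ext) not in raised:  # report each condition once per extension
            raised.add((rule, ext))
            alarms.append((rule, ext, detail))

    for r in records:
        ext, now = r["ext"], r["ts"]
        if r["dialled"].startswith(INTL_PREFIX):
            if after_hours(now):
                raise_alarm("after-hours-international", ext, r["dialled"])
            intl_calls[ext] = _recent(intl_calls[ext], now) + [now]
            if len(intl_calls[ext]) >= INTL_BURST:
                raise_alarm("international-burst", ext, len(intl_calls[ext]))
        # Forwarding to a mobile is the feature the text singles out for abuse.
        if r["kind"] == "forwarded" and r["dialled"].startswith(MOBILE_PREFIX):
            raise_alarm("forward-to-mobile", ext, r["dialled"])
        # Repeated mailbox login failures point at weak or guessed voicemail PINs.
        if r["kind"] == "vm-login-fail":
            vm_failures[ext] = _recent(vm_failures[ext], now) + [now]
            if len(vm_failures[ext]) >= VM_FAIL_LIMIT:
                raise_alarm("voicemail-pin-guessing", ext, len(vm_failures[ext]))
    return alarms


if __name__ == "__main__":
    for rule, ext, detail in detect_fraud(SAMPLE_CDRS.splitlines()):
        print(f"ALARM {rule:26} ext {ext}: {detail}")
```

Each alarm is raised once per extension so a single runaway mailbox does not flood the operator; in practice the thresholds and the working-day window would be tuned per site, and the alarms fed to whoever is on call for the PBX rather than only written to a log.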
To end off this series of three on phone cracking, one last point of
advice. Security awareness and training extends to all parts of the
company, not just the IT networks. But they do dovetail together, so
leaving a hole in one area immediately weakens the others. Staff needs
to be trained on all these aspects.
PS: You can't afford to keep managing password service and security
manually: It's too risky, it's too costly, it's simply too inefficient.
Here is a product that will allow you to automate staff training for
all security aspects:
(email me with feedback: [email protected])
SPONSOR: SCAN AND PATCH
SCAN AND PATCH SECURITY HOLES WITH UPDATEEXPERT
Do you have a reliable tool to secure your network with the latest
updates? UpdateEXPERT is a software patch vulnerability assessment tool
that scans your network for missing hotfixes, and FIXES discovered
weaknesses for increased network protection. Supporting Windows
NT/2000/XP, SQL Server, IE and other mission critical applications,
UpdateEXPERT helps enforce software security policies, enables you to
scan for patches, validates your installations for peace of mind, and
installs updates to all networked machines without an agent.
Visit SCAN AND PATCH for more information.
All about Wi-Fi, an 8-minute Primer
Want to get up to speed quickly on 802.11b wireless, a.k.a. Wi-Fi?
Network World Fusion has a special selection that showcases what it is
and gives you tips on setting up a Wi-Fi network and protecting it.
It takes a look at how one medical center is using it. Plus, listen
to a cute little Wireless LANs audio primer to get up to speed quickly
on the various wireless technologies, then use the Wireless-LANs
research page to get even more in-depth information.
How Much Does A Chief Security Officer Make?
Plan to become a chief security officer? If you pick the right industry
you could find yourself reporting to the CFO and pulling in upward of
$400,000 per year, plus a 25 percent bonus. Pick the wrong industry,
however, and you could find yourself in the $70,000- to $90,000-per-year
range and reporting well down in the chain of command.
According to a new research report from Giga Information Group Inc., of
Cambridge, Mass., CSOs in financial services companies are most likely
to pull down the big bucks and to report to top management. Among
financial services industry CSOs, those reporting to the CIO can expect
to make between $125,000 and $270,000 per year plus a 15 percent to 25
percent bonus. Financial services industry CSOs reporting to the CFO
or COO can earn up to $400,000 per year.
While financial services companies appear to be on the cutting edge when
it comes to granting top status and pay to CSOs, high-tech manufacturing
companies and software companies are not far behind, according to Steve
Hunt, Giga vice president and head of the company's security practice.
Full article over here:
NT/2000 RELATED NEWS
Promo Offer From MS Exchange Group
The Microsoft Exchange Product Manager asked me to forward you this nice
little promo offer. So I said "Sure". Here you go, the offer involves:
This promo offer is available on the Exchange product site. (Click
Connect People with Knowledge site).
- 100 FREE 1 year subscriptions to Windows & .NET magazine
- 3 months of online access to Windows & .NET mag and Exchange & Outlook Administrator websites to anyone who elects to participate
NTswitch Makes Server Out Of Windows 2000 Workstation
I don't know if you've heard of NTswitch, but listen to this comment
on one of the Sunbelt Forums:
"I downloaded this tool and converted my Windows 2000 Pro laptop to Windows
2000 Server. My splash screen changed, the label on my start menu changed.
I went into System Info and it said I was running server. The only thing I
saw that was disappointing was that the Windows Components in Add/Remove
programs was still the Pro version. No Terminal Services. At any rate,
the point of this utility is to prove that the two OS's are really the same
exact code base with the only difference being the registry settings."
"Interesting", we thought, and decided to test this in Sunbelt. We tried
it on several machines. It totally trashed Windows XP, so do not try that
at home. Win2K was indeed transformed, from WS to Server, and it allowed
more than 10 connections. But we also found it broke other things, like it
completely broke IIS Web Publishing Service so we do not recommend using
this in a production environment. Apart from violating the license agreement,
it is not something we think is stable. But the tool does prove a point.
The two OS-en are practically identical. The site that was originally
mentioned in the posting is off the air at the moment. One wonders why.
THIRD PARTY NEWS
New: Assure Superior Security & Better User Password Service
Thanks to VUM/Password Management, when you implement this superior
password security tool (apart from significantly stronger passwords),
it also saves you or your helpdesk a significant amount of money.
Your users get convenient self-service access to password resets via
any online web browser. You as an admin configure, monitor and maintain
password policy automatically and consistently. Help Desk personnel
are relieved of routine reset requests but do have the administrative
control when they need to assist users.
User access needs grow faster than Help Desk/IT systems can handle them
- More users in more places than ever before
- More users accessing more systems than ever before
- 40% of Help Desk calls related to assisting users with passwords
- Every password reset call costs an average of $25.00
- Bottom Line: You can't afford to keep managing password service and
security manually: It's too risky, it's too costly, it's simply too inefficient.
VigilEnt User Manager/Password Management (see link below)
The VigilEnt User Manager/Password Management Solution
- Improve password security with automated access control
- Deliver faster, more efficient user password resets with online self-service
- Gain an immediate return on your password security investment
- Integrate across heterogeneous platform environment
- Easy to use, easy to deploy, easy to maintain
PentaSafe meets the challenge of enterprise password management with
new VigilEnt User Manager/Password Management by providing password
synchronization, self-service password reset, and enhanced central
Help Desk and Administrative functionality via a user-friendly Web-based interface. VigilEnt User Manager's password management solution
reduces your support costs and at the same time improves network
security across the enterprise.
Password Synchronization provides users with consistent access to
multiple systems while increasing enterprise security through the
enforcement of stronger password policy.
Instead of having to go through the tedious process of logging into
each application to conduct password changes, VigilEnt User Manager's
password synchronization capabilities allow an end user to initiate
a password change across all their systems and applications with a
single action from the convenient Web-based interface. Once a password
has been validated, the password change request is disseminated to
all applicable user login systems ensuring a synchronized enterprise-wide password. The password change process is complete when users are notified of successful changes.
Self-Service Password Reset
Self-service password reset allows end users to reset their password
upon authentication without help desk assistance. Not only does this
reduce costly support calls, it also increases employee productivity
while improving network security by enforcing authentication and other
security procedures, which are often neglected by overburdened help
If an end user's password expires or is forgotten, VigilEnt User Manager
allows users to reset their own passwords upon authentication without
having to rely on the help desk for support. Once a user's identity
is verified by responding to a configurable number of challenge questions,
they can replace a forgotten or expired password and the new password
is synchronized across the enterprise.
Password Policy Enforcement
Perhaps one of the most difficult tasks of today's security admins
is being able to effectively enforce password policy throughout the
organization. Without an enforceable policy, users are more likely to
utilize weak passwords resulting in a potential security gap. VigilEnt
User Manager comes with default settings for password validation policy,
but Administrators can configure the product to enforce their own
password policy. If an end user attempts to log in with a password that
does not match the password rules configured in the product, they will
receive a validation error and be asked to provide a password that
conforms to the password policy defined by the Administrator.
Online Tracking of Transactions
VigilEnt User Manager provides end users with online tracking of their
password transactions on relevant systems. When an end user submits
a password change, they are notified that the password change has been
submitted and can view the status of the password change across all
their systems to ensure that their transaction was executed enterprise-wide. This prevents users from encountering unexpected access denials that can result in unnecessary business interruptions.
Audit Trails and Logging
VigilEnt User Manager improves auditing and service management with
automatic logging of all password management activity information.
From a central location, Administrators can access a searchable and
sortable audit trail that contains user information, transaction type,
date, IP address and other configurable options.
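An added example, not VigilEnt's code and not its rule set, of the two mechanisms described under "Password Policy Enforcement" and "Audit Trails and Logging": a configurable set of password rules that rejects a candidate with a validation error naming every rule it breaks, and an audit trail that records user, transaction type, time, IP address and outcome for each password transaction without ever storing the password itself. The policy values, the user names, the deny list and the PBKDF2 parameters are assumptions made for the illustration.

```python
"""Configurable password policy check plus an audit trail of password transactions.

Added example; not VigilEnt's code. Policy values, user names, the deny list
and the hashing parameters are constructed for illustration.
"""
import hashlib
import os
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Character classes counted toward the complexity rule.
CLASS_PATTERNS = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")


@dataclass(frozen=True)
class PasswordPolicy:
    """Assumed default policy; an administrator would override these values."""
    min_length: int = 10
    min_classes: int = 3
    forbid_username: bool = True
    deny_list: frozenset = frozenset({"password", "welcome1", "spring2002"})


def check_password(policy, username, candidate):
    """Return the list of rules the candidate violates (empty list means it conforms)."""
    problems = []
    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    classes = sum(1 for p in CLASS_PATTERNS if re.search(p, candidate))
    if classes < policy.min_classes:
        problems.append(f"uses {classes} character classes, policy needs {policy.min_classes}")
    if policy.forbid_username and username.lower() in candidate.lower():
        problems.append("contains the user name")
    if candidate.lower() in policy.deny_list:
        problems.append("is on the deny list")
    return problems


def hash_password(candidate, salt=None):
    """Salted PBKDF2-HMAC-SHA256; the iteration count is an assumed value."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, 100_000)
    return salt + digest


class PasswordService:
    def __init__(self, policy):
        self.policy = policy
        self.credentials = {}   # username -> salt + digest
        self.audit_trail = []   # searchable records; never contains a password

    def _audit(self, username, transaction, ip, outcome, detail=""):
        self.audit_trail.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": username, "transaction": transaction, "ip": ip,
            "outcome": outcome, "detail": detail,
        })

    def change_password(self, username, candidate, ip):
        """Validate against policy, store the hash on success, audit either way."""
        problems = check_password(self.policy, username, candidate)
        if problems:
            self._audit(username, "password-change", ip, "rejected", "; ".join(problems))
            return False, problems
        self.credentials[username] = hash_password(candidate)
        self._audit(username, "password-change", ip, "accepted")
        return True, []


if __name__ == "__main__":
    service = PasswordService(PasswordPolicy())
    for attempt in ("password", "Jsmith-Spring2002!", "Correct-Horse-42"):
        ok, problems = service.change_password("jsmith", attempt, "10.0.0.5")
        print("accepted" if ok else "rejected: " + "; ".join(problems))
    for record in service.audit_trail:
        print(record)
```

Reporting every violated rule at once, rather than the first one found, is what lets the user fix the password in one round trip; keeping the candidate out of the audit record (only the rule names go in) is what keeps the searchable trail safe to hand to help desk staff.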
Unique advantages of VigilEnt User Manager/Password Management
- Dramatically reduces help desk costs and increases employee productivity
with self-service password reset, allowing end users to quickly and
easily restore access to business-critical applications without help
- Decreases the security risks associated with users having to remember
multiple passwords, including the use of weak passwords or writing
down passwords. Password synchronization requires that end users remember
only one enterprise password.
- Mandates and enforces enterprise-wide password strength policies to
safeguard corporate data security by validating every new password
against a set of rules configured by your organization's security
- Increases security against unauthorized access by authenticating
users each time they reset or synchronize a password with a set of
- Improve your organization's overall security by providing complete
audit trails, logging and reporting on password change activities.
- Improve service quality by relieving over-burdened help desks from
having to attend to numerous password resets calls and allowing them
to focus on more complex projects in a timely manner, which allows
the end user to reset their own passwords without waiting in a long
queue-minimizing overall business interruption.
- Integrates into our VigilEnt Security Management console for
centralized management across your entire security infrastructure.
No need for multiple consoles and separate password system management
- Offers greater platform breadth than most other password products.
Includes major operating systems, web servers, web applications,
databases, and more, plus Lotus Notes and most custom applications
using the VigilEnt Universal Agent[tm].
Go to the PentaSafe page, fill out the "30-day CD Eval" form and
indicate you want info about VigilEnt User Manager/Password Mgmt.
Intel Uses Benchmark Studio To Show Xeon Performance
When Intel Corporation needed a scalable solution for demonstrating the
performance of its new Xeon processors, they turned to CSA Research and
the Benchmark Studio Load Simulation and Performance Testing platform.
With Benchmark Studio, engineers from Intel's Reseller Products Group
(RPG) were able to construct a series of sophisticated client/server
test scenarios that highlighted the advantages of the new Xeon's
Hyperthreading CPU core.
These scenarios went on to form the basis for Intel's global training
initiatives for their "white box" resellers and retailers. Intel RPG
field representatives are conducting workshops in each of the company's
major geographies to bring these resellers up to speed on the new
technology. The day long sessions begin with participants building a
custom Windows 2000 Server-based test bed and then using the ADO Stress,
MAPI Stress and ASP Stress from Benchmark Studio to measure 2-tier and
3-tier application scalability in both Hyperthreaded and
One of the major draws for Intel was the realistic nature of the
Benchmark Studio workloads. Each load simulation object mimics the
behavior of a real-world client/server application, tapping key OS
subsystems and APIs to generate a truly dynamic and scalable workload
package. Ease of use was also a big factor - most of the workshop time
is spent building the base systems since the Benchmark Studio portion of
the process takes just minutes. Once the base systems are built,
participants are up and running and generating compelling results almost
Of course, RPG isn't the only group at Intel that has jumped on the
Benchmark Studio bandwagon. Intel Architecture Labs (IAL) and Internet
Communications Group (ICG) are also big fans, with the latter using
Benchmark Studio to demonstrate the benefits of Gigabit Ethernet to
desktop PCs and workstations (see the gigabit.pdf on the page below
for a white paper on this subject). If you'd like more information on
Benchmark Studio, check out the Sunbelt product page.
This Week's Links We Like. Tips, Hints And Fun Stuff
World Mouse Clicking Championship! How many can you get in 10 seconds?
Sweaty palms? Here are the instructions to build a fan in your mouse. Really.
Software development is fun. Life at Borland from an ex-Borlander:
Lego Brick Building is fun. It's even more fun to do it "fully virtual"!
PRODUCT OF THE WEEK
Hack Proofing Your Network (2nd Edition)
By Ryan Russell (and a bunch of other security gurus). Ryan Permeh from
eEye has written the chapter on buffer overflows for this new edition.
Ryan's information alone is well worth checking out; however, the rest of
the book also has a lot of really great information. Definitely check this
book out if you're interested in the topic of security. "The only way to
stop a hacker is to think like one". This bestseller is now updated.
This is one of these "Stu's Warmly Recommended" ones.