Tag Archives: SQL

Web Applications: The Coming Threats

If you’re looking for a secure form of computing, you can certainly do a lot worse than software-as-a-service (SaaS), but like any technology, SaaS is far from 100 percent secure. SaaS, a remotely operated form of computing offered by the likes of Salesforce.com, nSite (part of SAP Business Objects), Qualys and others, is growing in popularity among small and mid-sized businesses, but still has fairly low penetration. A survey by Forrester Research, of Cambridge, Mass., of businesses with fewer than 1,000 employees in 2007 showed only 11 percent were using SaaS. “It’s starting to expand out and playing a much more crucial role,” says Liz Herbert, an analyst with Forrester.

The appeal to small business is obvious. Having software managed by a third party obviates in-house IT positions and places the onus of maintaining consistent uptime (99.7 percent seems to be the norm) on someone else. Moreover, security concerns are fewer than with in-house systems. “It hasn’t prevented people from signing up,” says Robert DeSisto, vice president and distinguished analyst at Gartner, of Stamford, Conn., regarding security. “I wouldn’t say it’s a big issue, but it’s an issue.”

Security concerns

The truth is, there are security gaps in any kind of technology. SaaS programs are vulnerable to the following threats: mass SQL bots, which compromised hundreds of thousands of websites; the loss of data; and the publishing of confidential data on the Internet. Those are worst-case scenarios and not all that likely, but if you’re contemplating a contract with a SaaS vendor, Wolfgang Kandek, CTO of Qualys, recommends hitting the prospective company with questions about their approach to secure computing.

First, Kandek suggests tackling the loss-of-data question. “You should ask, ‘If I lose data, how will you get it back to me?’” Kandek says. While most companies will back up information like CRM databases as a matter of course, a bigger issue is if such information is made available to the public or competitors somehow. Kandek deems it unlikely that a competitor would go so far as to hack a rival company to get such information. A more likely scenario is that the information is made available as collateral damage during a random hack or bug attack.

Questions to ask a provider

For the latter reason, Kandek advises those who use Microsoft’s SQL Server especially to grill their potential SaaS provider about how often they update their software with patches provided by Microsoft and the like. “Patches could be important so you should ask when they do it, do they wait until the weekend or do it as soon as they can. That gives you a good idea of how diligent they are about it,” Kandek says. The issue doesn’t just apply to Microsoft. Even if you’re using a Linux-based system, there are patches issued on a regular basis that may be relevant.

Kandek says another question to pose is about data security. “You should ask, ‘How do you make sure it doesn’t go away?’” he says. Meanwhile, Kandek says you can ask vendors for Web application codes for further reassurance, but you’re unlikely to get them. “That is usually considered proprietary and competitive information,” he says.

Another tip is to ask for third-party security monitoring of the prospective firm. While there’s always the possibility that such results could be questionable (the monitoring firm could be in cahoots with the SaaS vendor), there are ways of checking the integrity of the third-party monitor. In the end, just as there is no 100 percent guarantee of security with any form of computing, there’s no way to be completely certain that your vendor is on the level, either. “You can be defrauded,” Kandek says. “It’s a trust relationship you have to build.”

Tech Talk: Image Software Helps Baker Backup

Specialty Bakers, Inc., based in Marysville, Pa., has been in business since 1901 and is best known for its Ladyfingers. When the company needed a new solution to back up mission-critical applications, IT Director Jack Eckerd tells IncTechnology.com that a disk imaging solution helped reduce downtime during outages and enabled speedier recovery.

Elizabeth Wasserman: What type of data does your business keep?

Jack Eckerd: We rely on e-mail communications internally and externally to our clients, vendors and staff with an Exchange server. Other systems include production data, production schedules, accounting data and an EDI system. We also have an HR and Payroll system. We operate a SQL server as our primary database server. We keep a variety of data throughout the organization. We have 100 workstations in the network and 13 production servers.

Wasserman: Why did you decide to get a new backup system?

Eckerd: We used to back up onto tape. As our data grew and our backup windows became smaller this solution was too slow. Initially we focused on the workstation level to capture local data. Backing up workstations across the network to tape was incredibly slow and restoration was even slower. Sometimes, just to recover a file, it would take hours. We researched various products on the Internet and found Acronis True Image. This software was more intuitive, easier to use, and extremely reliable. It proved to be much faster and it restored files in minutes as opposed to hours. We eventually installed it on all our workstations. The success on our workstations prompted us to experiment with our servers, as well. The server edition of the product proved to be as dependable as the workstation edition. We’ve stayed with this product through many version upgrades.

Wasserman: How does it work?

Eckerd: This solution is fully automated. Images are scheduled and run during off peak usage times. Even if an end user powers off their workstation we utilize the wake on LAN feature within the product to complete our images overnight. It takes an image of the entire hard drive or a partition of the hard drive. The current version allows us to image down to the folder level. These images allow for the backup of all the data and the ease of restoration. The software also allows us to stop services, create an image and restart services on our servers so there are no open file conflicts. And it’s fully-automated, too. It’s not something we have to attend or watch.

Wasserman: What have the results been?

Eckerd: From my teams’ time, the backups are fully automated, so we’re spending less time managing backups. There are no tapes to change. The time difference to restore lost data is much less. We have a small IT staff. We only have three in our department. This solution allows us more time for project work and help desk. It gives faster response times so we aren’t spending as much time on backup. The software does also play a vital role in our disaster recovery plan. We’re very confident we can get the data from that image if we need to.

Tech Talk: Restaurant Betters Database Access

Crabby Bills, a chain of seven seafood restaurants headquartered in Indian Rocks Head, Fla., wanted some of its 400 employees to more easily tap into and work with data essential to restaurant operations stored in two SQL databases. Chief Information Officer Luis Campuzano tells IncTechnology how new software helped the restaurant improve productivity and keep expenses down.

Elizabeth Wasserman: How does Crabby Bills use database technology?

Luis Campuzano: The main thing is we have two separate databases. One is for our restaurants. That data comes from point of sale, labor information, daily sales, and check information. The other is for our accounting system. The sales data would feed over into the accounting side. We wanted to be able to have one place to go at the restaurants for the manager to be able to combine everything in a usable interface. That’s what we were looking for.

Wasserman: So what did you do about this problem?

Campuzano: There are a couple of different solutions out there. We were originally looking at developing something in Microsoft .net. But we needed something we could put together pretty quickly. We knew about FileMaker Pro for a while, but when they came out with version 9, with a SQL back end, we realized we could pretty quickly build a front end and combine our two databases. It’s probably been up for about five months now. To do the initial front end took about a day. It really goes quickly. We’ve been tweaking it since then.

Wasserman: What does this allow you to do now?

Campuzano: A lot of the different restaurants call me up and they want to add a screen or a different function. I can create it pretty quickly with the connections. It’s a lot easier to put the data out there in a quick fashion. They can use it to go in there and track orders. They can compare how much they spent in dollars to how much they made. All the labor information is now accessible at the store level and they can view the data all in one spot. We’re all able to look at the same reports, same screens, at all our different locations. It used to be that with two systems at one time, we might have discrepancies. Now we’re able to view both at one time and make edits on the same screen. We used to have to go to two different places to go to find sales information and payroll information. It’s now a little less confusing for the restaurant managers.

Tech Talk: Virtualization Saves $$ for Software Firm

System Automation Corp., an 85-person business based in Columbia, Md., provides the MyLicense Suite software to more than 400 government entities in 23 states to manage, for example, teacher and nurse licenses. Network Engineer Craig Callan describes how server virtualization helps keep costs down yet provides better service for customers.

Elizabeth Wasserman: What challenges did you encounter at System Automation?

Craig Callan: There were often delays setting up testing trials because equipment simply wasn’t available. Quite simply, in many cases, a desktop box wouldn’t be enough. You needed to beef up a desktop box to run a server on it. We needed to do a number of things to get it going. We just didn’t have enough resources. We didn’t have enough servers to keep everybody happy. The process of ordering equipment, setting it up, loading software takes a minimum of about two weeks. Also, we were looking for a way to create a testing platform that would be easy to convert into production for our customers. Although the software starts with a common base, each MyLicense implementation is customized and each customer tests the software. Once testing is completed and the actual implementation is locked, we needed a better way to transition into production.

Wasserman: What made you look at virtualization technology?

Callan: The fact that I needed a number of servers and it was an increasing number every day. As we started in development of our MyLicense software product, we really needed servers. We tried to host multiple servers on a single box and it didn’t work. We were looking for the ability to quickly deploy servers for the developers as they needed them. Virtualization is the only way to do this. By sharing the resources on a single server, we can roll out servers almost instantly. In-house, we’re currently running three boxes. Two of our main boxes are for virtualization. One is deployment for customer sites, test sites for customers, and the other is for test sites for our own developers and quality assurance people. We’re probably running about 25 sites on each server at the moment.

Wasserman: So virtualization helps you deliver products to customers?

Callan: It helps us deliver products to customers on time, but also it allows our developers to quickly respond to deploy a new software build to see how it works, to have development sites that are different from our production sites and our quality assurance sites. Developers will go in and change a site and make changes on an ongoing basis and if anyone is trying to share that server they’re going to have some serious problems. So we need to give them their own servers and in many cases dedicated servers to run on the various levels of Oracle that we support and SQL server. We were facing this multiplying need for environments.

Wasserman: What have the results been?

Callan: We can turn around servers very rapidly now. One of the things that happens, for example, is we’ll do a new build. Within about two hours, I can deploy roughly eight to 10 new servers with the new version of the software. Every time we do a build, we simply turn out a number of quality assurance servers for the team to work with. That takes about two hours. I wouldn’t begin to think what the 50 servers would cost me to buy. They run around anywhere from $1,500 to $2,000 each these days. So we’ve saved about $75,000 to $100,000 versus I think we’ve put in about between the software licensing everything was $25,000 to $35,000.

Wasserman: Tell me about your implementation.

Callan: We did it in an afternoon. It seems rather funny now. We got a trial version of Parallel’s Virtuozzo Containers software, worked with the sales people, and I installed the software and created a server with an operating system and installed on an existing server here started at 11 a.m. and had everything up and running by 1 p.m. By the time I went home that night, I had eight servers up.

Application Security 101

You’ve hired someone to build the Web-based application for your business’ online home, but do you know how they plan to lock the front door? Long-neglected by companies of all sizes, application security is the new buzzword in business. Unsecured apps allow anyone to walk right in and make themselves at home — while vandalizing your business, stealing big bucks, and creating off-line downtime.

And as large companies batten the hatches, hackers look for easier targets. “The path of least resistance may lead them to small businesses,” says Blake Frantz, a consultant with Leviathan Security Group Inc., a company specializing in application security, based in Westminster, Colo. Most security loopholes are “simple programming mistakes,” says Jeff Williams, chairperson of the Open Web Application Security Project (OWASP), a non-profit organization educating businesses and developers about the risks of unsecure apps. “They don’t teach this stuff in schools. It’s the dirty underbelly of the software industry.”

Here’s how to implement application security from design to implementation, and get the strongest castle for your dollar.

Sketch out scary scenarios. According to Williams, business owners should ask themselves: “What are the worst things that could happen to me?” Are you worried about downtime? Customer accounts or database corruption? Regulatory non-compliance? Bringing your concerns to the table ensures that every party knows what’s on the menu, whether you’re still seeking a developer or would like to review current code.

Know top problems. Check your concerns against the OWASP Top Ten, which lists exploits common in Web-based applications. Frantz says serious issues with Web apps include cross-site scripting and SQL injection attacks. Cross-site scripting allows malicious users to take over users’ browsers, while SQL injection exposes database contents, allowing hackers to read, change, or destroy your database.

Secure your trusted developer. Seek recommendations when hiring an application developer. Otherwise, you’re depending on an individual, yet know little about their background. Ask potential hires or firms if they’re familiar with the OWASP Top Ten, and how — not whether — they build safety measures into applications. Seek developers that attend RSA or Black Hat conferences, or are involved in their local chapter of OWASP.

Design Documents. Before the developer starts creating your Web storefront, request an outline for preventing your worst-case app-related scenarios. Williams proposes focusing on how the developer deals with cross-site scripting, authentication, and access control. Check his or her answers against the OWASP Top Ten. Often, security speak is overlooked during initial design discussions, Williams says. “So the OWASP legal project created sample language, to serve as a guideline for that conversation,” he adds.

Appraise your apps. If you’re unsure about your current application’s weaknesses, consider contracting a short-term consultant to look for code loopholes. Alternatively, documentation reviews offer good value, another argument for solidifying security requirements before the developer’s work begins.

As the OWASP site points out, security isn’t a one-time event. Map out strategies before, during, and after development, so your business stays safe.

Protecting Your Network from Hackers

Jason Chen, a former systems administrator and programmer for an e-commerce company, woke one March night last year to the sound of his cell phone buzzing. He had created a program to notify him by phone when important files were changed or certain transactions were complete on the company’s computer system. But that night it was going crazy. Hackers had attacked his company’s servers and the system was in its final death throes, calling out to him over his phone. Chen groggily pulled on his sweat pants, and made the 20-minute drive down to the office. When he got there, he saw that intruders were accessing the machines remotely.

“I quickly turned off the Internet connection and saw that I was being attacked by a Turkish hacker group,” Chen recalls. “After recovering the website from a week-old backup, I looked to discover why the intruders got access through the firewall. Developers had opened a few ports because they wanted to work from home and access the server and then they forgot to close them.”

Chen’s experience wasn’t that unusual. Firewalls are often a small or medium-sized business’ only line of defense against hackers and they sometimes fail. But the number and sophistication of hackers continue to rise, as cyber attacks increasingly target financial gain and are coordinated by organized rings of criminals as opposed to disgruntled teens. In addition, the increasing use of remote access to business networks by employees and the growth in connectivity by business partners has blurred the lines between internal and external networks.

These are some of the reasons why it is more important than ever that business leaders understand what they can do to keep hackers out of their servers and, more importantly, how to close up holes that might pop open without their knowledge. Forrester Research analysts Paul Stamp and Robert Whiteley wrote in a recent report that most companies — 80 percent in fact — had firewalls while only 49 percent had any form of intrusion detection. At the same time, only 26 percent used a secure virtual private network (VPN). While the obvious pieces are usually put in place, the most important aspects — secure system architecture and quarantine servers — are often overlooked.

Here are some tips on how to protect your business network from hackers:

The key to controlling your server assets is deciding which servers are forward-facing and which servers should be kept completely behind your firewall. Forward-facing servers should be stripped to their barest minimum — if you’re using Windows, turn off all Web features, close all ports, and enable only the applications you need like your SQL database server or Web server. Better yet, move the SQL server to a separate machine and create an encrypted connection between the two. If you are using a stock version of Linux, be sure to shut down any and all unnecessary programs and servers. Stock Linux installations often include mail servers, graphics programs, and other detritus. Uninstall these immediately.

Although your users will hate you for it, use a VPN to access data from the outside or, better yet, create a secure Web-repository for important data. Use encryption on the server to keep things secure and transfer data to and from the webpage using SSL encryption. Hackers can’t do anything with encrypted files, even if they get past all of your defenses.

When working with an IT team, have them create a Venn diagram of two overlapping servers. One side will be the forward-facing servers and the other side will contain internal servers. The overlapping points are considered a DMZ, a no-man’s land full of encrypted connections or, better yet, no connections at all. Some servers will need to be on the outside — email, Web, FTP — and some will stay on the inside, ideally only connected to your internal network. Label any and all possible entrances and exits into the internal servers, thereby allowing you and your team to keep track of potential holes in your armor.

No system is hack-proof, but with a little preparation your business can create a setup that is as close as you can get without disconnecting from the Internet entirely.
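
The advice above to close every port you do not need and to label each entrance, as an added example that is not part of the original article: a script that compares a server's listening TCP sockets with a declared allowlist and reports the rest, such as ports opened for remote work and never closed. The sample text in the layout of Linux `ss -tlnH` output, the port policy and all function names are constructed for illustration.

```python
"""Audit listening TCP sockets against a declared allowlist (added example)."""
from dataclasses import dataclass
import ipaddress

# Constructed sample in the column layout of `ss -tlnH` on Linux:
# State  Recv-Q  Send-Q  Local-Address:Port  Peer-Address:Port
SAMPLE_SS_OUTPUT = """\
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:3389 0.0.0.0:*
LISTEN 0 128 0.0.0.0:1433 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 10.0.5.10:8443 0.0.0.0:*
"""

# Hypothetical policy for one forward-facing Web server.
# "public"   = may listen on any interface
# "internal" = may listen only on loopback or private addresses
ALLOWLIST = {80: "public", 443: "public", 1433: "internal", 25: "internal"}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int

    @property
    def exposed(self) -> bool:
        """True when the socket is reachable beyond loopback/private space."""
        if self.address in ("*", "0.0.0.0", "::"):
            return True  # bound to every interface on the host
        ip = ipaddress.ip_address(self.address)
        return not (ip.is_loopback or ip.is_private)


def parse_listeners(ss_output: str) -> list[Listener]:
    """Extract (address, port) pairs from `ss -tlnH`-style lines."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip headers, blank lines and other states
        host, _, port = fields[3].rpartition(":")
        # Drop any %interface scope, then the brackets around IPv6 literals.
        host = host.split("%", 1)[0].strip("[]")
        listeners.append(Listener(host, int(port)))
    return listeners


def audit(ss_output: str, allowlist=ALLOWLIST) -> list[tuple[int, str, str]]:
    """Return (port, address, finding) for every listener that breaks policy."""
    findings = []
    for listener in parse_listeners(ss_output):
        scope = allowlist.get(listener.port)
        if scope is None:
            # Nobody declared this entrance: the forgotten-port case.
            kind = "unlisted-exposed" if listener.exposed else "unlisted-internal"
        elif scope == "internal" and listener.exposed:
            # Declared service, but bound wider than the policy permits.
            kind = "overexposed"
        else:
            continue  # matches policy
        findings.append((listener.port, listener.address, kind))
    return sorted(findings)


if __name__ == "__main__":
    for port, address, kind in audit(SAMPLE_SS_OUTPUT):
        print(f"{kind:18} {address}:{port}")
```

Run on a schedule against real `ss -tlnH` output, a check like this turns the labelled list of entrances into something that is verified rather than remembered.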

System Alert: You’ve Got…Worms

As anyone who has an e-mail account knows, the past few weeks have seen unprecedented virus attacks on computers around the world. With names like Sobig, Blaster, and Welchia, these viruses are the bane of many an IT department — not to mention an “I-was-here” calling card for their nose-thumbing authors. No longer confined to e-mail attachments, the latest worms can spread through the Internet, wreaking havoc as they take advantage of vulnerabilities in exposed computers. A company’s entire network can be brought to its knees in minutes — and many recently were — as infected machines become mass-mailers that cause the virtual equivalent of clogged arteries.

Was the recent spate of attacks just more of the same — or are virus writers beginning to infect computers with other gains in mind? Experts at Wharton and elsewhere weigh in on possible motives, what businesses should do to protect themselves — and which industry sectors stand to gain from the chaos.

Malicious Code or Marketing Tactic?

Some media reports suggest that a few of the present crop of viruses differ from those that infected computer systems in the past. One difference, they say, is that these bugs can capture e-mail addresses as well as IP addresses “that can later be used to generate massive amounts of spam.” How real is that concern?

While it’s tempting to wonder whether the latest viruses are being unleashed with a profit motive — and the goal of using computers to send spam — most people agree that it’s unlikely. “The haxors [a term derived from "elite hacker"] and ‘script kiddies’ who write viruses actually hate spammers,” notes Dan Hunter, a professor of legal studies at Wharton. “It doesn’t seem likely that they would get into bed together. The recent big viruses have been e-mail viruses because it’s easy to exploit — since Microsoft Outlook is so pervasive and so buggy — and they cause huge problems. Most people run some type of mail client, as exploited by Sobig; quite a few people run SQL Server, as exploited by Slammer. This explains the pervasiveness of mail viruses better than the idea of a grand conspiracy of spammers.”

What’s more, says Hunter, it’s not worth the grief: “Viruses are clearly illegal in many jurisdictions, whereas spam isn’t. Why would a spammer, or a conspiracy of spam enablers, subject herself to criminal prosecution when it’s unnecessary?”

Chris Belthoff, senior security analyst in the U.S. office of Sophos, a U.K.-based anti-virus protection firm, has seen no direct evidence that new spam messages have been sent from infected machines. However, he notes, it’s not impossible. “The author of the most recent Sobig virus variant almost certainly used some heavy-duty spamming techniques to initially distribute the virus, which is the main reason it caused so many problems. While there is no hard proof that e-mail addresses are being harvested with recent viruses, it is certainly possible to do so on an infected system with some fairly simple techniques.”

Due to the nature of e-mail addresses, moreover, it would be difficult to follow a money trail even if it did exist. “Since this pure information product can be gathered, sold, and used without ever taking on physical form like a CD or printout of names, it’s very difficult to track who’s profiting from it,” says David Croson, visiting professor of management science at MIT’s Sloan School of Management.

Stay Current or Else

While estimates of the exact economic impact of viruses vary widely, just about everyone agrees that the costs to business are substantial. So what should firms do to protect themselves from a virtual blackout?

“Companies not only need to ensure virus protection is in place on every single system (especially remote and mobile systems) but that virus protection programs on these systems are kept up-to-date with automated methods,” says Belthoff. Patches — software fixes that close holes in programs — need to be applied regularly, he adds. “Security policies for all companies need to include detailed steps on identifying new vulnerabilities, quickly testing available patches, and deploying them.” A third consideration is end users: “IT departments should feel compelled to either directly lead or heavily influence end-user training for security issues, getting the end users to be more security-aware,” says Belthoff.

Wharton chief information officer Gerry McCartney notes that security needs to be an organization-wide endeavor. “If all the energy is put into guarding the perimeters of the organization — but people inside don’t feel the need to be vigilant — then large-scale bad things can happen if the perimeter security is broken. Organizations need to be vigilant in terms of keeping their machines fully patched and acting quickly and decisively to remove infected machines from their network, no matter who they belong to or what they do.”

Shuttering the Windows

Since most viruses target Microsoft programs, the obvious question in many an IT manager’s mind is: Is it wiser to switch to another system, such as Macintosh or Linux?

Hunter believes that for some firms, going the non-Windows route could make sense. “I think that some businesses will look to other platforms and factor virus costs into their IT departments. Linux and Mac — which of course uses UNIX — are inherently more stable than Windows, and the security on the applications tends to be better. They are also, because of their low user base, a much less attractive target for virus writers. As a result I’m sure there are some places that are looking at their total computing infrastructure costs and realizing that migrating to another operating system is going to be cheaper in the long run than maintaining Windows. Microsoft has been trying to push its ‘trustworthy computing’ initiative, one major component of which is resistance to viruses. Recent events haven’t helped their position.”

Croson points out, however, that viruses would probably go wherever the users are. “Remember, Windows is a target of opportunity because (a) it’s popular, so the fixed cost of writing a worm to attack it can be spread over a lot of computers that it could infect, and (b) users of the Windows OS are, on average, less sophisticated than, say, Linux users. If the majority of systems — especially those run by novice users, who don’t really understand operating systems or security — were Mac, then the worms would attack Macs. Thinking about the supply-side incentives for people to produce viruses will give us more insight into how to defend against them, by learning how to automatically defend against prosaic ‘script-kiddie’ viruses and making it not worthwhile to create really clever ones.”

In addition, the costs of switching are not insignificant, cautions Belthoff. “Migration to Linux or Mac from Windows may appear attractive at first glance to someone dealing with a major virus infection and cleanup tasks. However, migration costs are sometimes more than they initially appear, particularly with Linux. The cost of the operating system is only one of several cost factors. Others are initial deployment, training or hiring of proper IT personnel, maintenance, and migration of applications to the new platform.”

Besides, migrating isn’t a cure-all, he adds. “It is important to note that, although Mac and Linux systems were not ‘infectable’ directly from Sobig.f, users of these platforms could suffer just as much as Windows users from all the resulting e-mail bounce backs and undeliverable returns caused by the worm. From that perspective, you couldn’t hide from Sobig by being on Mac or Linux.”

Place Your Bets

Not surprisingly, one firm’s infection is another’s profit opportunity, and several players are emerging to take advantage of it. “The big winners will be data security vendors,” says McCartney. “Between people’s concerns about what and how personal data is stored and available and these continuous security compromises, there is a strong argument to be made that most places are not yet doing enough to protect their data assets.”

Anti-virus vendors and intrusion prevention firms aren’t the only gainers, adds Belthoff. “There is also increased interest on the part of organizations in performing some form of ‘lockdown’ on the end-user desktop, which would drive increased interest in personal firewall and content filtering vendors.”

Established players like Norton and Symantec, notes Hunter, may be joined by new entrants in such niches as plug-ins for mail clients. Alternative platforms will likely tout their superiority, too: “Apple and the Linux-purveyors will probably use this as a marketing benefit. Why wouldn’t they?”

All materials copyright of the Wharton School of the University of Pennsylvania.

There’s a Virus Going Around

Note: This is the first in a series of technology updates by former Inc. senior writer Anne Stuart. Future columns will explore topics such as “spam,” videoconferencing, cell phone messaging, and smart business use of online auctions.

Slammer. Klez. Bugbear. Bubbleboy. Lirva. Those sound like names for characters in kids’ cartoons, but they’re neither funny nor harmless. They’re computer viruses. And they’re increasingly common. Over the past decade, virus-writers worldwide have created and released about 80,000 viruses, worms, Trojan horses and other “malware” programs, according to Graham Cluley, senior technology consultant for antivirus software vendor Sophos Inc. (www.sophos.com). And about 600 to 800 new variations crop up every month, although, typically, only a few cause widespread or serious headaches.

What exactly is a virus? It’s a tiny, malicious software program designed purely to disrupt or damage computers.

What exactly do viruses do? Some simply display odd messages or images. Many — including the famous Melissa virus — perpetuate themselves by sending infected messages to everyone in a user’s e-mail address book. Others gobble memory or storage space, making systems sluggish. Some corrupt files — for instance, changing spreadsheets or chewing up text documents — or erase them entirely. Some alter Web pages. Some reformat hard drives, block user access, or cause systems to freeze. A few disable security measures or open secret “holes” into computer networks, providing hackers with easy access.

Like their biological counterparts, computer viruses can spread fast, attack systems silently, and cause a great deal of pain. In January 2003, the SQL Slammer worm circled the globe in less than an hour, infecting 75,000 computers in 10 minutes. Slammer, which paralyzed computers running Microsoft SQL Server 2000, temporarily shut down South Korea’s telephone system, knocked out thousands of Bank of America automatic-teller machines, and slowed credit-card transactions worldwide.

How much financial damage can viruses cause? It’s tough to find reliable numbers about the costs of virus attacks because some effects — for instance, decreased productivity and unrealized business opportunity — are tough to quantify. In addition, many companies simply won’t share information about security-related losses.

Following are several ways you can prevent or minimize the impact of virus attacks in your business:

Install antivirus software on every computer. That includes laptops and PCs in remote offices. Encourage employees to use antivirus programs at home as well, especially if they use their own computers to connect to your network. In addition, consider protecting e-mail gateways with software that automatically blocks all incoming messages carrying executable code — but keep in mind that those filters may also capture legitimate business communications with harmless attachments.

Keep antivirus programs current. With new viruses popping up regularly, it’s critical to make sure you’ve got the latest protection. Most leading solutions can be set to periodically update themselves online; you can also do the job manually to respond to new threats.

Launch a company-wide prevention campaign. State-of-the-art security measures won’t protect your company unless everyone uses them. A single employee can unintentionally infect the entire network by opening a booby-trapped e-mail attachment or installing contaminated software. Make sure everybody knows and follows these basic virus-prevention procedures:

Always delete junk e-mail messages — ads, jokes, chain letters — without opening them. More than 85% of viruses infect businesses via e-mail, according to the International Computer Security Association’s (www.icsa.net) annual Virus Prevalence Survey released in March 2003.

Never open e-mail attachments from strangers. And even those from people you know should be scanned with software that might spot viruses forwarded unintentionally.

Be selective about downloading and installing software. Know the source and scan the files before running any new program.

Get knowledgeable about pranks and hoaxes. Phony virus alerts waste almost as much time as the real thing. When you get a forwarded e-mail message breathlessly proclaiming some new threat, check it out at Vmyths (www.vmyths.com) or on other virus information sites before responding.

Regularly update Microsoft products. Many viruses attempt to exploit vulnerabilities in Windows, Outlook, Internet Explorer, and other products by the giant software empire. Microsoft’s security page (www.microsoft.com/security/) provides alerts, “patches,” and advice for both home and business users.

Back up. Back up. Back up. At work, store files on both PC and network hard drives. At home and on the road, copy important files to CDs or floppies. Begin backing up entire systems nightly or weekly, perhaps storing an extra copy of critical information offsite. Look into Web-based storage services such as Connected Corp. (www.connected.com), Easyspace’s Easyarchive (www.easyspace.com/services/easyarchive.html), and Elephant Backup (www.elephantbackup.com).

The computer-virus universe changes constantly, with, according to some estimates, about 20 new viruses surfacing every day. You can’t vaccinate your computers against all of them. But with vigilance and commonsense caution, you can strengthen your company’s electronic immune system, making it much more likely to survive an attack.

Glossary

Antivirus Program: Software that detects and removes viruses from computer hard drives. Such programs must be updated regularly to add profiles for the thousands of new viruses that appear every year; updating can often be handled quickly online.

Trojan (or Trojan Horse): A malicious program in disguise, named for the giant wooden gift horse the Greeks used to conquer their Trojan enemies. Trojans appear benign, entertaining, or even useful, but actually conceal viruses that can harm systems. Backdoor.BO (also called Back Orifice) is among the best-known examples.

Virus: A malicious software program used to deliberately infect a computer system. Typically, viruses are concealed in existing programs and activated when those programs are executed. Viruses often cause damage by replicating themselves, causing systems to crash, or by attacking or attaching themselves to other programs. Stealth viruses remain hidden or change themselves after executing so that they can’t be detected. Well-known viruses include Melissa and Bubbleboy.

Worm: A type of virus that replicates itself and gobbles up computer memory but cannot attach itself to other programs. Well-known worms include Klez.H, LoveLetter (sometimes called “IloveYou”), Bugbear, and Lovgate.

Further Reading

The following books, all available from Amazon (www.amazon.com) and other booksellers, offer generally easy-to-understand information about computer viruses:

Securing the Network from Malicious Code: A Complete Guide to Defending Against Viruses, Worms, and Trojans, by Douglas Schweitzer (John Wiley & Sons, 2002). Offers sound, practical, comprehensive advice from a security expert. Updates provided on a companion Web site.

Malicious Mobile Code: Virus Protection for Windows, by Roger A. Grimes (O’Reilly & Associates, 2001). Focuses on defensive strategies.

Viruses Revealed, by David Harley, Robert Slade, and Urs E. Gattiker (McGraw-Hill/Osborne Media, 2001). Explains what viruses are, how they work, where they come from, how to prevent them, and how to deal with them. Includes case studies. Also available as a downloadable, searchable e-book.

Resources

The following Web sites provide comprehensive information about viruses, worms, and similar threats:

About.com Antivirus Software Guide
antivirus.about.com/index.htm?terms=computer+virus
News, glossary, encyclopedia of hoaxes, links to vendors and other resources.

CERT Coordination Center, Carnegie Mellon University
www.cert.org/
A wealth of information on all aspects of computer security at work and at home.

CNET Virus Alert Center
www.cnet.com/software/0-7760531-8-6319437-1.html
News on current threats, advice on PC protection, links to free resources, and antivirus software vendors.

Computer Security Institute
www.gocsi.com
Major membership organization for technology-security professionals; Web site contains articles, reports, and links to additional resources about viruses and other security issues.

International Computer Security Association (ICSA) Labs
www.icsa.net
Independent arm of security vendor TruSecure Corp. (www.trusecure.com) offers “vendor-agnostic” testing and research. Web site contains constantly updated virus alerts, white papers, studies, an annual Virus Prevalence Survey, and more.

National Institute of Standards and Technology Computer Security Resource Center Virus Page
csrc.nist.gov/virus/
Information, links to other resources and antivirus software vendors.

Sophos Inc.
www.sophos.com/safecomputing
Safe-computing advice for both network administrators and individual users.

Virus Bulletin
www.virusbtn.com
Independent antivirus advice, news, profiles, and resources.

Vmyths
http://www.vmyths.com
Supersite for information on virus myths and hoaxes.

Vendors

Following is a sampling of major antivirus software vendors whose offerings include products, services, and information targeted to small and growing companies:

Command Software Systems Inc.
www.commandsoftware.com
Founded 1984; now part of Authentium Inc. Offers antivirus software for home users, large companies, and small businesses. Web site’s Virus Center includes news, alerts, a glossary, research, e-mail newsletters, and other information.

Computer Associates International Inc.
www.ca.com
Founded 1976. Offers antivirus software for businesses. Web site’s Virus Information Center contains alerts, encyclopedia, and an extensive glossary.

McAfee Security
www.mcafee.com/
Founded 1989. Offers antivirus and security solutions for home users, large companies, and small and growing businesses. Network Associates Inc., McAfee’s parent company, provides free virus alerts, updates, updates on hoaxes, and other information.

Panda Software Inc.
www.pandasoftware.com
Founded 1990. Offers antivirus software for home users, large companies, and small and growing businesses. Web site includes Virus Information Center with virus encyclopedia (including “Top 5” current threats), hoax updates, tips, and other resources.

Sophos Inc.
www.sophos.com
Founded 1986. Offers antivirus software for companies of all sizes. Web site includes a rich collection of analyses, articles, updates on hoaxes, and alerts, including monthly “Top 10” virus list.

Symantec Corp.
www.symantec.com
Founded 1982. Offers firewalls, antivirus software, and other security solutions for home users, large companies, and small and growing businesses. Web site provides free virus alerts, library of virus information. Customers can download anti-virus updates from home page. Provides updates on hoaxes.

Trend Micro Inc.
www.trendmicro.com
Founded 1988. Offers network antivirus software and other security products and services. Web site includes virus advisories, encyclopedia, prevention tips, and additional information. Also offers a free online cost-analysis calculator for determining potential financial impact of virus attacks.

Send feedback, column ideas, and tech tips to annestuartinc@yahoo.com.
