Microsoft released this week information about an issue in their OS that has made hundreds of applications that run on Windows vulnerable to attack. 

Here’s the security advisory from Microsoft: http://www.microsoft.com/technet/security/advisory/2269637.mspx

The vulnerability basically allows applications to start DLLs that are on remote network shares.  A DLL (Dynamic Link Library) is a piece of code used by applications to help them run.  Typically when an application is installed the associated DLLs are either placed in a standard directory (C:\Windows\System32) or in the same directory that the application is installed in.  The flaw allows the applications to start DLLs that are not on the local workstation.  This means that if you attach to a network share and click on a file on that network share and it starts an application on your local workstation that application may actually call a malicious DLL that is saved on that network share rather than your local workstation. 

Here are a couple more articles on the vulnerability:

• http://isc.sans.edu/diary.html?storyid=9445
• http://www.zdnet.com/blog/security/details-emerge-on-new-dll-load-hijacking-windows-attack-vector/7204
• http://www.pcworld.com/businesscenter/article/204017/microsoft_applications_plagued_by_binary_planting_flaw.html

Some of the application impacted by this are Windows Office, WireShark, Firefox (v3.6.8), Windows Live Mail, etc.  Basically be expecting a lot of patches to be coming out over the upcoming weeks.  To limit your personal exposure be sure you know and trust the location of the files you are opening. 

MaaS360 Patch Analyzer provides access to detailed information about installed and missing patches including Product, Title, KB Article ID, Bulletin ID, Severity, Category, and More Info URL to Microsoft® TechNet.

As you know from reading this blog, I work for Fiberlink, a company that operates a “Mobility-as-a-Service” platform called MaaS360. The marketing tag line for this platform is “See. Know. Go.”

Now I am no marketing whiz, but I think that is a fantastic tag line and describes what the platform does to a tee. “See”—the discovery of endpoints and the collection of all the pertinent hardware, software and compliance data. “Know”—the Business intelligence reporting capabilities to inform and support decisions.

Then you get to the “Go” part. I got to thinking. “Go” is all about action, not data and analytics. “Go” is likely push a patch, distribute software or mitigate a security or configuration issue. These are typically automated actions related to some change required at the endpoint. “Go” is also the part of the process that may actually have some benefit for or impact on the end user of the target machine. Considering the impact on the user is an area where many workflows and solutions lack thought, and end user needs can get lost in the rush to use automated methods to manage endpoints. It is important to not lose sight of what the goals of Endpoint Management are in the first place, which are to provide a secure, efficient work environment that will allow employees to be productive, to be cost efficient and to add to the bottom line.

The “Go” part of the equation has to consider the impact on the end user, and there should also be contingencies in place for situations where the user is impacted negatively. Remote Takeover is a tool in the Endpoint Management bag of tricks that can make the “Go” part much more personal and provide the ability to remedy a situation where an automated function has not met its goals.

In this world of mobile and remote working, it is not easy for an end user to ask a coworker for help, or walk down the hall or ping the IT guy. This is where Remote Control can be very valuable and provide that personal touch to reach out and help an end user with an issue or to follow up after a change to their system. Remote Takeover allows an Endpoint Management administrator access to an endpoint’s screen, keyboard and mouse, and facilitates a range of actions that can go from coaching the user on various activities to repairing configuration issues that were not resolved using other “Go” tools. 

Maybe you view Remote Takeover as a last resort. You might want to think about Remote Takeover as an opportunity to interact with end users in a personal way in an ever increasingly detached world.

And the best part…It’s FREE!  

Who doesn’t like to hear those words? Well, I guess it really depends on what we are talking about. If it’s your neighbors trash, that’s not really good. If it’s a free hammer when you are about to build a shed in the backyard, that’s pretty helpful. How about when it saves you time or money in doing your day-to-day job? In the world of software applications, IT support staffs seem to have their favorites.  They’re not just for fun and games, there are some serious cost and time savers. 

The desktop manager at my company has a bunch of favorites he was willing to share with me.  I think you will find these useful if you are not already using them. 

• 7-zip:  A great alternative to WinZip, it is based on open source code which is totally free to use.
• Malware Bytes:  This manager uses the free version for anti-malware (i.e. software that was loaded unknowingly). The website also offers a support forum which is very active. NOTE: There are also paid versions which unlock advanced capabilities which he has not used yet.
• Primo PDF: This is a great alternative for most users. Outside of legal, marketing, and technical publications, everyone gets the free version. 
• Danm Small Linix or DSL: which is a small bootable environment that has a tiny core of command line tools to assist with many day-to-day operations.  DSL is a community project that has grown in time to be much more than what I have already mentioned;, it is definitely worth a look.
• AIK: As written by Microsoft, “The Windows® Automated Installation Kit (Windows AIK) is a set of tools and documentation that support the configuration and deployment of Windows® operating systems.“ This is what’s needed to migrate to Windows 7.
• Image X: Another tool from Microsoft which allows for capturing, deploying and modifying images for post-Windows XP OSs.  Image X is a shift in the paradigm for imaging.   It’s a file-based imaging tool in contrast to Norton Ghost, which is a sector-based imaging tool. 

He states that some of the apps are for his team’s own productivity, while others just save the company money. “No need to have everyone purchase Adobe Acrobat when Primo is a fine PDF alternative for ninety percent of the user base.” He claims it saves the company money but, I personally think it just keeps more money in his budget to spend on cooler things. You know, like compressed air and screen wipes.  

I’m sure you have a list of free applications that personally save you time and money. If you have a couple you want to share, please leave a comment. I would love to know what apps you find most useful.

Having trouble supporting your mobile users? Collect the hardware, software, network, and security information you need to solve problems reported by your mobile users with the free MaaS360 Glimpse tool. Get it now.

Prior to taking on a product management role, I had worked for several years in Supply Chain Management, and I had the chance to dig through usage numbers when Mobile Broadband in the enterprise was still in its infancy.  And truth is there’s no surprise to me (or most) that carriers are moving to usage-based pricing, or that 3% of AT&T users make up 40% of their network usage. In almost every different level of enterprise data I’ve seen, that’s happened across the board. In certain cases we actually took the extra step to see why there was such a surplus of data for these users, and, of those users, only  a very small percent were actually business travelers using the service as providers intended (while streaming some music and videos along the way). The “problem” high usage accounts were users who wanted  always-on connectivity at home, corporate test PCs hat were running all the time, the corporate back up in some cases, and always-on connections for IT/Infrastructure teams so they can constantly ping servers, etc. Funny, some people do actually think unlimited means unlimited!   

That said, today it’s a little different (just check out AT&Ts data calculator tool at http://www.att.com/standalone/data-calculator/index.html).Today, all you need to do is stream an hour’s worth of your favorite TV show and send a couple emails, and bam! 200MB is gone. Mobile content is a major factor that will cause the data usage for the 3% to become more common, which would seem to be the carriers’ biggest fear. It’s easy to make things more complicated, especially when you’re required to actually pay attention to what you’re doing!   And that’s exactly where carriers are taking us with usage-based pricing.

But is metered usage that bad?  Though times are always changing, as a rule of thumb, I’ve learned that not only is usage-based pricing good for the carrier, it’s also the way to go for the enterprise who is looking to maximize cost savings around wireless spend. Of course that means you have to monitor it and manage it a lot closer.

So, who today within the enterprise is managing this growing area of wireless usage and costs, and how are they doing it? Whoever it may be within your organization, they undoubtedly need more control. Users are using YouTube, Netflix, their favorite streaming music site, social media and much more when they are connected.

So what can I do?  There are a limited number of enterprise services that are available today to help you manage wireless usage across devices, carriers and Wi-Fi networks around the world.  As you compare solutions, I would suggest making sure the follow features and functions are available to ensure you have controls to easily manage and enforce mobile usage, and that they include tools to make end users aware of their limits so that they can better manage usage themselves.

Tips to control Mobile Usage:

• Have the ability to track on network and roaming mobile broadband, as pricing can vary greatly
• Have the ability to stop users from connecting after they reach pre-defined limits
• Shut down Wi-Fi connections that are inactive for long periods of time
• Have reporting capabilities to track this on or near real time, and then over time for trending and plan alignment
• Make users aware that they are coming close to their limits; they don’t want to cost you more money, they usually just don’t know
• Look into tethering; it can be a low cost option for occasional mobile users – but the same controls need to be available
• If you have connection management software that allows for automatic connections, ensure management can add or remove transports as needed, as well as set preferences. For example, you could specify that Ethernet connections are always ahead of mobile data connections
• And, of course, tell your users to use FREE Wi-Fi, even if it requires going into McDonalds and spending 30 seconds to fill out the web page

In summary, usage-based pricing is here to stay, and in many cases it’s already in place. It’s not something you need to be scared of if you have the right tools in place to help manage usage. And, if used correctly, you can probably save a little cash, too.

The AT&T data calculator is a pretty cool tool to help bring things to light, in terms of how much data is used for certain content and just how quickly it can go. 

As an example, if you choose the 200MB plan, based on the calculator you would get each day (per month):

• 12 emails a day (no attachments)
• 2 emails with photo attachments
• 4 emails with attachments
• 7 web page views
• 2 social media posts with photos uploaded

Or about 60 minutes of streaming video (over a month) and 20 emails a day.

That’s not a lot.

Remember the days of investment bankers and investors carrying around the Blackberry 850 that looked more pager than the start of today’s smart phone craze?

Also, wasn’t it just two years ago that Blackberry had a stranglehold on the enterprise smartphone?

Well, those days are obviously gone and some new smartphone research that we conducted with Forrester Consulting shows that the Financial Services industry appears to be leading the way again.

How so? In our survey:

33% of firms already support multiple smartphone platforms.

More so, 50% of firms offer some type of support for personal smartphone devices.

So much for that Blackberry stranglehold.

Also, what the research shows is that IT is starting to think about and want to manage smartphones a lot like they do PCs. This makes sense, given that the latest OS offerings on the major smart phone platforms are more useful than PCs were when that first Blackberry hit the market. See for yourself on the latest reviews of iPhone/iOS, Blackberry, Windows Mobile, and Android.

What are these PC-like IT management needs that Financial Services firms are anticipating?

87% of surveyed firms are concerned about compliance with FINRA, SOX, Regulation S-P, GLBA, and HIPAA (to name a few regulations.) If you want more on these regulations, this separate whitepaper that goes into much detail on explaining and meeting them for mobile devices.

Plus over 80% of firms are concerned about malware, hackers, identity theft, and device theft.

And, 80% of firms are concerned that there is a lack of accurate reporting on these devices to support efforts at managing the above list of concerns. (Click here if you’d like to see how MaaS360 offers unique visibility into smartphone devices.)

Sounds like managing PCs and laptops, doesn’t it? On that note, research firm Gartner is predicting that PC Life Cycle and Mobile Device Management will converge by 2012. (If you are a Gartner client, you can access that research under ID:G00169473.) I guess we should get ready for a five-letter acronym for that one. UDLCM anyone? But, seriously, it makes sense given that the lines are blurring quickly. And, these PCs in our pockets will quickly pose more of a risk and user support challenge than our actual PCs.

I’ll stop there on this post, but for a complete copy of the Forrester Consulting research, you can download it here.

And, for the record, I love my Blackberry (the original 8800. It’s a workhorse.)

Here we will look at another excellent set of guidelines for financial firms, the Data Security in Financial Services report from the Financial Services Authority (FSA) of the UK. This report provides detailed recommendations on how firms can comply with The Data Protection Act 1998 (DPA), which “gives legal rights to individuals in respect of personal data processed about them by others.”

This report can be downloaded at:

http://www.fsa.gov.uk/pubs/other/data_security.pdf

Inventory and Anti-Spyware

The FSA report highlights the risk that key-logging devices and malware can capture log-on credentials and facilitate unauthorized access to personal information. Best practices to prevent this include “use of software to determine whether unusual or prohibited types of hardware have been attached to employees’ computers,” and “anti-spyware software and firewalls etc in place and kept up to date.”

Control of Laptops and Data on Devices

The report strongly recommends “The encryption of laptops and other portable devices containing customer data” and “Maintaining an accurate register of laptops issued to staff.”

Control of USB Devices

FSA authors also point to the risks inherent in the widespread use of portable USB devices. They cite as best practices in this area “The use of software to prevent and/or detect individuals using personal USB devices” and “The automatic encryption of portable media attached to firms’ computers.”

In short, in the area of controlling confidential data on endpoints, the Data Security in Financial Services report recommends encrypting data on laptops, encrypting USB devices, and implementing tools to ensure that up-to-date security features are in place on laptops and other portable devices. In fact, the FSA has fined financial firms for not effectively following these recommendations.

In our previous post we surveyed several regulations and standards with provisions that apply specifically to endpoints.

We also noted that some of these included general guidelines such as “protecting against foreseeable risks” that might be challenging to pin down. What standards can financial firms use to address such vague requirements?

Here we will look at one source of guidance on financial industry best practices, the Information Security Handbook from the Federal Financial Institutions Examination Council (FFIEC).

This document can be downloaded at: http://www.ffiec.gov/ffiecinfobase/booklets/information_security/information_security.pdf

Patch Management

The FFIEC Information Security Handbook suggests that financial firms must “update operating systems with security patches and using appropriate change control mechanisms” and “Appropriately and in a timely manner patch, update, and maintain all software…” It also recommends a comprehensive patch management process, including processes to monitor vulnerabilities, prioritize and test patches, plan a rollout, and create an audit trail of all changes.

Configuration Management of Remote Endpoints

The FFIEC authors highlight the importance of protecting the integrity of remote devices. They specifically recommend that organizations “Appropriately configure remote access devices,” “Periodically audit… access device configurations and patch levels,” and highlight the importance of “Monitoring host and network condition to identify unauthorized configuration and other conditions which increase the risk of intrusion or other security events.”

Securing Remote Access Devices Against Malware

The FFIEC handbook insists that it is particularly important to “Appropriately secure remote access devices against malware” and to keep anti-virus definitions up to date. Also, to ensure that technical safeguards remain in place, organizations should have “Integrity checking software, combined with strict change controls and configuration management.”

Encryption

The FFIEC authors strongly emphasize the importance of encryption of both data stored on devices (data at rest) and data transmitted over wireless networks (data in motion).

Logging and Monitoring Remote Access Communications

The FFIEC handbook repeatedly emphasizes the importance of continually monitoring events in the environment. For wireless devices, it specifically suggests that financial firms “Log remote access communications, analyze them in a timely manner, and follow up on anomalies.”  It also recommends that firms:  “Log and monitor the date, time, user, user location, duration, and purpose for all remote access.”

Network Access Controls

The FFIEC authors recommend that for sensitive communications with remote devices financial organizations “Restrict the use of the access device by policy and configuration” and “Ascertain the trustworthiness of the access device before granting access [to corporate networks].”

The financial industry is of course highly regulated. But what financial industry regulations and standards apply specifically to endpoints, and to data stored on mobile and distributed devices?

We did a little research on the subject, and would like to share our findings.

In this post we will survey several of the relevant laws.

In the next two posts we will look at the endpoint-related content in two excellent comprehensive guides, the Information Security Handbook from the Federal Financial Institutions Examination Council (FFIEC), and the Data Security in Financial Services report from the UK Financial Services Authority (FSA).

In the fourth post we will discuss a new MaaS360^® offering designed specifically to address the endpoint compliance requirements of financial firms.

So here is a quick survey of key regulations that specifically address protecting data on endpoints or protecting data transmitted wirelessly to and from mobile devices.

Massachusetts 201 CMR 17.00

Massachusetts law 201 CMR 17.00, states that laptops containing confidential information about Massachusetts residents must be protected by data encryption, firewalls, and up-to-date anti-virus files.

http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf

Nevada NRS 603A

Nevada NRS 603A specifies that personal data transmitted electronically must be encrypted. It also specifies that organizations that accept payment cards must comply with the Payment Card Industry Data Security Standard (PCI DSS).

http://www.leg.state.nv.us/NRs/NRS-603A.html

The “Safeguards Rule” (Regulation S-P)

The “Safeguards Rule,” Rule 30(a) of Regulation S-P (17 C.F.R. § 248), applies to brokers, dealers, investment companies, and investment advisers registered with the Securities and Exchange Commission (SEC). These firms must: “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”  Further, “These written policies and procedures must be reasonably designed to… Protect against any anticipated threats or hazards to the security or integrity of customer records and information.”

http://ecfr.gpoaccess.gov/cgi/t/text/text-idx?c=ecfr&sid=5cb4e1372eca646597d391a3ecfff6a4&rgn=div8&view=text&node=17:3.0.1.1.8.1.112.20&idno=17

This regulation clearly covers data stored on distributed computers. The SEC recently fined a firm $100,000 because the company did not require its registered representatives to have anti-virus software on their computers.

California SB 1386

Forty-five of the fifty U.S. states have data breach laws that require the notification of potential victims of security breaches. One of the best known and most stringent is California SB 1386.

Fortunately, many of these laws include a “safe harbor” clause for encrypted data. If a laptop or mobile device is lost or stolen, the requirement to notify potential victims can be eliminated if the organization proves that lost information was encrypted.

http://info.sen.ca.gov/pub/01-02/bill/sen/sb_1351-1400/sb_1386_bill_20020926_chaptered.html

H.R. 2221

In 2009 the U.S. House of Representatives passed H.R. 2221, the “Data Accountability and Trust Act.” If enacted by the U.S. Senate, this legislation would create a national standard for protecting personal information and require firms to safeguard personal data against reasonably foreseeable attacks.

http://www.govtrack.us/congress/billtext.xpd?bill=h111-2221

PCI DSS

To protect payment card data, the Payment Card Industry Data Security Standard (PCI DSS) requires the use of personal firewalls, anti-virus and anti-spyware software, and virtual private networks on all computers containing credit card related information.

https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml

Our quick survey has turned up two types of mandates:

1. Requirements for specific technologies (encryption, virtual private networks, firewalls, and anti-virus packages).
2. More general guidelines such as “protecting against foreseeable risks.”

How can financial firms respond to such vague guidelines? We’ll take that up in our next post.

According to Wikipedia: A bridge is a structure built to span a valley, road, body of water, or other physical obstacle, for the purpose of providing passage over the obstacle.

Sometimes I wish I could create a bridge. Like a bridge to my house to turn my commute from 60 minutes to 40. How about a bridge to make the trip to my in-laws faster so the visit can feel less painful?  On second thought, maybe no bridge to the in-laws is a good thing…

Why build bridges? To make something quicker?  To make a task you perform more efficient? How about just to make life easier? Yes, Yes, and Yes! For me at least.

Bit Of History:

Problem: The chain of barrier islands called the Outer Banks (OBX) is a beautiful strip of sand, which many people fell in love with. If you lived in Maryland or Delaware you could only get there two ways. Take a road around the (very large) Chesapeake Bay or take a ferry ride. Depending on exactly where you live, that “round about” or ferry adds hours to your trip.

Solution: The 1952 opening of the Chesapeake Bay bridge tunnel. This allowed a smooth ride from point A to point B. Outside of traffic congestion now and then, it has simplified life for many, and trimmed hours off the trip.

Managing remote devices like desktops, laptops, or netbooks is not always the simplest task. Sure, if you’re already on the island it’s not a big deal. But, what happens when you’re not.  What happens when that device is 3,000 mile away? You likely already have the means to identify or see the device in order to understand what’s wrong. You also likely have a system to remotely connect to that device and take action on it. Just like prior to 1952, someone could get to OBX by avoiding the Chesapeake Bay or taking a ferry over it.  It’s not that you can’t manage the device. It’s just the long way.

If point A to point B takes 3 minutes one way as opposed to 1 minute using a different way, would IT take the longer way? Of course IT will choose the faster way. So why does IT continually settle for status quo for remote control applications?

In many organizations this typical scenario takes place multiple times a day:

1. A call comes into the Help Desk.
2. Help Desk looks up the user’s device support information in one application.
3. Help Desk thinks they know the problem but need to connect to the device to fix it.
4. Help Desk launches a separate application to find the user IP address or, in many cases, walks the end user through multiple steps to find the information.
5. Help desk launches a third application which is usually a PC remote control application like VNC, DameWare, Microsoft Remote Desktop, etc.
6. Help Desk enters the necessary IP information in the application.
7.  Help Desk initiates the session with the remote device to continue the problem resolution.

Think about an alternate method–without any additional tools or end user involvement:

The first three steps above are the same—but then a bridge is provided to span steps 4 through 7. In the same application your help desk is already using, just click a button to see the IP address of the device and all the available applications which can be used to connect. Click again to continue the problem resolution by automatically connecting and taking control of the device. Now wasn’t that easy?

Using a bridge on those last four steps resolves the problem in a much faster way. Sometimes desktop management does not have to be that hard. At least not when you use bridges!

Among the differences between Baby Boomers and Generation X/Yers is that the Gen X/Yers are significantly more conditioned to serving themselves.

A gas station stop can illustrate a typical Baby Boomer’s service experience. You would pull up to the pump and wait for the pump jockey to appear out of the building and then ask what you needed. “Fill ‘er up” was typically the response. Along with the fill up, the oil would be checked, the windows cleaned and off you would go. Other examples include paying the bills, which required a trip to the bank, or getting groceries, where the cashier would carefully perform the checkout activities then the bag boy would get everything packed up and accompany you to your car. 

Compare that to their kids and grandkids who are now much more inclined to use the self checkout at the grocery store, pay bills online and actually prefer to pump their own gas. Self service is becoming the preferred choice of most, and commerce is happy to accommodate them.

As more Gen X/Y professionals move into the positions of authority and are making purchasing choices for enterprise services and solutions, this self service conditioning will factor into their purchasing decisions. Self service is viewed as a cost saving efficiency measure for workforce optimization. Self service offers the ability to push the workflows and activities that are required for running the day-to-day business down the corporate hierarchy to more cost-effective labor or to the end customer entirely. In retail, it is not uncommon to see the staff using the supplier’s systems to replenish their own inventory,eliminating the need for field sales people for entire segments of the market.

Another example is the end of the Executive Administrative Assistant as a critical corporate resource. Once an essential function for effective organizations is now being relegated to history alongside the “Secretary” in favor of systems and processes that give executives self-service options that provide significant cost savings.

The adoption of Cloud- and online-based services is also another factor driving self-service acceptance. There is a strong nexus being created between the proliferation of online services of all kinds and self-service capabilities. Self service is at the core of an effective on-line service. Self Service + Cloud=Efficiency and ROI.

So as we think about self service as it relates to information technology, what are the fundamental aspects that provide an effective self-service solution and experience?

• Identity, Roles and Security – Establishing identity and applying the relevant roles and security controls are fundamental. As critical business functions are pushed down the organizational stack (and eventually to customers), it is critical that these activities be controlled, activities logged and that malicious activities are prevented.
• Automation – In order for a self-service solution to be effective, the user has to be offered a framework to automate common, repetitive tasks. Think about online banking without automatic payments or online shopping without being able to store shipping and payment information.
• Workflow – The sophistication and polish of the workflows has to accommodate the level of the end user’s understanding. Less technical and knowledgeable users will require very specific and clear steps as they progress through the workflow. 
• Help and Guidance – When the end user does require assistance, there is another self-service conditioning instinct that will have to be accommodated—the need for quick access to help and support. Robust, easily accessible help and online support are critical. Actually picking up the phone and asking for help will be the last resort for the self-service-conditioned user.

In writing about self service, it quickly became apparent to me that we have all been conditioned to require self-service capabilities at some level, and we now expect it to be a part of any service we engage with or subscribe to. This thinking has not only permeated the consumer mindset, but also the corporate mindset. It will continue to become more embedded in our culture, and in the products and services that support our personal and professional endeavors.

How do self service aspects of a solution affect selection criteria?