So what is consumerisation in the context of IT? The consumerisation of IT is a trend that has gathered momentum in recent years and refers to ways in which the consumer sector and business sector are converging. It is used as an umbrella term covering many things, including allowing employees to buy or bring to the workplace devices of their choice. This will sometimes replace being given designated computers or other devices, but it can also supplement the traditional model. The IT consumerisation tag can also be used to refer to the way in which some companies (or individuals) use consumer software and services such as Facebook and Twitter to accomplish business tasks.

Indeed, the boundaries between professional and personal lives are being redefined. Users no longer work within their offices (thanks to Cloud Computing/SaaS), but often check email late at night and update personal web pages during the day. Users are demanding freedom and IT needs to figure out ways in which to help them maintain a balance between work and personal time.

Those in favour of consumerisation of IT see it as a way of liberating their employees, increasing creativity and loyalty, and as a tactic for restoring work/life balance and enabling the recruitment of the brightest new talent. Opponents, however believe it leads to inconsistency, manageability issues and information security risks.

Here are some factors to address if you are considering consumerisation for your company/organisation.

• Assess your users – Assess what consumer grade applications and devices your employees are using at work today. It will also be useful to create a profile of your end-users and the typical scenario they encounter. Depending on the individual user’s impact on the business and their needs, you will be able to form an opinion on whether consumerisation is right for them and you.

• Understand content and information security – Some users may deal with confidential legal issues, whereas others may deal with information that is intended for public readership. Similarly, some information, such as sales contracts, is highly sensitive while other data, such as marketing brochures, can be shared using consumer technologies such as Windows Live SkyDrive without risk. Access to areas should be strictly limited by role and credentials.

• Recognise device types and application needs – Individual devices are not good for all tasks and one size does not fit all. Devices without keyboards may be inadequate for data creation and PCs generally provide the best environment for data creation and manipulation tasks. The challenge is to match work profiles with the right device.

• Define the criteria for a successful solution – Consider what benefits there will be and how these benefits will be measured. Plan to protect sensitive data, allow data access and sharing, provide tools for application delivery and access, and deliver a centrally managed environment through technologies such as cloud-based applications and services and desktop virtualisation.

• Update your organisational policies – Your policies should reflect your solution, requiring collaboration beyond IT. Areas such as data classification will require legal counsel and finance departments will need to tackle the tax issues of benefits in kind and issuing cash allowances when users select their own devices or bring their own devices to work. Occasionally, consumerisation is driven by the HR department which has an interest in providing a modern, dynamic environment to attract the best talent in the industry.

• Provide implementation and development resources – Ensure you provide sufficient assistance to support and develop the delivery of applications and data across multiple platforms. This will affect the likely cost and timescales for the successful implementation of a consumerisation project. Be aware that adopting a consumerisation strategy or implementing a ‘bring your own’ device model will not cost the enterprise less. Invariably it will cost more and increase complexity and risk. If the only driver is cost reduction, you are almost certainly making a bad move.

• Pilot your solution and plan for continuous improvements – Use highly motivated volunteers who are keen to create a consumerisation strategy. Do not pilot just a single device because it is unlikely to suit all users. The programme should not be a way for particular users to get ‘cool stuff’. Roll out the programme to all employees or to those you have identified as most likely to benefit.

The consumerisation of IT is a very real trend that is being adopted by many organisations, particularly those going through a period of change. Positive outcomes may include employees who are more engaged, productive and creative and a powerful aid to recruitment. However it should not be viewed as a cost saving exercise and like any change management programme, strict governance and measurements must be put in place to gauge success.

Thanks

Richard

Earlier this year Gwent Police Force inadvertently emailed a journalist the personal details of 10,000 citizens who had undergone Criminal Records Bureau (CRB) checks. The unencrypted file was intended for internal circulation, but an employee fell foul of the email AUTO COMPLETE function and the force was found in breach of the DPA.

For large financial organisations, bound by the requirements of the FSA (Financial Services Authority) and Security and Exchange Commission, the management of internal email communications is a key requirement to prevent insider trading or information leakage whether intentional or accidental. In fact, companies going through a merger, acquisition or divestment must keep tight control over internal email exchanges until deals are finalised. If an internal breach is found it can have very serious implications.

But the fact is – whether you are a small company or large corporation – if you deal with sensitive third party data you must not only guard against external threats like hackers, BUT ALSO protect yourself from negligence by your own employees. Ancar B has a number of solutions that it can recommend to provide internal and external security and would be happy to advise.

The cost in terms of loss of productivity, revenue and reputational damage caused by breaches can be far greater than businesses realise and so it is important to be proactive.

Richard

In April this year, Microsoft released its largest ever update, patching 64 software vulnerabilities – affecting Windows and Office, among other products – nine of which were rated critical.

The process of rolling out the updates is controlled by a company called Trustworthy Computing (a body created by Microsoft in 2002) who employ a collaborative approach, so that while its staff continually search for threats and vulnerabilities, they also receive information from external parties including security software vendors and independent security researchers. The Microsoft Active Protections Programme (MAPP) involves 80 or so vendors worldwide including Symantec, Trend, McAfee and Cisco – basically any vendors that have some form of protection product to detect weakenesses and suggest fixes.

Once vulnerabilities have been identified by Trustworthy Computing and the members of MAPP, they are prioritised and fixes are developed. The fixes are tested rigorously on average for two months per fix in order to maintain customer faith in downloading the updates and applying them to their machines. The reason testing takes so long is that Microsoft need to ensure the patches work with all systems and numerous combinations of applications. This is not a small task.

Once the testing is complete and the patches are released, it’s up to users to download and install them. Often Ancar B are called on to help with their implementation, since there are often instances where a ‘fix’ may not perform as expected or clash with a non-standard program.

Some critics of the ‘patch system’ suggest that if the software was properly coded in the first place it wouldn’t be necessary to embark on an endless process of fixes. Others believe ‘patch Tuesday’ is an example of great customer service, continuing to support products and protect customers years after the initial release.

I believe both sides of the argument carry weight, but for me the latter is more valid since it is impossible to predict the future and legislate for ‘changes in the market’. Either way the patching of systems is going to continue for the foreseeable future.

Richard

Ancar B was invited to present to the audience on Cloud Computing with particular reference to Sage 200. Whilst ‘Cloud’ is a subject with which many of us in the technology industry are familiar, not a single delegate – approximately 20 attended the event – had had any experience of ‘Cloud’ or working using Software As A Service. Why is this so?

Well in many instances I believe that most of the attendees had not considered ‘Cloud’ as an option, because of all of the technical terms surrounding it that makes it sound complicated to the layman e.g. Virtualisation, Software As A Service, Infrastructure As A Service, Platform As A Service, SPLA, VMWare, Hypervisor. In addition, I believe some companies are terrified of hosting their data in a location away from their business due to perceived security issues and the negative press attention some security breaches have received.

In terms of both of these stumbling blocks, understanding ‘Cloud’ and allaying potential customer’s fears about hosting their applications and data elsewhere can be negated. Despite all the definitions about cloud e.g. Cloud computing is the next stage in the Internet’s evolution, providing the means through which everything – from computing power to computing infrastructure, applications, business processes to personal collaboration – can be delivered to you as a service wherever and whenever you need, I found the following graphic pretty much ‘nailed it’ for the audience in understanding what can be stored/accessed/used in the cloud and via what means e.g. PC, Laptop, Smartphone etc.

Then we get onto the prickly issue of security. The irony with storing your data elsewhere – in the ‘Cloud’ – is that many companies are already doing this as part of their disaster recovery strategy i.e. storing data offsite at a data centre via remote backup in case their server is stolen or goes up in flames. So why would they be so reluctant to use an offsite resource for their day to day operations therefore? The other irony is that Data Centres have far superior access controls, firewalls and security procedures than many companies who keep their data on-site. The following cartoon made me chuckle in this respect:-

Anyway, I felt we really managed to grab the audience’s attention when we explained how ‘Cloud Computing’ removes many of the constraints from traditional computing environments including space, time, power and cost. For example, imagine a company wanting to deploy a Sage 200 system for 5 Users. Traditionally this would have been done with an On-Premise solution i.e. a server on the customer’s site. This would incur significant cost in terms of Server and PC Upgrades, New Operating Systems, SQL Database Licenses, Installation Costs and also ongoing Maintenance:-

Gulp! For many businesses this can be a real deal breaker. Having secured £20k from the Finance Director for the Sage 200 software itself, the extra £5k+ to deploy the solution on the appropriate hardware is ‘a bridge too far’.

However, ‘Cloud Computing’ can overcome this financial impasse by offering resources and licenses which customers can ‘rent’ on a monthly basis in order to deploy a much needed line of business application e.g. Sage 200. Moreover as a ‘Cloud’ solution is paid for on a monthly basis it falls into the operational budget of many companies and becomes no more burdensome than paying the monthly mobile bill e.g.

Great! That’s much more manageable!

Cloud is the future, but don’t just take my word for it. According to a recent survey by IDC cloud computing revenue will not only increase during the next few years, but the way organisations use the technology will change. In addition, it is anticipated cloud computing spending will account for 25% of annual IT expenditure growth by 2012 and nearly a third of the growth the following year.

The underlying reasons for this were even more revealing. In a related survey:-

• 70% agreed ‘Using the Cloud’ had Simplified IT Management Processes
• 72% agreed ‘Using the Cloud’ had Improved End User Experience
• 63% agreed ‘Using the Cloud’ had Decreased IT Performance Challenges
• 73% agreed ‘Using the Cloud’ had Reduced the Cost of Infrastructure
• 74% agreed ‘Using the Cloud’ had Alleviated Internal Resource Pressures

Speak soon

Richard

* Prices discussed in this article are estimates as of May 2011.  Please call for updated pricing.

Well here you go!

Small Business Server 2003

• Post 25 – SMTP
• Port 80 – HTTP
• Port 443 – HTTPS
• Port 444 – CompanyWeb,
• Port 4125 – Remote Web Workplace, Remote desktop from RWW
• Port 1723 – VPN

Small Business Server 2008

• Port 25 – SMTP
• Port 80 – HTTP
• Port 443 – HTTPS
• Port 987 – CompanyWeb
• Port 1723 – VPN

What is it? In brief, backscatter is the influx of Non Delivery Reports (or NDR’s) into a victim’s Mail Server (or MTA).

What is an NDR?

Mail Transfer Agents support a service called Delivery Status Notification (DSN) which allows end users to be notified of  the status of an email, such as the successful or failed delivery of email messages.

A non-delivery report is a status message sent by the recipient or interim email server that informs the sender of a email message delivery failure. There are several issues that can trigger an NDR, the most common are when the recipient of the message does not exist or when the destination mailbox is full.

Smarter Spamming?

Email servers offer a simple measure against SPAM by only accepting emails that have a valid source domain.

i.e. The domain exists.

Spammers are aware of this and have a simple way of bypassing this check which is to mimic email addresses from a valid domain.

Spammers use several methods for harvesting email addresses from the web. One method is the use of “Web Spiders”. Spiders crawl the Internet and web sites for email addresses that can be added to a database to be both a recipient, and used as a valid email address for sending spam.

From SPAM to Backscatter

So now you’re in the database, you’re likely to be targeted for the receipt of SPAM, and unfortunately it’s likely that a Spammer is going to use your email address at some point to send a batch of SPAM emails.

Even though you’re not the true source of the emails, you are the legitimate owner of the “Senders” address. As such any Non-Delivery Report is going to be returned to you.

So depending on the frequency of abuse, or indeed the size of the attack, you could potentially about to receive thousands of Non-Delivery Reports thanks to a spammer.

Can it be stopped?

Unfortunately it is easy to mimic someones email address, however there are measures to firstly prevent you being the source of such a violation, and secondly reduce or prevent the influx of backscatter.

The “Sender Policy Framework” or SPF have introduced additional DNS Records (SPF Records) that allow you to specify who is allowed to send email from your domain (Mail Servers). This way, if an email is received by a mail server from a source other than defined in your SPF record, the connection will be dropped and the email will not be processed.

Note: Googlemail, Hotmail and Microsoft are already implementing policies whereby if an SPF record does not exist, your email may be rejected.

Other options include disabling all catchall or wild-card mailboxes. When this feature is disabled the spammer has to match your exact email address and not your domain, so your mail server will not be accepting non-delivery reports for email addresses which do not exist on your mail server.

It is also recommended that you configure your mail server to reject during SMTP transmission rather than bounce email messages which cannot be delivered. Email servers such as Microsoft Exchange, Postfix, Sendmail and Qmail have patches to improve the behavior to create less backscatter.

A better solution

Using an external host to relay and filter your inbound email can prevent the receipt of SPAM and Backscatter, as well as reduce the loads generated by SPAM on your local mail servers.

Be low are a few more resources to give a little more information on the subject.

The Backlash!

The source of a Backscatter attack is no the SPAMMER, but it is the servers that are not configured to reject emails for invalid email addresses. These servers, although they’re the victim of an actual SPAM attack are now being listed on a UCE Blacklist (http://www.backscatterer.org/), which in turn gets your outbound email rejected due to your server being listed on a Black List.

As you can see, it is important to configure your email and DNS services correctly to ensure your neither the subject of a backscatter storm, nor listed unknowingly in a Blacklist.

Other Resources

Open SPF – http://www.openspf.org/
SPF Record Creator – http://old.openspf.org/wizard.html
Microsoft Sender ID Framework - http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/
Reducing Backscatter on Exchange – http://www.avianwaves.com/Blog/default.aspx?id=31

A recent report by the DB Security Company Imperva based on 32 million passwords exposed from  the rockyou.com security breach has highlighted patterns and the most popular passwords used. The full report is available here.

The Top Ten Common Passwords

The Top Ten common insecure passwords are:

1. 123456
2. 12345
3. 123456789
4. Password
5. iloveyou
6. princess
7. rockyou
8. 1234567
9. 12345678
10. abc123

Key findings:

• About 30% of users chose passwords whose length is equal or below six characters.
• Moreover, almost 60% of users chose their passwords from a limited set of alpha-numeric characters.
• Nearly 50% of users used names, slang words, dictionary words or trivial passwords (consecutive digits,  adjacent keyboard keys, and so on). The most common password among Rockyou.com account owners is “123456”.

The effect to businesses

Even though Microsoft are trying to enforce password policies in the design of their Active Directory infrastructures, many IT Administrators are disabling these features at the request of management. This is causing major vulnerability.

In our market place, the Microsoft Small Business Server is key to many SME network deployments, and features such as Remote Web Workplace, Outlook Web Access and VPN access are enabled for many users.

The flaw to this is that in an SME environment the number of users is small, and as such usernames are generally easy to guess as many companies use just First Names as the username. It’s much easier for a hacker to attempt a brute force attack on First name combinations rather than the more complex First name Last Name permutations.

For example, the username of “chris” who has a password of “123456″ or “Password” is going to be very easy to break. If Chris happens to be at Director level, there is going to be no end of information that can be accessed by the hacker.

Our Recommendations for Usernames

So our recommendation in a business domain is that usernames are based on a pattern that is not directly related to First Names, but either has a prefix or is based on First name and Last Name to infinitely increase the username possibilities. If you’re signing up to a web site that shows a “Screen” or “Nick” name, ensure this is different to your username.

Our Recommendations for Passwords

Using passwords based around your name, family, or words found in a dictionary are not secure as these are the basis for simple dictionary attacks. Many websites now offer a scale of complexity when signing up provide a guide to users about their passwords. It should contain a mix of four different types of characters – upper case letters, lower case letters, numbers, and special characters such as !@#$%^&*,;” If there is only one letter or special character, it should not be either the first or last character in the password.

So to sum up, in a business and web environment it is important that both your usernames and passwords are designed to increase complexity to reduce the effectiveness of a Brute Force attack, and never use one of the passwords listed above.