[SecurityRatty] tag: crm

CRM Made Simple

Mon, 06 Oct 2008 09:02:02 +0000

WHEN:Wednesday, October 15th10 AM PT / 1 PM ET Join us today!SPONSORED BY: Microsoft Dynamics CRM OnlineJoin this FREE webinar to get 6 game plans to overcome 6 common CRM obstacles and fears CRM use...

Interop NY Keynotes: BlackBerry

Wed, 17 Sep 2008 11:07:39 +0000

David Yach, Chief Technology Officer of Software at Research in Motion rounded out the final keynotes of the morning as part of the Mobile Business Expo (MBX). David focused on how enterprise and mobility are tied together today.

Which of the following initiatives are likely to be a major telecommunications technology related priority for 2007? Mobility is a huge issue.

We’re starting to see traction with mobility.

The evolution of enterprise mobility:
- Voice –> messaging –> e–mail –> web, –> business applications –> instant messaging/presence –> what’s next?
Cell phone to Smartphone:
- 1G –> 2G –> 3G

Converging IT Responsibilities

Collaboration, Web/Internet, Desktop Computer, Deskphone/PBX, Mobile Phone and Applications. All of this is under the umbrella of IT. IT departments are not a single cohesive unit where everyone gets along. They have different motivations, budgets, goals, etc.

BlackBerry manages all of these responsibilities in one, forcing these departments to collaborate and work together. This is key for interoperability between these systems, knowing how they work together.

Desktop capabilities are expected in mobility:

Information
Collaboration
Voice
Transactions
Presence
Application

Mobile devices are fundamentally changing the pace of which we all work. You can reach anybody at anytime. This changes business.

All of this is working with data that is behind a corporate firewall.

The big change in IT is that for almost any industry now, the data that you have and you manage is a core corporate asset. It doesn’t matter whether you’re in manufacturing, logistics, or a bakery. Information is king. This has the benefit of moving IT up to a C-level position. You are a core part of your business success. This has benefits, and also added stress.

Voice is still the “killer app” for mobility. Deskphones and smartphones need to overlap into a mobile voice system.

Another up and coming technology is the mobilization of enterprise applications. This provides the ultimate user experience. For example, Blackberry has mobilized the SAP Business Suite on BlackBerry smartphones. SAP CRM access is as seamless and intuitive as email on BlackBerry and incorporates push, alerting, security, GPS, Wi-Fi and media.

Enterprise grade platforms will extend core competencies of enterprise systems to mobile environments.

Secure
Reliable
Manage
Control
Administration
Standardize

Conclusion:

Putting it together: integrating the wireless capabilities of today into the business tools of tomorrow.

Links for 2008-09-15 [del.icio.us]

Mon, 15 Sep 2008 20:00:00 +0000

Quest grabs NetPro to strengthen Windows management wares - Network World
NetPro’s lineup includes tools focused on security/compliance, infrastructure administration and identity/access. Those tools include auditing, backup/recovery, policy enforcement, event log management, Exchange migration, group policy management, health/performance and user self-service password management
Are common logging and audit standards emerging? :: SearchSecurity.com.au
SaaS market will 'collapse' in two years | Tech News on ZDNet
Q: Won't people avoid the mistakes of "previous" SaaS incarnations, as you mentioned? A: People are stupid. History has shown it repeats itself, and people make the same mistakes.
CRM Outsiders » Blog Archive » Lawson CEO: SaaS Will “Collapse” In Two Years
I couldn’t disagree more, but than again it was also Harry Debes that predicted that many of today’s Web 2.0, cell phone gadgets would never catch on either. SaaS is certainly here to say. I
Nerd News: Eventlog to Syslog
(ISC)2 Blog: Event Correlation
Speaking of Security... | Blog Entry: Paul Stamp | Correlation is no silver bullet: 1301
So, when deploying SIEM to improve your security operations, remember that correlation only really works when backed up by real data about what is the biggest problem in your environment, and how that problem manifests itself in the event logs. I call it "working out what type of needles you'll find in your haystack."
Systems log analytics offers operators performance insights that set stage for IT transformation | Dana Gardner’s BriefingsDirect | ZDNet.com
Sharpening Stones and Walking on Coals | Nemertes Research
When hunting for a needle in a haystack, after all, making the haystack larger is not an obviously productive course; getting a tool that can assist in the hunt - a magnet, or a metal detector - makes more sense!
Search or Destroy | Nemertes Research
It's not all about security, it's not all about events, it's not all about compliance. All those things are critically important to IT, of course, but even more fundamental is the task of keeping things running.
jdm's Blog: How worthwhile is logging?
Logs are like a warm blanket; verbose logging means you can know what's happening on your systems if you keep up with the logs. At the same time, logs become a burden very very easily, and they are easy to ignore.
Rainer's Blog: What is an Event? And what an Event Log?
Enterprise Architecture: From Incite comes Insight...: Taming the Documentum Audit Trail
First and foremost, it is a good security principle to separate log data from the system.
Log management is a pain | Thomas Nicholson
So for an administrator to not care about logs was a shock.
thebaumblog » Blog Archive » Life after SIEM. Situational Awareness is next.
Life after SIEM. Situational Awareness is next.

5 Proven Ways Your CRM Can Pay For Itself Overnight

Mon, 15 Sep 2008 10:51:17 +0000

Free Live Webinar > Join us today!SPONSORED BY: Microsoft Dynamics CRM OnlineDiscover 5 straightforward ways to easily get results using your CRM, almost overnight! Join us today!You'll l...

Web Services and XML Security Training at OWASP

Thu, 28 Aug 2008 04:55:59 +0000

I am teaching Web Services and XML Security training at OWASP's AppSec conference in NYC, Sept 22-23. Web services provide the backbone that integrates many things in the enterprise from application servers, databases, ERP, and CRM. Increasingly we are seeing Web services in more B2C roles with Rest, Federation and other technologies. The class looks at how Web services applications are built, what are common threats and vulnerabilities in Web services, and how to build your Web services application to defend against them.

I have often said that OWASP conferences are my favorite ones because they are in depth technically and very practical. I always look forward to teaching at OWASP and the speaker lineup for this conference looks excellent.

Here is a quick list of tools we have used in past classes

Web Services frameworks
Apache CXF - very interesting open source Web services framework with support for JMS, SOAP, and Rest
Apache Axis & Axis2
.Net
Metro - interesting framework from Sun for interop with WCF

Identity
PingFederate - leading federation tool, we'll look at browser based SSO with SAML
PingFederate Web Services - we'll look at how to implement a STS in Web services
Bandit - Cardspace, authorization, and auditing

Security Services
VordelSecure - XML gateway, comprehensive web services security policy creation and enforcement, deploying decentralized security services
Apache Ramparts
modecurity

Testing
Soapbox - web services security testing
WebScarab - web services fuzzing

Static Analysis
Fortify SCA - how to scan your web services code for security bugs *before* you deploy

This is just a quick list, new tools are added periodically. If you are using tools of these types in your company you may find it interesting to attend.

Testimontials on past classes

"High quality detailed overview of SOA security standards and approaches. Well thought-out and structured presentation."
- Sr. IT Architect, Fortune 10 enterprise

"The knowledge and transfer was a great baseline and with the additional resources Gunnar made available, made this one of the best one day classes I've taken."
- IT Security Lead, Fortune 10 enterprise

"This class was a thorough and well-organized trek through the current Web Services Security landscape. Going beyond just describing the standards and the options available in the Web Services Security world, this class discusses real-world use cases and offers implementable solutions, best practices, even vendor choices in several key areas. This class provided me with actionable tasks that I took back to my project teams the very next day!"
-Jesse Aalberg, Sr. Enterprise Application Architect, United Healthcare

"The class was distinctly focused on Security requirements and the strength and weaknesses of the various solution approaches we could consider. The result of the course was actionable approaches to providing security in our SOA environment."
-Brad Sillman, Director IT Security, Deluxe Corp.

"Anyone who wants up-to-date information on SOA Security, security standards and best practices should take this class."
-Kevin Beam, Senior Systems Engineer, Union Pacific Railroad

"Good comprehensive overview of subject, standards, and threats"
- Sr.Security Consultant, Ubizen

"The class helped me get my head around what "SOA" and WS-Security is really all about"
- Mike Zusman, Independent consultant

"Topics addressed are timely and relevant. Labs are hands-on and help see concepts in action"
- Jerry Tan, Systems Analyst, DTCC

"This class was concise and covered a majority of the problem set my company is looking at and dealing with."
- Steve Reilley, Technical consultant, Commerce Insurance

"Excellent two day overview of security topics as related to Web Services."
- Daniel Reznick, Information Security, ADP

"Issue affecting most of us today & for those that don't - will soon. Very necessary education and technology."
Aaron Delashmutt

"Great class! Effective and relevant teaching in an area without much guidance."
- Mark DiSabato, Senior Information Security Architect, Roche

"The class cut through jargon to communicate concepts and implementation details."
- Developer, Fortune 100 insurance company

"Good overview regarding SOA Security. Contains new technology like AMQP and REST"
- Lars Loland, Statoil

"The course covered what I had to learn about Web services"
- Sven Vetsch, Dreamlab Technologies

"Very good, eye opening especially for websecurity noob."
-Michael Brandon

"Presenter has very broad and deep technical knowledge on subject. Content: good overview and comparison of SAML and WS-*"
- Security consultant, ING

"Good to learn where our application is vulnerable to attacks and how we can avoid them."
- Application Development Programmer Lead, Fortune 100 Insurance company

"Entirely thorough overview of technology surrounding the use of web services with a 1 day presentation"
- Technical consultant Contextis

"Gave a good overview of the Web services security environment"
- Francesco Degrassi, Emaze Networks

"A great entry point for securing your web services"
- Stig Kluver

"Lots of good technical information about an emerging area that's very useful"
- Rory McClune, HBOS PLC

"This class reinforced the importance of software security assurance to me as it lucidly demonstrated why being 'behind the firewall' is an outdated concept."
-Senior Support Engineer, Software Security vendor

"The area of SOA Security is complicated and youg. A course such as this helps bring it into focus."
-Jayme Frye, System Engineer, Union Pacific Railroad

"Web services security class provided application security concepts valuable for applications audits."
- Mary Ma, IT Auditor, DTCC

"Very knowledgeable coverage of security requirements for Web services."
- David Libershal, Network Security Engineer, Johns Hopkins University Applied Physics Laboratory

"WS/XML security is not a "black art", but you do need to know about it to be able to take it into consideration."
- Applications Specialist, Global 500 manufacturer

"Good overview of techniques worth considering when planning secure apps"
- EAI Specialist, Leading Mobility company

"Brought concepts in very easily understood terms."
-Glenn Bernard, Systems Engineer

"Gives ideas about the latest Web services security standards in the industry"
- Security Coordinator, Global 500 manufacturer

"Class cleared up various WS-* standards and gave great concrete examples of how to build a message using each standard. Very good general thoughts on security groups' role in IT."
- Matt Kasselman, UP Systems Engineering

"I found this very useful as an IT architect in a "security critical environment"."
- Mika Pullinen, IT Architect, Finnish Defense Forces

"Lots of useful information packed in a small amount of time. Good overall picture."
- Jari Pirhonen, Security Director, Samlink

"Gunnar is very knowledgeable about security topics and has a great ability to explain complex ideas using simple, appropriate, and amusing language and analogies."
- Scott Redd, Sr. Project Engineer, Union Pacific

"Excellent instructor who had a good pace to go through the presentation"
- Anna Vaahtokan, Specialist, Nordea

"Good application security principles."
- Tuomas Kivinen, IT Security Specialist, Nordea

"I liked the class quite a bit. I took it in a "survey mode" where I wanted to learn about topics at a high level, and this was accomplished. It was good to listen to those in the class that were much more familiar with SAO than I."
- John Glazeski, Senior Systems Engineer

Mainframe Mindset

Wed, 13 Aug 2008 17:18:17 +0000

You might think a mature industry like mainframes means low growth, but IBM is still selling mainframes like hotcakes. IBM said its mainframe business rose 32% in the second quarter compared to overall sales growth of 13%. How many 1960s technologies are putting up these numbers in 2008? The reality is that what mainframes do, they do well. While some companies invest 8 figures in moving to a supposed latest and greatest ERP or CRM solution, many would be better served by putting a Web services gateway in front of the mainframe to address the mainframe's chief weakness - distribution.

From a security point of view, mainframes are interesting because they were designed for a closed environment. Their advocates generally talk about the beauty of RACF and so on, and that is all well and good until people go and put them on the web! Approaches vary, but it usually amounts to MQ Series with not authentication, sitting in front of the mainframe with a J2EE server talking to the queues. What happens then is a major shift, because the mainframe security model is designed (rightly for its time) to be focused on the resource owner (remember the R in RACF). There is a minimal effort on securing the subject, the claim and so on.

Again the mindset is fine when its your own employees in a room using a terminal, but its another thing altogether when you are integrating with a distributed system. This is where we need more focus on securing the subject and the claim, not just the resource. This is of course where new standards and technologies such as SAML and Information Cards come in. Its not enough to protect the object resource and assume a benign controlled (or controllable) subject and claim, you have to add layers of protection to the subject and claim as well.

Links for 2008-07-31 [del.icio.us]

Thu, 31 Jul 2008 20:00:00 +0000

Too Many GRC Systems? | The IT-Finance Connection
In many ways, GRC today is at a stage similar to CRM 10 or 15 years ago. Then, each department maintained its own customer relations management tools, resulting in inefficiency and customer frustration, as well as duplication of effort and redundancy of i
Five signs that your career is about to get vapid » Brazen Careerist by Penelope Trunk
You can tell if you are avoiding personal growth in your career because you are not feeling challenged. You can tell if you are not feeling challenged if you are not scared. Being scared is what makes life interesting. You should be scared that you are go
McAfee acquires Reconnex, inks distribution pacts | Between the Lines | ZDNet.com
The company said it acquired Reconnex, which makes technology that automates data protection, for $46 million.

Get Involved Now In Cloud Computing Discussions

Thu, 24 Jul 2008 06:55:19 +0000

This week Amazon’s Simple Storage Service (S3) suffered a major outage that affected several websites that rely on the service. This is actually the second major outage for Amazon S3 this year. As a result of these and other reported outages, some companies will come to question whether they should pursue these new cloud-based services in the future. I agree with Nick Carr, whether you’re a startup looking to rely on the cloud almost exclusively for computing power and storage capacity or you’re a brick and mortar company who may want to use SaaS services for CRM or an online backup service, these outages should not scare companies away from cloud-based services. Outages are inevitable; no one, not the most sophisticated internal IT shops on Wall Street, or the largest service providers can offer 100% availability all the time. Amazon threw everything it had to fix the problem and was able to address the outage in several hours. How well would you be able to execute on your disaster recovery plan if you had a major outage?

Instead of avoiding cloud-based services, organizations need to be savvier about security and resiliency of the service provider. In fact, your organization may already be in pursuit of these services. Online backup is becoming a viable alternate to premise-based solutions for PC backup as well as remote office backup. Next will be a number of services related to information management such as online archiving and online records management and more online storage offerings to support low cost storage. Further down the road, there will also be hosted, multi-tenancy Exchange solutions. Get involved in these discussions. Don’t take it for granted that the potential service provider has hardened data centers that meet Tier III or Tier IV classifications (these classifications describe data center site infrastructure and topology, Tier IV is the highest rating), that your data is replicated to another data center, that your data is encrypted in flight and at rest and that the service provider has strong security measures in place so that administrators can support the infrastructure but not access or even see your organization’s information. Organizations should have consistent processes before, during and after the contracts have been signed.

And, when you ask about SLAs regarding resiliency, keep in mind that there will be some downtime for routine maintenance and that some unplanned downtime is inevitable. Consider a service provider that might boast about 99.9% availability (8 hours/year outage for 24x7). What is the difference between the following?

· 8 AM to 4 PM on the last Friday of the quarter

· Biweekly outages of 30 min at 4 AM local time

Timing and duration are more important than total downtime/outage.

Get involved in these discussions but be careful not to come off as the obstacle or as the doomsayer. Quite the opposite, you want to be seen as the enabler. Help the organization understand some of the potential risks but then help the organization define its resiliency requirements, security requirements, and risk tolerance. When the organization knows this, it can more confidently go out and select the right service provider, negotiate the appropriate SLAs and be prepared ahead of time with contingency plans for any potential service outages.

Arnon Rotem-Gal-Oz on SOA Security

Mon, 14 Jul 2008 09:40:01 +0000

Arnon cites his paper which builds on Deutsch, Gosling and Joy's famous Fallacies of Distributed Computing, specifically Fallacy #4 "the network is secure" These are common mistakes people make when building disiributed apps. Arnon blogged this:

In my opinion, assuming the network is secure for an SOA is not only naïve but negligence pure and simple. The whole premise of moving an organization to SOA is connectedness and integration. So, unless your SOA will fail it will be connected to other systems. Whether you are building RESTful systems, WS-* SOAs, EDAs or any combination of these architectural styles, If you won’t treat the services boundary as a border and secure it – you will be sorry…
Security in SOA should be considered at the "grand-scheme" level with issues like authertication, authorization but also at the single service level, looking at issues like DDOS, SQL injection, elevation of privilige and what not. A trivial thing like exposing a transaction beyond service boundaries can translate to an attacker denying services in your system simply by locking out your database. Again, this is just a simple example.
The other thing about Security is that you have to consider it early. patching security "later on" can have devestating effects on a system's capabilites esp. in areas related to performance. I have seen even military systems that had to go through serious rework, just because Security was added as an afterthought instead of handled early on

This is a great way to think about the problem, and as Arnon says its not just an issue with SOA security, its a pervasive issue. If you think REST+SSL is a security architecture then you should consider what threats you are choosing *not* to deal with.

Also, Arnon articulated what I call the gateway vulnerability problem. SOA, Web services, REST et al are fundamentally gateway, interoperability focused technologies. And they are for the most part, great at providing simplified access to back end systems. The problem is that your mainframe, ERP, CRM, et al were never designed for anything remotely resembling an Internet threat model. So you just provided a gateway to a system that from a security standpoint is underpowered. The gateway is not the problem but what lies behind it.

In school they called marijuana a gateway drug because it led to heroin usage, in web services security if you put a Web service in front of your back end creating a vulnerable gateway to that which runs your business then your sys admin may wind doing heroin.

OWASP Talk Q&A Notes

Fri, 11 Jul 2008 11:36:26 +0000

On Monday I did a talk on Web Services security at the MSP OWASP. The talk was ok, but not as good as at RSA because I Brian Chess did a better job with some of the stories than me. What was really good though was a number of questions and answers afterwards.

One person asked the old chestnut - "do we need to care about web services security if we are inside the firewall?" Now, I have heard this question many, many times in different ways, and this time my brain just shorted out, I basically said that I am not sure what difference it really makes. You don't get security from a firewall, you may get the ability to fire someone if they do something bad, but in most companies there is no "wall" and there sure isn't any "fire", at most they are speed bumps. I am *not* saying to remove them, they are part and parcel of how you operate a network but they are not really providing any additional security. Network firewalls are thought of as a security tools because they began as a security innovation and they are paid for out of the security budget.

Robert Garigue said several years ago that network firewalls are part of network hygiene like brushing your teeth. Information security should not have to help people brush their teeth, and instead should operate like a dentist helping groups work more complex and risky issues. I have advised CISOs at several companies to off load the network firewall jockeys out of infosec and into network groups. Sometimes they listen. If so, the infosec group can focus on other issues instead of managing a Visio-driven "security" device.

Why Visio? Well, the main security property from a firewall is the scary flames and brick wall on Visio. And how do you know whether or not to open up a port? You just open the org chart (in Visio) and find the level of the person who is requesting the port be opened. If VP Then Yes. Is this security? Hardly.

So one last time - Web Services are used to provide access to your main systems (which live on mainframes, big RDBMS, SAP, ERP, CRM, and so on) these are the keys to the kingdom, and lots of apps need them. The whole point of Web Services is to make it easier to talk to them. So "inside" or "outside" the firewall, do you need to care about authentication, authorization, and auditing on the systems that run your entire business???

Another interesting question from the Q & A from Jon Passki was on XML Security Gateways. We talked a fair bit about their utility in solving the aforementioned authentication, authorization, and auditing problems. I pulled up Vordel's gateway and showed how to build security workflows to deploy security as a service. Jon asked could I ever imagine a Web services security architecture without a gateway? I said I think that they are not always the starting point but mid to long term they are definitely in basically any effective security architecture I can think of. Having a place to deploy, manage, and enforce policy that is separate the code solves a lot of real world problems. People are hung up on thinking about Web services programming like it has to be Web app programming (this happens in REST a lot), but there is another school of successful web apps, arguably the most successful, and its called email.

Email app architecture looks nothing like web app design. You wouldn't read every email sent to your address would you? Of course not, it goes through spam filters, virus checkers and so on. Further its a message oriented paradigm, and you know that unless its signed/encrypted with PGP/GPG security is suspect at best. So yeah, I think gateways are an hugely important part of a Web Services security architecture.

Finally, I can also not imagine going live when you are supporting multiple protocols and token types without a good testing strategy. Mark O'Neill recently blogged something I recommend to all my clients - namely make sure you have security specific test cases, test harnesses and testing tools, like for example Vordel's Soapbox.