
Smart mCommerce


Friday, November 5, 2010

Windows 7 and Desktop Lockdown with Privilege Management

With the Windows XP sunset date fast approaching, plans for Windows 7 migrations are in full swing. This has prompted most organizations to also re-assess their approach to PC lockdown. With the privilege management capabilities offered by Viewfinity, enterprises have an alternative to the "all or nothing" approach to least privilege (every user a local administrator, or no user at all), an approach that prevents organizations from meeting compliance, security and desktop operations goals at the same time. This white paper discusses how Viewfinity Privilege Management allows IT professionals to reach these objectives without sacrificing user productivity or increasing support call volume. Viewfinity offers granular, multi-level user permission control, including support for endpoints that are not part of the Active Directory domain or do not regularly connect to the corporate network.




Thursday, November 4, 2010

Best Practices for Virtual Infrastructure Management

There are two sides to virtualization. The positives are well known: better hardware utilization, faster application deployment and increased workload mobility, all in the service of business agility. However, with all of these positives it is easy to forget the challenges. Read this white paper to learn how to address these IT management problems.




Tuesday, November 2, 2010

Your Journey to EMR Starts with Content Management

Now is the time to assess your existing equipment and consult with a partner like CDW Healthcare to determine what you may need to upgrade or replace your document management technology for EMR readiness. Here’s a quick checklist: 

Data capture — Does your scanning technology recognize optical characters, barcodes and other patterns?
Workflow — Does your system automate file copying, and does it support worklists, e-mail notifications and timed alerts?
Data storage — Do you have enough storage space to handle growing digital file sizes?
Data retrieval — How quickly can you access, download and transmit digital records?
Data distribution — Printing, faxing and e-mailing should be standard capabilities for sharing patient data.
Security — A system must protect information on multiple levels to comply with HIPAA and internal security policies.

Continue reading to learn more about content management and EMR.




Log management best practices: Five tips for success


NETWORK SECURITY TACTICS

Diana Kelley, Contributor
07.29.2010

This tip is part of SearchSecurity.com's Integration of Networking and Security School lesson, Application and network log management program planning. For more learning resources, visit either the lesson page or the Integration of Networking and Security School main page.

The right log management tool can go a long way toward reducing the burden of managing enterprise system log data. However, the right tool can quickly become the wrong tool unless an organization invests the time and effort required to make the most of it. Diana Kelley offers six log management best practices to ensure a successful implementation.

A fool with a tool is still a fool – Don't spend millions on a log management system if you're not prepared to invest the time in installing and managing it properly. Log management systems must be configured to parse events and data that matter to the organization so that reports have business and technical value. Another "fool" mistake is failure to look at and review the alert console, thereby missing critical security events. Don't make the mistake of committing to log management technology without committing the time necessary to use it well.
Pre-define requirements to streamline RFPs – Creating RFPs is a time-consuming process, but some requirements, once defined, can be re-used in subsequent RFPs. This is often the case with logging requirements because the baseline of what's needed (format of the log file, data written to the log file, etc) remains the same. Another benefit of using pre-defined requirements is that it ensures the requirements remain consistent while streamlining the RFP cycle.
Make sure you have the information you need – To be able to write effective correlation rules, the log management system must have enough contextual data to analyze. For example, where specifically did the traffic or activity come from? This requires knowledge of the source IP address, which means the log management systems must be logging that information in order for the engine to be able to parse it. What happened on the target device or application? If an organization wants to write log analysis rules and alerts for activity, the log data must record that activity.
Think beyond static reporting – The last thing most organizations need is another list or spreadsheet filled with rows and rows of data that has no overarching analysis model to help make sense of it all. Alerting should be done not just on "the characteristics of individual rows but also on sets" and baselines of expected or acceptable activity. Consider logins to a critical database. The normal baseline may be two failed logins, but if the password requirements for that system are changed from a simple dictionary word to an 8+ character non-dictionary string, login failures may be expected to increase while users get accustomed to the new rules. Intelligently aware log management systems could be tuned to monitor trends and provide feedback to the administrators who may decide to use the trending information to temporarily alter the alerting threshold.
Use log data to figure out what is happening or what just happened – "Logs are wonderful for outages," because, very often, all of the information necessary to determine what is causing (or caused) the outage can be found in the log files themselves. During a crisis, staff often goes into reactive mode, sometimes relying on intuition, speculation, and atomic unrelated pieces of information to piece together what is going on or what happened. But logs are a record of what actually happened. Systems that allow staff to write and run reports in real-time based on outage information deliver the facts that response teams need to understand what's happening on the network.
Think outside the security box – Log management systems are excellent for aggregating and analyzing information from security devices for security awareness, but the information being gathered can be used for other purposes as well. For example, an organization "can analyze the customer experience for [your] top ten business relationships." Many trending and click track type Web application-reporting systems don't provide a granular view of the actual customer experience. "Well-designed application logging would take the customer experience into account," and expands the utility of the log management well outside of the security box.
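The third and fourth tips above (record the source address so rules can correlate on it; alert on sets and baselines rather than on individual rows) as an added example, written for this page rather than taken from the article or any product. The key=value login record format and the sample lines are constructed for the demo, and the baseline is passed in as a parameter so that an operator can raise it temporarily after a password-policy change instead of muting the rule, as the tip suggests.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// LoginEvent holds the context a correlation rule needs: which target system,
// which account, from which source address, and what the outcome was.
type LoginEvent struct {
	Target, User, SrcIP, Result string
}

// ParseLine reads one "key=value" login record. The format is an assumption made
// for this example, not any product's audit format; adapt it to your own logs.
func ParseLine(line string) (LoginEvent, bool) {
	var ev LoginEvent
	for _, field := range strings.Fields(line) {
		key, val, ok := strings.Cut(field, "=")
		if !ok {
			continue
		}
		switch key {
		case "target":
			ev.Target = val
		case "user":
			ev.User = val
		case "src":
			ev.SrcIP = val
		case "result":
			ev.Result = val
		}
	}
	// A record with no source or target cannot be correlated; reject it so the
	// gap shows up as a parsing problem rather than as a silent miss.
	complete := ev.Target != "" && ev.User != "" && ev.SrcIP != "" && ev.Result != ""
	return ev, complete
}

// Alert is raised on a set of rows, never on a single row.
type Alert struct {
	Key    string // "target|user" or "target|srcip"
	Count  int
	Reason string
}

// FailedLoginAlerts groups failed logins per (target, account) and per
// (target, source IP) and alerts when a group exceeds baseline. A password
// spray produces one failure per account, under any per-account baseline, but
// many failures from one source, so only the per-source set catches it.
func FailedLoginAlerts(lines []string, baseline int) []Alert {
	perUser, perSrc := map[string]int{}, map[string]int{}
	for _, line := range lines {
		ev, ok := ParseLine(line)
		if !ok || ev.Result != "fail" {
			continue
		}
		perUser[ev.Target+"|"+ev.User]++
		perSrc[ev.Target+"|"+ev.SrcIP]++
	}
	var alerts []Alert
	for key, n := range perUser {
		if n > baseline {
			alerts = append(alerts, Alert{key, n, "failed logins for one account above baseline"})
		}
	}
	for key, n := range perSrc {
		if n > baseline {
			alerts = append(alerts, Alert{key, n, "failed logins from one source above baseline"})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Key < alerts[j].Key })
	return alerts
}

// SampleLog is constructed for this example: alice mistypes once, bob fails
// three times while adjusting to a new password policy, and 203.0.113.7 tries
// eight different accounts once each.
var SampleLog = []string{
	"target=crm-db user=alice src=10.1.4.22 result=fail",
	"target=crm-db user=alice src=10.1.4.22 result=ok",
	"target=crm-db user=bob src=10.1.4.31 result=fail",
	"target=crm-db user=bob src=10.1.4.31 result=fail",
	"target=crm-db user=bob src=10.1.4.31 result=fail",
	"target=crm-db user=bob src=10.1.4.31 result=ok",
	"target=crm-db user=carol src=203.0.113.7 result=fail",
	"target=crm-db user=dave src=203.0.113.7 result=fail",
	"target=crm-db user=erin src=203.0.113.7 result=fail",
	"target=crm-db user=frank src=203.0.113.7 result=fail",
	"target=crm-db user=grace src=203.0.113.7 result=fail",
	"target=crm-db user=heidi src=203.0.113.7 result=fail",
	"target=crm-db user=ivan src=203.0.113.7 result=fail",
	"target=crm-db user=judy src=203.0.113.7 result=fail",
}

func main() {
	for _, baseline := range []int{2, 5} {
		fmt.Printf("baseline %d:\n", baseline)
		for _, a := range FailedLoginAlerts(SampleLog, baseline) {
			fmt.Printf("  %-20s count=%d  %s\n", a.Key, a.Count, a.Reason)
		}
	}
}
```

With the baseline at 2, bob's three failures alert (the noise the tip describes right after a policy change) alongside the spraying source; raising the baseline to 5 for the transition period silences bob while 203.0.113.7, with eight failures against eight accounts, is still reported, because that count lives in the per-source set and not in any single row.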

About the author:
Diana Kelley is a partner with Amherst, N.H.-based consulting firm SecurityCurve. She formerly served as vice president and service director with research firm Burton Group. She has extensive experience creating secure network architectures and business solutions for large corporations and delivering strategic, competitive knowledge to security software vendors.



Sunday, October 31, 2010

Smart Grid Deployment and Identity Management

This paper is the author's personal opinions on the role that identity management will play in the utility industry as smart grid evolves across North America.

Utility - Home Energy Controller

One significant portion of smart grid is the interaction between the home energy controller and the utility. 

The home owner may choose to allow the utility to monitor appliance, air conditioner, electric heater and gadget events in the home and potentially to control some of them (e.g.  downing an air conditioner in a peak load to trim the peak load and avoid a grid brownout).

This requires identity management to authenticate the home energy controller and the utility's home management system to each other, potentially every few minutes. Most current deployments set a user ID (uid) and password in place, allowing the application to log on to the local data store in the home.

I believe that this approach is not secure from the customer's perspective, since passwords are easily obtainable through a variety of methods. I also believe that over the next several years privacy litigation against utilities will force them to adopt a more rigorous method of authenticating to the home.

I foresee the use of digital certificates issued by the utility to the home owner's energy controller, with the utility's web services then authenticating to the device on the strength of that certificate. This means that utilities must put a solid PKI in place and also deploy access control that is highly available.
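The certificate-based alternative to the uid/password approach, as an added example written for this page in Go; it is not the author's design or any utility's software. The utility operates a private CA, issues one certificate per home energy controller, and the head-end accepts a session only if the presented certificate chains to that CA; the controller verifies the head-end's certificate in the same handshake, so neither side ever holds a password for the other. The names (Utility Device CA, hems.utility.example, hec-00017), the loopback listener, the P-256 keys and the 24-hour validity are assumptions for the demo; a production PKI would keep the CA key in an HSM, issue longer-lived device certificates and add revocation checking, none of which is shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a private key plus the certificate that binds it to a name.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewIdentity issues a certificate for cn: a self-signed CA when issuer is nil,
// otherwise a leaf signed by issuer for the head-end (server) or a controller (client).
func NewIdentity(issuer *Identity, cn string, serial int64, server bool) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn}, // what the peer checks the name against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour), // demo lifetime only
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parent, signer = issuer.Cert, issuer.Key
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		if server {
			tmpl.ExtKeyUsage[0] = x509.ExtKeyUsageServerAuth
		}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Identity{Cert: cert, Key: key}, nil
}

// Authenticate runs one mutual-TLS handshake over loopback between the utility
// head-end and a home energy controller and returns the device name the head-end
// verified from the controller's certificate. A certificate that does not chain
// to utilityCA is refused by the handshake itself.
func Authenticate(utilityCA, headEnd, device *Identity) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(utilityCA.Cert)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{headEnd.Cert.Raw}, PrivateKey: headEnd.Key}},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no utility-issued cert, no session
		ClientCAs:    pool,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() { // controller side: present its cert, verify the head-end, wait
		c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
			Certificates: []tls.Certificate{{Certificate: [][]byte{device.Cert.Raw}, PrivateKey: device.Key}},
			RootCAs:      pool,
			ServerName:   headEnd.Cert.Subject.CommonName,
		})
		if err == nil {
			c.Read(make([]byte, 1)) // hold the session until the head-end closes it
			c.Close()
		}
	}()
	c, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer c.Close()
	if err := c.(*tls.Conn).Handshake(); err != nil {
		return "", err
	}
	// PeerCertificates[0] is the leaf the head-end just verified against ClientCAs.
	return c.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

func main() {
	ca, _ := NewIdentity(nil, "Utility Device CA", 1, false)
	headEnd, _ := NewIdentity(ca, "hems.utility.example", 2, true)
	device, _ := NewIdentity(ca, "hec-00017", 3, false)
	rogue, _ := NewIdentity(nil, "hec-00017", 4, false) // same name, self-signed, not utility-issued
	fmt.Println(Authenticate(ca, headEnd, device))
	fmt.Println(Authenticate(ca, headEnd, rogue))
}
```

Authenticate runs both ends in one process so the exchange can be seen end to end; in a deployment the listener configuration belongs to the head-end and the dial configuration to the controller, unchanged. The rogue controller is refused even though its certificate carries the same name as the legitimate one, because the head-end trusts the chain to the utility CA, not the name, which is exactly what a shared uid/password cannot offer.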

Home Owner - Utility Interaction

The home owner will either use software supplied by enterprises like Google or use the utility's own portal software or combinations thereof to communicate with the utility. 

Further, I also foresee that in the future energy controllers bought in a store will be installed by third parties, who will then help the home owner create their account and interface the controller with the utility.

Further, the home owner will want to assign different authorization rights to family members, giving each of them a different degree of control over the home energy management system.

Finally, many families will need delegated administration rights for different family members (e.g. elderly people may delegate some or all of their privileges to their caregivers).

All of this requires:

- A robust identity management system to provision the assets and applications to the home owner
- Integration with B2B infrastructure
- Easy log-on using things like voice recognition
- Fine-grained authorization

Electric Vehicle Management

I foresee several areas where identity management would be important in making the customer's interaction with the utility smooth. These include:

- Vehicle identity registration systems with the utility, likely involving issuing a digital certificate to the car
- Utility identity federation with credit card companies and energy suppliers (e.g. Chevron, Exxon, Shell, etc.)
- Utility federation with parking garage owners who offer electric vehicle recharging
- Possible federation with electric vehicle manufacturers
- Possible registration of the vehicles in an energy saving program IF it turns out that recharging the batteries of numerous vehicles significantly loads the grid (the jury is still out on this)

SCADA Home/Commercial Electrical Generation Authentication

As home and commercial users begin to generate electricity and want to connect to the grid to sell it back to the utility, I foresee the following:

- The need to identify and register the devices with the utility, which in the future will likely involve installing a digital certificate on the energy generating device or on the device that connects it to the grid
- Authentication of the devices to the grid

"Smart Grid"

As smart transformers, power line monitors and feeder automation devices and software are deployed on the SCADA systems, this will require the following identity management infrastructure:

- Registration of all devices in a central LDAP store from the authoritative sources
- Authentication of the devices by the HMI in the control room and/or an identity management access control system
- Identity management for personnel and third parties who will be working with and interacting with the devices and their software

Operations

I foresee a significant shift in what happens in a utility's operations control centre and its IT operations. The integration of the home and the digitization of the networks using TCP/IP mean that:

- Enterprise incident management must now integrate the formerly separate IT and SCADA change management systems into one
- Monitoring systems need to be significantly improved from stem to stern (i.e. from the home with its appliances and gadgets all the way through to utility corporate and utility SCADA systems)
- Network architecture will need to be significantly upgraded and will require more internal DMZ zones to limit the risk of someone penetrating through to the SCADA system
- Security operations must now move out of IT and Facilities and into the control room, to actively monitor and manage all security and to watch for physical and logical penetrations

Operations concern me the most when considering smart grid. While software sales people and utility marketing people are making the most of "smart grid", I don't think many utilities have considered the operational impact, organizational reorganization and security requirements involved.

Summary

This brief paper outlines, at a high level, the challenges of deploying smart grid for a utility from an identity management and operational perspective. Much state and provincial legislation is forcing utilities to take on home or commercially generated power without thinking through the security, operations and identity implications.

Concurrently, I believe that many senior utility managers are "hopping on board" the smart grid bandwagon without knowing the true infrastructure, operational costs and enterprise reorganization.

What most do not realize is that the digitization of the SCADA network to TCP/IP communication AND the deployment to the home together require extremely tight integration between IT and SCADA.

Those utilities that figure this out early will be the winners while those who don't may open themselves, unknowingly, to significant security holes.

About the Author

Guy Huntington is a learned and burned identity management and security consultant.  He has led a utility identity management program, participated in a utility security assessment, integrated physical and logical security and rescued several large Fortune 500 identity projects.  His white papers can be read at http://www.authenticationworld.com/papers.html.  He can be reached at guy@hvl.net or 1-604-861-6804.

Note: the views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post. Infosec Island reserves the right to remove or edit the content of all material submitted by our members.


Password Management in the Enterprise

Preface: I am not on the payroll for any vendor. This is not a paid endorsement/advertisement. I am simply sharing what I have found in my research in the Enterprise password management space.

Password management is an essential part of every organization’s security program. Even if you have a well implemented single sign on (SSO) solution, your employees will still need to remember and use passwords for new external websites.

The demands we put on our employees to remember more and more passwords, and to make those passwords more and more complex, have become unmanageable.

Consider all the rules we ask our employees to follow:

Passwords must be at least [X number] characters long
Must include special characters, capitals, numbers, etc.
Change your passwords every [X number] of days
Use a different password for every system
Do not use a predictable pattern in your passwords
Don't write your passwords down anywhere

These demands usually lead to one of two results. Either the users write passwords down (often in a text or Word document on their computer's desktop) or they ignore the rules and reuse passwords between systems.

Some of our more technical and security savvy users will go find a tool like Password Safe (or one of the many others like it) which does a wonderful job of giving the users a safe place to put passwords, but is very clunky in an Enterprise environment.

These types of tools do not accommodate passwords that need to be shared between users, and do not allow integration with Active Directory or role-based permissions. And when an employee leaves the organization, those passwords are lost, potentially leaving the employer in the lurch.

There are several products that attempt to work in this space, but most of them offer SSO type functionality. While there is certainly a place for that in some organizations, it requires a very significant amount of back-end configuration by the IT department. And whenever a new application gets added there needs to be configuration changes to support it.

What I want is a tool that works like Password Safe, allowing users to create and manage all their own passwords with little to no interaction from IT, but still allows centralized management and ease of deployment. After looking through dozens of tools, I have found that Thycotic software’s Secret Server meets all of my needs.

The technology really is pretty simple. The system can tie into Active Directory for authentication and group memberships.

By default, users have their own secure area where they can create as many system passwords (which this system calls “secrets”) as they want. They can either create secrets just for their own use or they can assign permissions to other users or groups in the system.

Secret Server allows users to create auto-launcher links within the secrets. These launchers will open a web browser, SSH or Remote Desktop connection to a system with the username and password pre-populated.

More, the system can be configured so that the password is not even visible if there is a launcher available. I can give you access to sign in with my account without you ever actually knowing my password.

Secret Server can also be used to automatically change passwords on a predetermined schedule. So if you don’t want to have to log into that server every 90 days to change your password, you can tell Secret Server to do it. Then when you need the password you just log in and get it.
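To make the permission, launcher and rotation model described in the last few paragraphs concrete, here is an added toy in Python. It is illustrative code written for this page, not Secret Server's code or API; the Vault class, the separate VIEW and USE rights, the AD-style group map, the connector and change-on-target callbacks and the sample users and secret are all assumptions. The point it shows is the one the text makes: a "use" right lets a colleague open a session with your credential while the password itself never reaches them, and a scheduled rotation should only commit locally once the target system has accepted the new password.

```python
"""Toy model of 'use without view' secret sharing plus scheduled rotation.
Written for this page as an illustration; not Secret Server's code or API.
Every name, class and callback here is an assumption."""
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set

VIEW = "view"  # may read the password itself
USE = "use"    # may launch a session with it, but never sees it


@dataclass
class Secret:
    owner: str
    username: str
    password: str
    rotate_every: Optional[timedelta] = None
    last_rotated: datetime = field(default_factory=lambda: datetime.now(timezone.utc))
    acl: Dict[str, Set[str]] = field(default_factory=dict)  # principal -> rights
    audit: List[tuple] = field(default_factory=list)


class Vault:
    def __init__(self, groups: Dict[str, Set[str]]):
        self.groups = groups  # stands in for directory (AD) group membership
        self.store: Dict[str, Secret] = {}

    def _rights(self, user: str, s: Secret) -> Set[str]:
        if user == s.owner:
            return {VIEW, USE}
        rights = set(s.acl.get(user, set()))
        for grp, members in self.groups.items():
            if user in members:
                rights |= s.acl.get("group:" + grp, set())
        return rights

    def create(self, owner, name, username, password, rotate_every=None):
        self.store[name] = Secret(owner, username, password, rotate_every)

    def share(self, actor, name, principal, rights):
        s = self.store[name]
        if actor != s.owner:
            raise PermissionError(f"{actor} does not own {name}")
        s.acl[principal] = set(rights)
        s.audit.append((actor, "share", principal, tuple(sorted(rights))))

    def reveal(self, user, name) -> str:
        s = self.store[name]
        if VIEW not in self._rights(user, s):
            raise PermissionError(f"{user} may not view {name}")
        s.audit.append((user, "reveal"))
        return s.password

    def launch(self, user, name, connect: Callable[[str, str], object]):
        """Hand the credential straight to the connector; return only the session."""
        s = self.store[name]
        if USE not in self._rights(user, s):
            raise PermissionError(f"{user} may not use {name}")
        s.audit.append((user, "launch"))
        return connect(s.username, s.password)

    def rotate_due(self, now: datetime,
                   change_on_target: Callable[[str, str, str], bool]) -> List[str]:
        """Rotate every secret whose schedule has elapsed. The new password is
        committed locally only after the target accepts it, so a failed change
        never leaves the vault out of step with the host."""
        rotated, alphabet = [], string.ascii_letters + string.digits + "!@#$%^&*"
        for name, s in self.store.items():
            if s.rotate_every and now - s.last_rotated >= s.rotate_every:
                new_pw = "".join(secrets.choice(alphabet) for _ in range(24))
                if change_on_target(s.username, s.password, new_pw):
                    s.password, s.last_rotated = new_pw, now
                    s.audit.append(("scheduler", "rotate"))
                    rotated.append(name)
        return rotated


def demo() -> dict:
    """Walk the scenario from the text with constructed users and one secret."""
    vault = Vault(groups={"dba": {"alice", "bob"}})
    vault.create("alice", "prod-db", "dbadmin", "Hunter2!", rotate_every=timedelta(days=90))
    vault.share("alice", "prod-db", "group:dba", {USE})  # dba group may use, not view
    session = vault.launch("bob", "prod-db", lambda u, p: f"session:{u}")
    try:
        vault.reveal("bob", "prod-db")
        bob_can_view = True
    except PermissionError:
        bob_can_view = False
    later = datetime.now(timezone.utc) + timedelta(days=91)
    failed = vault.rotate_due(later, lambda u, old, new: False)  # target rejects change
    old_kept = vault.reveal("alice", "prod-db") == "Hunter2!"
    rotated = vault.rotate_due(later, lambda u, old, new: old == "Hunter2!" and new != old)
    return {"session": session, "bob_can_view": bob_can_view, "failed": failed,
            "old_kept": old_kept, "rotated": rotated,
            "changed": vault.reveal("alice", "prod-db") != "Hunter2!",
            "audit_events": [e[1] for e in vault.store["prod-db"].audit]}


if __name__ == "__main__":
    print(demo())
```

In the walkthrough, bob (a member of the dba group) gets a session on prod-db but is refused when he asks for the password, the first rotation attempt is rejected by the target and leaves the stored password untouched, and the second rotation succeeds and is recorded in the audit trail along with the share, launch and reveal events.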

Secret Server is not perfect. It’s got a sizable price tag. The UI leaves something to be desired, and some of the administration configuration can use a little work.

But overall it’s a powerful tool that provides users with a real option for saving their passwords in a secure location, eliminating the need to memorize dozens of 8+ character complex passwords.

In a world where security is continually becoming more onerous for our users, this tool can help stem that tide just a little bit.

Cross-posted from Enterprise InfoSec Blog from Robb Reck
