Monday, October 26, 2009

iPhone Apps Every Road Warrior Entrepreneur Needs

The BlackBerry has been the mainstay of the business world for years, but as we know, the iPhone is eating away at its market share. There are over 75,000 apps for the iPhone now, and the number is growing steadily. For those who have BlackBerry Thumb, you can probably look forward to iPhone Index Finger at some point in the future as you switch away from the BlackBerry.

Why should you switch from the BlackBerry? Well, there may not be a good reason. The BlackBerry has a number of apps, it supports encryption, and it has been beaten up thoroughly on the security front by years of network and application security testing. It is ingrained in businesses, and BlackBerry Enterprise Server is well known to many IT administrators.

The Entrepreneur can use both devices. Let's assume there are at least some people using the iPhone. What apps should they have in their toolkit? Of the thousands of apps, how can you pick a few that would be beneficial to the Entrepreneur Road Warrior? The way I picked them is through word of mouth and by what is of benefit to me: I travel, work in my car, have meetings at all times of day, and am away from the office for days or weeks.

Take these with a grain of salt and do not send any flame emails. But please send in the apps that you think should be shared with the world or at least readers of this Blog.

Urban Spoon

First up is Urban Spoon. You are thinking, well, that's not some kind of spreadsheet or financial app. What is the business purpose? The lifeblood of the Entrepreneur is networking and deal making, and deal making most of the time involves some kind of meal. Urban Spoon can find you restaurants by cuisine, by neighborhood, by cost, and by distance. Everything you need for a meeting in the most random city.


AroundMe

In the same vein as Urban Spoon is AroundMe. Say you are on your way to an important lunch you have set up at a restaurant you found on Urban Spoon, but you are almost out of gas. Use AroundMe to find the closest gas station. Or, if you need cash to pay for that gas because your Amex card has been cancelled, find the closest bank.


GoogleMaps

Well, this is pretty obvious. But when you are traveling and maybe forgot to bring your Garmin GPS and do not feel like paying the rental company an extra $11.99 a day to rent their GPS, this is just as good.

ReQall

This is a pretty useful app. The developers were one of the www.TiE.org Top 50 companies this year at TiECon. The app captures your voice, converts it to text, organizes your calendar based on your voice messages, integrates with Outlook or Google Calendar, and provides memory assistance. It's great when you have no pen, are driving in a car, or need a reminder.


FlightAware

For the true Road Warrior, there is no road, there is the sky. So when you are rushing to the airport or think you need to rush to the airport, track down what is going on with your flight. Check out FlightAware to get an update and help you plan that trip to the airport.


TweetDeck

Social Media, the latest buzzword, actually has some teeth. Small companies and the Entrepreneur have to be connected to the world whether you like it or not. Twitter is a way of life these days, even if people seem to be twittering their lives away. How do you tell your followers that you are stuck in an airport in Baltimore? Try using TweetDeck.


These apps don't seem very business-like, but the Entrepreneur is practical, cheap, and has to get things done today. These help you achieve your million tasks on a timely basis.

Gary Bahadur

http://www.kraasecurity.com/

http://blog.kraasecurity.com/

http://twitter.com/kraasecurity

*Managed Security Services

*Vulnerability Management

*Compliance & Policy Development

*PGP Security

Sunday, July 26, 2009

This Time It's Network Solutions Reporting a Data Breach

For a long time, well known companies have been the target of hackers. This has resulted in huge data losses for the companies themselves as well as for the clients associated with them. Many companies have faced fines from regulators or penalties from business partners as a result.

Network Solutions, which specializes in domain name registration, recently reported a data breach. The breach ran from March 12 to June 8, 2009 and was detected in a check carried out by the company. Though the malicious code was detected in June, the company took around a month to determine what it actually did. By that time the attackers had compromised its e-commerce hosting service and diverted the details of more than 500,000 transactions. This shows that companies are still lacking in security measures to prevent the loss of important data.

Network Solutions issued a statement saying that so far no misuse of the information has been reported by any merchant. The company is now notifying all merchant clients who processed transactions during that period. These merchants will in turn notify their customers, who can then ask their banks to block the affected cards to avoid any misuse.

Network Solutions has offered to bear the expenses that the customers have suffered. But isn't it better to take a few precautionary measures beforehand than to face such incidents? Regular network and web application security assessments, combined with data loss prevention controls, are the tools that catch malicious code of this kind early, and they help in avoiding such incidents altogether.

There have been many other companies reporting breaches in the past, and those breaches have damaged their reputations. Heartland Payment Systems and RBS WorldPay are two examples. Both companies were removed from Visa's list of PCI DSS compliant service providers. The loss of clients and market value was an additional cost.

These incidents indicate that various other similar companies are exposed to such risks. But if they take certain measures to keep their network system in check, they can surely avoid experiencing these kinds of losses. This also ensures the goodwill of the company in the market thereby attracting more clients.

An expert with knowledge of Information Security Risk Assessment has written this article.


Gary Bahadur
http://www.kraasecurity.com
http://blog.kraasecurity.com

Tuesday, July 21, 2009

Web Security Testing has come of age

The website is one of the most exposed parts of a company. If you look at a layered security approach, we start out with the internal network. There we have host security, patch management, host IDS and other server-based technologies. Next we have the network security layers: network intrusion detection, network monitoring and firewall protection. So if we have the internal servers secured and the network protection in place, what is left is the web application, which is the one way an attacker can still possibly get into an otherwise secure environment.

The website is the open front door to many companies. Security education for both the developers of web applications and the users of websites is sadly lacking. If we look at most of the compliance regulations such as HIPAA or PCI, there is an education component required, but most companies do not spend the time to provide more than a written manual that no one reads. Those same regulations also require a Secure Development Lifecycle strategy, but how many web application developers actually follow a strict methodology?

So on LinkedIn I asked the question of which web security tools are favored by the security community (www.linkedin.com/gbaha). These can provide some help and insight for those looking to conduct some security testing. Some are paid and some are free. Here is the list, in no particular order.

1) Foundstone http://www.foundstone.com
2) Acunetix WVS http://www.acunetix.com
3) Scrawlr https://h30406.www3.hp.com/
4) N-Stalker http://www.nstalker.com/
5) Nikto http://cirt.net/nikto2
6) WebScarab http://www.owasp.org
7) WebInspect http://www.hp.com
8) Fiddler http://www.fiddlertool.com
9) Samurai Web Testing Framework http://samurai.inguardians.com/
10) FireCAT http://www.security-database.com
11) w3af http://w3af.sourceforge.net/
12) CORE Impact http://www.coresecurity.com/content/web-app-pro
13) AppScan http://www-01.ibm.com/software/awdtools/appscan/

Having listed these, there are of course a number of other tools. (Please send me any comments on other tools you like.) Running a tool is the first and easiest step you can take to close that open web door (Webdoor, I am going to try and coin that phrase). If you can target tactical problems and get them fixed quickly, you can then tackle the strategic problems that led to your web vulnerabilities.

The basic steps you want to take in website security are:
1) Vulnerability testing
2) Secure Code Review
3) Architecture review
4) Monitoring and Logging
5) Consistent Testing (monthly) and Validation of Controls
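To make step 1 concrete, here is a small scanner in Python written for this post as an added example; it is not code from any of the tools listed above. It parses two constructed HTTP responses (embedded below) and applies three checks that every scanner on the list performs in some form: a probe value reflected into the HTML with its metacharacters intact (the signal for a reflected XSS candidate), missing browser hardening headers, and session cookies set without Secure or HttpOnly. The probe string, header list and sample responses are assumptions chosen for illustration.

```python
"""Offline checks of the kind a web vulnerability scanner runs per response.

Added example, not from the original post or any listed tool. The sample
responses below are constructed; the probe marker and the list of expected
headers are assumptions for illustration.
"""
import html
from typing import Dict, List, Tuple

# Marker a scanner appends to each parameter value. If it comes back with
# the quote and angle brackets intact, the parameter is reflected unencoded.
PROBE = 'qz"<x>qz'

# Hardening headers a scanner expects, mapped to what their absence allows.
EXPECTED_HEADERS = {
    "X-Frame-Options": "clickjacking",
    "X-Content-Type-Options": "MIME sniffing",
    "Content-Security-Policy": "script injection",
    "Strict-Transport-Security": "downgrade to HTTP",
}


def parse_response(raw: str) -> Tuple[int, Dict[str, str], List[str], str]:
    """Split a raw HTTP/1.1 response into status, headers, Set-Cookie values, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    cookies: List[str] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "set-cookie":
            cookies.append(value)  # may repeat, so keep every occurrence
        else:
            headers[name] = value
    return status, headers, cookies, body


def reflected_unencoded(body: str, probe: str = PROBE) -> bool:
    """True if the probe is echoed verbatim. A correctly encoded reflection
    would contain html.escape(probe) instead, which never matches."""
    return probe in body


def missing_headers(headers: Dict[str, str]) -> List[str]:
    return [h for h in EXPECTED_HEADERS if h.lower() not in headers]


def cookie_findings(cookies: List[str]) -> List[str]:
    findings = []
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie-missing-secure:{name}")
        if "httponly" not in attrs:
            findings.append(f"cookie-missing-httponly:{name}")
    return findings


def scan(raw: str) -> List[str]:
    """Run all checks on one response and return the finding identifiers."""
    _, headers, cookies, body = parse_response(raw)
    findings = []
    if reflected_unencoded(body):
        findings.append("reflected-xss-candidate")
    findings += [f"missing-header:{h}" for h in missing_headers(headers)]
    findings += cookie_findings(cookies)
    return findings


# Constructed sample: the search page echoes the parameter without encoding,
# sends no hardening headers, and sets a session cookie without flags.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/\r\n"
    "\r\n"
    f"<html><body><p>Search results for {PROBE}</p></body></html>"
)

# Constructed sample: the same page after the fixes.
SAFE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    f"<html><body><p>Search results for {html.escape(PROBE)}</p></body></html>"
)

if __name__ == "__main__":
    for label, raw in (("vulnerable", VULNERABLE_RESPONSE), ("safe", SAFE_RESPONSE)):
        print(label, scan(raw))
```

The reflection check is deliberately narrow: it only proves the input reaches the page unencoded, which is why scanners report it as a candidate for manual confirmation rather than a confirmed XSS. The same approach extends to the other injection classes by changing the probe and the pattern you look for in the response.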

Do not get lax when it comes to web security. It's a bit of black magic and a lot of hard work, but as it's the "webdoor", try and keep it closed.

Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity

Monday, July 20, 2009

HIPAA Assessments are the next wave

In February, CVS agreed to pay $2.25 million to settle HIPAA violations with HHS and signed a consent order with the FTC. The case arose because their pharmacies threw out prescription labels and other patient information in unsecured dumpsters. Who knew a poor disposal program could cost so much? HIPAA has been around for a number of years, but not until recently did we see that it has teeth and that companies are going to be held accountable. CVS now has to have an independent assessment every other year for 20 years, and assessments are not cheap! Assessments based on the Security Rule cover many areas of technology controls such as firewall protection, antivirus, encryption, vulnerability scanning and much more. I am sure conducting an assessment would have been much cheaper for CVS than the fine.

The definition of a Covered Entity for HIPAA compliance reaches far more companies than just hospitals and doctors' offices. Not only companies like CVS will get fined; business partners of hospitals and doctors' offices that store patient data will also be in trouble if they do not conduct risk assessments.

There are a number of ways to conduct these assessments, make them practical and stay out of trouble with "The Man". One company that is pretty helpful in this regard is RiskWatch, http://www.riskwatch.com. Their software allows you to conduct HIPAA, PCI, Red Flag Rule and other types of assessments.

For security professionals, these regulations provide a strong incentive for companies to get their act together regarding the privacy and security of data. It's unfortunate they have to be fined first to get the ball rolling. But hopefully more will take a proactive stance, not just for compliance but to get an ongoing security program in place.

Regards
Gary Bahadur
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity

Data Breaches are misunderstood

The Ponemon Institute and Ounce Labs (www.ouncelabs.com) released a study on the view CEOs have of data protection in their environment. In the study of 213 CEOs and other senior executives, CEOs did not share the same view of how secure their organization is as the executives who report to them. 92 percent of respondents said their organization had experienced attacks. Who has the more realistic view of data security? Could it also be the fault of the executives, who usually do not share all the bad information with the CEO? That is probably part of the security education challenge the CEO faces.

The study also found that 33 percent of C-level executives replied that attacks happened "hourly or more often," while only 17 percent of CEOs said the same thing. That's a pretty big difference of opinion. Whose responsibility is it to manage, monitor and report on hacker activity? Obviously, tactically speaking, it falls under IT, the CIO or maybe even the Chief Compliance Officer. But ultimate responsibility in any company falls to the CEO. If a data breach happens, as in the case of TJX, it's the CEO who has to appear on television to explain what happened and answer to the customers.

How do you apply metrics to report appropriately to the CEO? That magic "Dashboard" is what everyone is after and no one gets right. A good compliance dashboard that you may want to check out comes with the reports from RiskWatch software (www.riskwatch.com). It's worth a look.

The category of technology CEOs need to focus on these days is Data Loss Prevention (DLP). Every major security company has a DLP product, probably because the market has finally been educated on the necessity of looking at every input and output of data in the organization. A data breach can be caused by a lack of proper firewalls, no antivirus, no browser protection, no malware protection, a lack of patch management or no vulnerability management. Or it could be a hundred other things. A CEO needs to know these terms, how data flows, and what the data life cycle really means if they are to truly grasp the threat to their environment.

Prevention is really worth more than detection. If the CEO doesn't bridge the gap from thinking they might be secure to understanding that they are under attack every day and perhaps every minute, data breaches will continue to occur.

Gary Bahadur
CEO KRAA Security, baha@kraasecurity.com
http://www.kraasecurity.com
http://blog.kraasecurity.com
http://twitter.com/kraasecurity

Monday, June 22, 2009

Wireless Risk Assessment Needed to Keep Problems at Bay


Every organization works towards making itself more secure and protected. Its main aim is to protect the data relating to both the organization and its valued customers. With so many security breaches happening in companies these days, it has become essential to keep a company's sensitive information from being stolen. This article talks about the importance of wireless risk assessment in avoiding a serious security threat in a company.

Wireless security has become a major challenge for companies as wireless becomes pervasive. Companies do install wireless security controls, but they forget that those controls need to be checked, both internally and externally, on an ongoing basis. They need to understand the importance of wireless security in protecting the channels through which they share and transfer their data. Otherwise it would be tough to control, monitor and verify the sources of wireless traffic on their network.

To help organizations carry out this task efficiently and effectively, there are many tools and services available. A wireless security risk assessment is a service that addresses this exposure. It reviews the data you use and transfer over wireless, checks the relevant policies and procedures of your company, conducts routine checks of the wireless environment, and offers guidance for safeguarding these kinds of activities against future problems.

You can protect the information of your organization by using this risk assessment process. It conducts both internal and external tests. It also produces a complete report of the findings and recommends solutions to the problems found. These services are affordable in a typical environment.

This assessment process is also available for mobile phones, as they are also becoming targets of attack. Typical safety measures that you can install to safeguard your information include firewall protection, intrusion detection, and host monitoring.

Things will be all right if you take a few steps to avoid problems beforehand. By putting these security processes and tools in place on the network, you can ensure the long-term safety and security of the organization. After all, this is ultimately going to benefit your company and customers. Maintaining wireless security in both the network and mobile phones has become necessary, as they hold valuable information.

An expert in network security assessment at KRAA Security, a leading application security risk assessment company, has written this article.

Gary Bahadur
baha@kraasecurity.com
http://www.kraasecurity.com
http://blog.kraasecurity.com

Saturday, June 6, 2009

Vanguard Security Conference - Supplier Security

I spoke at the Vanguard Security Conference (http://www.go2vanguard.com). Vanguard has been doing this conference for a number of years. The focus is on mainframe security. Most security professionals these days have never worked on MF security. I am proud to say I have, back in the mid-90's. Well, perhaps I shouldn't be so happy; it was over a decade ago.

The point being that there are so many areas of security out there that most of us will never touch, yet there is a dire need for professionals. The conference was less well attended, as are most conferences this year, but I found the folks here are REALLY interested in learning and excited about the classes.

My topic was Supplier Risk Management processes. You are asking yourself, what is that? I asked myself that same question in coming up with some good processes to target supplier security. We have to go way beyond a SAS 70 if you want real security over the hundreds or thousands of vendors that a large company may work with.

The Problem:

-No framework for managing vendor risk
-Inconsistent processes for tracking vendors
-Lack of enforcement capabilities

The Opportunity:

-Provide practical steps to manage vendor access/management
-Provide cost effective solution for risk mitigation
-Provide numerical risk analysis of vendor/partner security issues
-Risk reduction or risk acceptance
-Documented exposure
-Iterative process for risk management
-Happy CIO

So a Supplier Security assessment follows four main steps:

1 Analyze the current vendor database, categorize each vendor, and determine the risk of each supplier
2 Determine the threats posed by each supplier
3 Perform assessment tests of each supplier, their processes of interaction, and their data access
4 Develop a risk mitigation plan, update processes, and monitor processes
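The "numerical risk analysis" called for above, as an added example in Python for steps 1 and 2; this is not code from the talk. Each supplier is categorized by the class of data it touches and the kind of access it has (step 1), the controls it lacks are listed as the threats it introduces (step 2), and the product of impact and likelihood ranks the vendor database so that steps 3 and 4 can be scoped by tier. The field names, weights, tier thresholds and the four sample suppliers are assumptions chosen to illustrate the method, not figures from the presentation.

```python
"""Numerical supplier risk ranking for a vendor database.

Added example, not from the original post or the conference talk. Weights,
thresholds, control names and the sample suppliers are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

@dataclass
class Supplier:
    name: str
    data_class: str                        # public | internal | confidential | regulated
    access: str                            # none | portal | network | privileged
    controls: Dict[str, bool] = field(default_factory=dict)  # evidence gathered in step 1

# Impact grows with the sensitivity of the data the supplier can reach...
IMPACT = {"public": 1, "internal": 2, "confidential": 3, "regulated": 4}
# ...and with how deep into the environment its access goes.
EXPOSURE = {"none": 0, "portal": 1, "network": 2, "privileged": 3}

# Each absent control is a threat the supplier introduces (step 2); the weight
# is how much it raises the likelihood of a compromise through that supplier.
THREATS = [
    ("mfa", 3, "credential theft gives direct access"),
    ("named_accounts", 2, "shared accounts defeat accountability and revocation"),
    ("encryption_in_transit", 2, "data interception on the interconnect"),
    ("patching_sla", 1, "unpatched supplier systems used as a pivot"),
    ("independent_audit", 1, "controls asserted but never verified"),
]


def threats(s: Supplier) -> List[str]:
    """Threat statements for every control the supplier cannot evidence."""
    return [why for ctl, _, why in THREATS if not s.controls.get(ctl, False)]


def likelihood(s: Supplier) -> int:
    # Base of 1: even a fully controlled supplier is never risk-free.
    return 1 + sum(w for ctl, w, _ in THREATS if not s.controls.get(ctl, False))


def impact(s: Supplier) -> int:
    # No access at all means no technical path to the data, whatever its class.
    return IMPACT[s.data_class] * EXPOSURE[s.access]


def risk_score(s: Supplier) -> int:
    return impact(s) * likelihood(s)


def tier(score: int) -> str:
    """Map a score to the depth of assessment performed in step 3."""
    if score >= 40:
        return "critical: on-site assessment and technical testing"
    if score >= 15:
        return "high: questionnaire plus remote testing"
    if score > 0:
        return "moderate: questionnaire and attestation"
    return "low: attestation only"


def prioritize(suppliers: List[Supplier]) -> List[Tuple[str, int, str]]:
    """Rank the vendor database by risk, highest first, with its assessment tier."""
    ranked = sorted(suppliers, key=risk_score, reverse=True)
    return [(s.name, risk_score(s), tier(risk_score(s))) for s in ranked]


# Constructed vendor database for illustration.
SUPPLIERS = [
    Supplier("Payroll SaaS", "regulated", "network",
             {"mfa": True, "named_accounts": True, "encryption_in_transit": True,
              "patching_sla": False}),
    Supplier("Facilities Contractor", "internal", "privileged", {}),
    Supplier("Marketing Agency", "public", "portal",
             {"mfa": False, "named_accounts": True, "encryption_in_transit": True,
              "patching_sla": True, "independent_audit": True}),
    Supplier("Office Supply Vendor", "internal", "none", {}),
]

if __name__ == "__main__":
    for name, score, level in prioritize(SUPPLIERS):
        print(f"{score:3d}  {name:22s} {level}")
    for s in SUPPLIERS:
        print(s.name, "->", threats(s))
```

The ranking makes the point of the talk in numbers: a contractor with privileged access and no evidence of controls outranks the payroll provider that handles regulated data, because the likelihood term dominates when nothing is verified. A supplier with no access scores zero regardless of its controls, which is what lets a large vendor database be triaged down to the few that justify a real assessment.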

Gary Bahadur

baha@kraasecurity.com

http://www.kraasecurity.com

http://blog.kraasecurity.com
