Thursday, 29 January 2015

3 Windows 10 features that every admin should know

We don’t know exactly when Windows 10 will be released, but it’s a good idea for IT pros to start thinking now about deployment, training and security issues.

Windows 10 is on the horizon. While there is no confirmed ship date quite yet, there’s a good chance we’ll see the final OS this year -- possibly in the fall if Microsoft sticks to its normal release schedule.

To be prepared for any gotchas, it’s a good idea for IT admins to start thinking now about deployment, training and security issues.

1. Deployment and Management Strategy
One of the key enhancements in Windows 10 (which skips a version number from the current Windows 8) could be a godsend to IT admins. With any new Microsoft OS, deployment usually involves a so-called “wipe-and-load” process that essentially removes the existing OS and adds the new version.

With Windows 10, Microsoft is using a new in-place upgrade that retains user settings like desktop resolution or color scheme, but still fits within the management infrastructure for deploying the new release. It’s known as dynamic imaging and, with a new laptop or other device, it means IT can configure even brand-new devices without having to first do a wipe-and-load to meet corporate requirements.

It’s also worth noting that Microsoft says Windows 10 will have the same basic hardware requirements as both Windows 7 and Windows 8, and that there will be better integration between Active Directory and Azure Active Directory. For example, if a user signs in to Windows 10, he or she will also automatically sign in to the Windows Store and to Office 365 in the cloud.

2. Interface Changes
Of course, one of the most important changes in Windows 10 has to do with the interface, which will combine the Metro-style tiles more directly into the desktop. Users will see a new Start menu displaying the tiles that filled the entire screen in Windows 8. This could mean less user training, as users are likely already comfortable with the Start menu from Windows 7.

“Microsoft is trying to make the classic desktop and Metro interface coexist with each other. For Windows 8, at times it seemed like you were on two different computers, so Windows 10 will be more of a happy medium and bring a more cohesive user interface,” says ESET (http://www.eset.com/) researcher Aryeh Goretsky. “The desktop experience will be better while using the desktop Win32 legacy apps. You will no longer be pushed behind the Metro interface.”

3. Security Features

“The biggest way in which Microsoft has addressed the needs of business users is that Windows 10 will provide built-in data loss prevention, often referred to as DLP,” says Benjamin Caudill, founder and principal consultant at Rhino Security Labs. “This means that sensitive documents can take care of themselves, so to speak. Once a file has been secured with Windows 10 DLP, it will ‘phone home’ before allowing anyone to open it. This means that even if an employee accidentally forwards sensitive documents, or if a thumb drive full of charts gets stolen, these files will not allow themselves to be opened.”

Goretsky adds, “Microsoft has basically declared passwords dead, so they are looking into other forms of two-factor authentication. Whether it be out-of-band with a cellphone text, biometric or picture mapping, we will see a non-password form of authentication.”

Goretsky says that other security improvements include more encryption throughout the entire OS, for both managed and unmanaged files. He says Microsoft will also sell a “locked-down” version of Windows 10 hardware, including laptops and tablets that only include software loaded from the Microsoft Store without the possibility to add additional software -- something a business might use to keep employees from loading software that could contain malware.

Best Microsoft MCTS Certification, Microsoft MCITP Training at certkingdom.com

Wednesday, 21 January 2015

Six Biggest Business Security Risks and How You Can Fight Back

IT and security experts discuss the leading causes of security breaches and what your organization can do to reduce them.

Security breaches again made big news in 2014. Yet despite years of headline stories about security leaks and distributed denial-of-service (DDoS) attacks and repeated admonishments from security professionals that businesses (and individuals) needed to do a better job protecting sensitive data, many businesses are still unprepared or not properly protected from a variety of security threats.

Indeed, according to Trustwave’s recent 2014 State of Risk Report, which surveyed 476 IT professionals about security weaknesses, a majority of businesses had no or only a partial system in place for controlling and tracking sensitive data.

So, what can companies do to better protect themselves, and their customers’ sensitive data, from security threats? CIO.com queried dozens of security and IT experts to find out. Following are the six most likely sources, or causes, of security breaches and what businesses can, and should, do to protect against them.

Risk No. 1: Disgruntled Employees

“Internal attacks are one of the biggest threats facing your data and systems,” states Cortney Thompson, CTO of Green House Data. “Rogue employees, especially members of the IT team with knowledge of and access to networks, data centers and admin accounts, can cause serious damage,” he says. Indeed, “there [were] rumors that the Sony hack was not [carried out by] North Korea but [was actually] an inside job.”

Solution: “The first step in mitigating the risk of privileged account exploitation is to identify all privileged accounts and credentials [and] immediately terminate those that are no longer in use or are connected to employees that are no longer at the company,” says Adam Bosnian, executive vice president, CyberArk.

“Next, closely monitor, control and manage privileged credentials to prevent exploitation. Finally, companies should implement necessary protocols and infrastructure to track, log and record privileged account activity [and create alerts, to] allow for a quick response to malicious activity and mitigate potential damage early in the attack cycle.”

Risk No. 2: Careless or Uninformed Employees

“A careless worker who forgets [his] unlocked iPhone in a taxi is as dangerous as a disgruntled user who maliciously leaks information to a competitor,” says Ray Potter, CEO, SafeLogic. Similarly, employees who are not trained in security best practices and have weak passwords, visit unauthorized websites and/or click on links in suspicious emails or open email attachments pose an enormous security threat to their employers’ systems and data.

Solution: “Train employees on cyber security best practices and offer ongoing support,” says Bill Carey, vice president of Marketing for RoboForm. “Some employees may not know how to protect themselves online, which can put your business data at risk,” he explains. So it’s essential to “hold training sessions to help employees learn how to manage passwords and avoid hacking through criminal activity like phishing and keylogger scams. Then provide ongoing support to make sure employees have the resources they need.”

Also, “make sure employees use strong passwords on all devices,” he adds. “Passwords are the first line of defense, so make sure employees use passwords that have upper and lowercase letters, numbers and symbols,” Carey explains.

“It’s also important to use a separate password for each registered site and to change it every 30 to 60 days,” he continues. “A password management system can help by automating this process and eliminating the need for staff to remember multiple passwords.”

Encryption is also essential.

“As long as you have deployed validated encryption as part of your security strategy, there is hope,” says Potter. “Even if the employee hasn’t taken personal precautions to lock their phone, your IT department can execute a selective wipe by revoking the decryption keys specifically used for the company data.”

To be extra safe, “implement multifactor authentication such as One Time Password (OTP), RFID, smart card, fingerprint reader or retina scanning [to help ensure] that users are in fact who you believe they are,” adds Rod Simmons, product group manager, BeyondTrust. “This helps mitigate the risk of a breach should a password be compromised.”

Risk No. 3: Mobile Devices (BYOD)
“Data theft is at high vulnerability when employees are using mobile devices [particularly their own] to share data, access company information, or neglect to change mobile passwords,” explains Jason Cook, CTO & vice president of Security, BT Americas. “According to a BT study, mobile security breaches have affected more than two-thirds (68 percent) of global organizations in the last 12 months.”

Indeed, “as more enterprises embrace BYOD, they face risk exposure from those devices on the corporate network (behind the firewall, including via the VPN) in the event an app installs malware or other Trojan software that can access the device's network connection,” says Ari Weil, vice president, Product Marketing, Yottaa.

Solution: Make sure you have a carefully spelled out BYOD policy. “With a BYOD policy in place, employees are better educated on device expectations and companies can better monitor email and documents that are being downloaded to company or employee-owned devices,” says Piero DePaoli, senior director, Global Product Marketing, Symantec. “Monitoring effectively will provide companies with visibility into their mobile data loss risk, and will enable them to quickly pinpoint exposures if mobile devices are lost or stolen.”

Similarly, companies should “implement mobile security solutions that protect both corporate data and access to corporate systems while also respecting user’s privacy through containerization,” advises Nicko van Someren, CTO, Good Technology. “By securely separating business applications and business data on users’ devices, containerization ensures corporate content, credentials and configurations stay encrypted and under IT’s control, adding a strong layer of defense to once vulnerable points of entry.”

You can also “mitigate BYOD risks with a hybrid cloud,” adds Matthew Dornquast, CEO and cofounder, Code42. “As unsanctioned consumer apps and devices continue to creep into the workplace, IT should look to hybrid and private clouds for mitigating potential risks brought on by this workplace trend,” he says. “Both options generally offer the capacity and elasticity of the public cloud to manage the plethora of devices and data, but with added security and privacy—such as the ability to keep encryption keys on-site no matter where the data is stored—for managing apps and devices across the enterprise.”

Risk No. 4: Cloud Applications
Solution: “The best defense [against a cloud-based threat] is to defend at the data level using strong encryption, such as AES 256-bit, recognized by experts as the crypto gold standard and retain the keys exclusively to prevent any third party from accessing the data even if it resides on a public cloud,” says Pravin Kothari, founder and CEO of CipherCloud. “As many of 2014’s breaches indicate, not enough companies are using data level cloud encryption to protect sensitive information.”

Risk No. 5: Unpatched or Unpatchable Devices
“These are network devices, such as routers, [servers] and printers that employ software or firmware in their operation, yet either a patch for a vulnerability in them was not yet created or sent, or their hardware was not designed to enable them to be updated following the discovery of vulnerabilities,” says Shlomi Boutnaru, cofounder & CTO, CyActive. “This leaves an exploitable device in your network, waiting for attackers to use it to gain access to your data.”

A leading breach candidate: the soon-to-be unsupported Windows Server 2003.

“On July 14, 2015, Microsoft will no longer provide support for Windows Server 2003 – meaning organizations will no longer receive patches or security updates for this software,” notes Laura Iwan, senior vice president of Programs, Center for Internet Security.

With over 10 million physical Windows 2003 servers still in use, and millions more in virtual use, according to Forrester, “expect these outdated servers to become a prime target for anyone interested in penetrating the networks where these vulnerable servers reside,” she says.

Solution: Institute a patch management program to ensure that devices, and software, are kept up to date at all times.

“Step one is to deploy vulnerability management technology to look on your network and see what is, and isn't, up to date,” says Greg Kushto, director of the Security Practice at Force 3. “The real key, however, is to have a policy in place where everyone agrees that if a certain piece of equipment is not updated or patched within a certain amount of time, it is taken offline.”

To avoid potential problems with Windows Server 2003, “identify all Windows Server 2003 instances; inventory all the software and functions of each server; prioritize each system based on risk and criticality; and map out a migration strategy and then execute it,” Iwan advises. And if you are unable to execute all steps in house, hire someone certified to assist you.

Risk No. 6: Third-party Service Providers

“As technology becomes more specialized and complex, companies are relying more on outsourcers and vendors to support and maintain systems,” notes Matt Dircks, CEO, Bomgar. “For example, restaurant franchisees often outsource the maintenance and management of their point-of-sale (POS) systems to a third-party service provider.”

However, “these third-parties typically use remote access tools to connect to the company’s network, but don’t always follow security best practices,” he says. “For example, they’ll use the same default password to remotely connect to all of their clients. If a hacker guesses that password, he immediately has a foothold into all of those clients’ networks.”

Indeed, “many of the high profile and extremely expensive breaches of the past year (think Home Depot, Target, etc.) were due to contractor’s login credentials being stolen,” states Matt Zanderigo, Product Marketing Manager, ObserveIT. “According to some recent reports, the majority of data breaches – 76 percent – are attributed to the exploitation of remote vendor access channels,” he says. “Even contractors with no malicious intent could potentially damage your systems or leave you open to attack.”

“This threat is multiplied exponentially due to the lack of vetting done by companies before allowing third parties to access their network,” adds Adam Roth, cybersecurity specialist from Dynamic Solutions International. “A potential data breach typically does not directly attack the most valuable server, but is more a game of leap frog, going from a low level computer that is less secure, then pivoting to other devices and gaining privileges,” he explains.

“Companies do a fairly good job ensuring critical servers avoid malware from the Internet,” he continues. “But most companies are pretty horrible at keeping these systems segmented from other systems that are much easier to compromise.”

Solution: “Companies need to validate that any third party follows remote access security best practices, such as enforcing multifactor authentication, requiring unique credentials for each user, setting least-privilege permissions and capturing a comprehensive audit trail of all remote access activity,” says Dircks.

In particular, “disable third-party accounts as soon as they are no longer needed; monitor failed login attempts; and have a red flag alerting you to an attack sent right away,” says Roth.
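
One way to put the account advice under Risk No. 1 and Risk No. 6 into practice, as an added example that is not from the original article: a review that lists privileged and third-party accounts to disable, raises an alert on bursts of failed logins, and spots a credential used from more than one source. The inventory layout, the log format, the account names and the thresholds are all assumptions constructed for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inventory: (account, kind, privileged, owner_active, last_login)
ACCOUNTS = [
    ("svc-backup",  "employee", True,  True,  "2015-01-19"),
    ("jdoe-admin",  "employee", True,  False, "2014-12-02"),  # owner has left
    ("pos-vendor",  "vendor",   False, True,  "2015-01-19"),
    ("hvac-vendor", "vendor",   False, True,  "2014-09-30"),  # long idle
]

# Constructed remote-access log: "timestamp account source_ip result"
LOG = """\
2015-01-19T01:00:00 svc-backup 192.0.2.10 OK
2015-01-19T01:30:00 pos-vendor 203.0.113.20 OK
2015-01-19T02:10:05 pos-vendor 198.51.100.7 FAIL
2015-01-19T02:10:30 pos-vendor 198.51.100.7 FAIL
2015-01-19T02:11:02 pos-vendor 198.51.100.7 FAIL
2015-01-19T02:11:40 pos-vendor 198.51.100.7 FAIL
2015-01-19T02:12:15 pos-vendor 198.51.100.7 FAIL
2015-01-19T02:12:50 pos-vendor 198.51.100.7 OK
2015-01-19T03:00:00 jdoe-admin 192.0.2.44 FAIL
2015-01-19T09:00:00 jdoe-admin 192.0.2.44 FAIL
this line is malformed and must be skipped
"""

TODAY = datetime(2015, 1, 21)  # fixed so the example is reproducible


def stale_accounts(accounts, today, max_idle_days=60):
    """Privileged or vendor accounts whose owner is gone or that sit unused."""
    flagged = []
    for name, kind, privileged, owner_active, last_login in accounts:
        if not (privileged or kind == "vendor"):
            continue  # ordinary user accounts are out of scope here
        idle = (today - datetime.strptime(last_login, "%Y-%m-%d")).days
        if not owner_active:
            flagged.append((name, "owner no longer at the company"))
        elif idle > max_idle_days:
            flagged.append((name, f"unused for {idle} days"))
    return flagged


def parse_log(text):
    """Turn log text into sorted (time, account, source, result) tuples."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than guess at fields
        ts, account, src, result = parts
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
                       account, src, result))
    return sorted(events)


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Map account -> time at which `threshold` failures fell in one window."""
    recent = defaultdict(list)
    alerts = {}
    for ts, account, _src, result in events:
        if result != "FAIL":
            continue
        fails = recent[account]
        fails.append(ts)
        while ts - fails[0] > window:  # drop failures older than the window
            fails.pop(0)
        if len(fails) >= threshold and account not in alerts:
            alerts[account] = ts.isoformat()
    return alerts


def shared_credentials(events, max_sources=1):
    """Accounts that logged in successfully from more sources than allowed."""
    sources = defaultdict(set)
    for _ts, account, src, result in events:
        if result == "OK":
            sources[account].add(src)
    return {a: sorted(s) for a, s in sources.items() if len(s) > max_sources}


if __name__ == "__main__":
    events = parse_log(LOG)
    for name, reason in stale_accounts(ACCOUNTS, TODAY):
        print(f"DISABLE  {name}: {reason}")
    for name, when in failed_login_bursts(events).items():
        print(f"ALERT    {name}: repeated failed logins by {when}")
    for name, srcs in shared_credentials(events).items():
        print(f"REVIEW   {name}: used from {', '.join(srcs)}")
```

A vendor account that is only ever expected from one address is the simplest case; where several technicians legitimately connect, issuing each a separate account keeps this check meaningful.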

General Guidance on Dealing With Breaches

“Most organizations now realize that a breach is not a matter of if but when,” says Rob Sadowski, director of Technology Solutions for RSA. To minimize the impact of a security breach and leak, conduct a risk assessment to identify where your valuable data resides and what controls or procedures are in place to protect it.

Then, “build out a comprehensive incident response [and disaster recovery/business continuity] plan, determining who will be involved, from IT, to legal, to PR, to executive management, and test it.”


Wednesday, 14 January 2015

Big names like Google dominate open-source funding

Companies can get plenty of bang for not many bucks via open-source sponsorship.

Network World’s analysis of publicly listed sponsors of 36 prominent open-source non-profits and foundations reveals that the lion’s share of financial support for open-source groups comes from a familiar set of names.

We found 673 companies on the donor rolls of our list of organizations – which was drawn heavily, though not entirely, from the Open Source Initiative’s list of affiliates.

Google was the biggest supporter of open-source organizations by our count, appearing on the sponsor lists of eight of the 36 groups we analyzed. Four companies – Canonical, SUSE, HP and VMware – supported five groups each, and seven others supported four. (Nokia, Oracle, Cisco, IBM, Dell, Intel and NEC.) For its part, Red Hat supports three groups – the Linux Foundation, Creative Commons and the Open Virtualization Alliance.

It’s tough to get more than a general sense of how much money gets contributed to which foundations by which companies – suffice it to say, however, that the numbers aren’t large by the standards of the big contributors. According to Pro Publica’s non-profit records, the average annual revenue for the open-source organizations considered in our analysis was $4.36 million, and that number was skewed by the $27 million taken in by the Wikimedia Foundation (whose interests range far beyond open-source software development) and the $17 million posted by the Linux Foundation.

Split between, say, half a dozen companies, and even the Linux Foundation doesn’t look too hard to fund. What’s $2.83 million a year to Intel? The non-hypothetical, real-world price tag is actually lower, as it turns out – the foundation said that it charges $500,000 per year for platinum membership, $100,000 a year for gold, and anywhere from $5,000 to $50,000 for silver, depending on the size of the company.

It should be pointed out that this is still far from a complete picture – we used the most recent numbers available, but those were frequently from as long ago as 2011, and this doesn’t account for the many overseas groups and others not covered by the database – but it does suggest that, to a company like Google, even relatively major donations barely make a dent in the bottom line.

Another thing keeping the picture incomplete was a reluctance by some of the bigger companies to speak to us on the subject of their activities within the open-source community. We got only boilerplate responses back from two companies, and from list-topping Google, no response at all.

So what do they get out of it?

In the main, companies that support open-source nonprofits get brownie points – your developers can work on a project without the company joining an official foundation (and, importantly, vice versa), so the benefits of direct participation in a project aren’t necessarily related to the non-profit angle.

But those brownie points are far from valueless. All those services provided by non-profits are important to lots of people in the open-source community. Tejun Heo, a prominent kernel developer and Red Hat employee, gave the example of a hobbyist developer attending one of the many conferences on open-source held every year.

“A sponsoring company … would have a lot easier time getting acquainted with the person, and he or she would be a lot more likely to be familiar with and have a positive impression of the company,” he said.

A lot of that goodwill, Heo added, has to do with the job market – sponsorship can make companies more attractive to potentially valuable developers, while keeping them in the loop on individual projects.

“Even if it doesn’t directly result in hiring, the wider contact surface ensures that Red Hat at least can stay in contact with what’s going on in terms of both technical and human resources aspects of the project,” he said.

More even than that, companies like Red Hat employ a lot of people that are just big fans of open-source in the first place, according to Heo.

Of course, some see hints of whitewash in the movement of big tech companies toward the open-source world’s nonprofits. It’s important to note that support for those organizations doesn’t necessarily translate into actual code contributions to open-source projects.

A look at the most recent edition of the Linux Foundation’s “Who Writes Linux” publication, which covers 2013, found that Red Hat was the largest corporate contributor of code to the Linux kernel, at 10.2% of the total. Close behind is Intel, at 8.8%. So far, that tallies with the list of open-source organizations sponsored, but the similarities partially fall away from there – the two next-biggest code contributors were Texas Instruments and Linaro, both of which are supporters of just one organization, the Linux Foundation.

Obviously, this doesn’t prove much on its own – it’s tough to directly compare code contributions and sponsorship, and it doesn’t account for work done on any other projects besides the kernel. But the discrepancy is noteworthy in several cases. Google, for example, contributed less than a quarter of the kernel code that Red Hat did.

Jay Lyman, an analyst with 451 Research, highlighted both positive and negative attributes to corporate sponsorship in open source.

“[Participation] is good in the sense that organizations are focused on real benefits and results, but it could make it easier for those seeking to leverage open-source communities without participating or contributing,” he said.

What do foundations do?

So what do foundations do? In the case of major organizations like the Linux Foundation, it seems almost easier to ask what they don’t do.

The group has a legal defense fund, patent commons, trademark management program, workgroups for several technical focus areas like SDN and accessibility and lots more – not to mention the basic development and testing infrastructure that enables Linux development.

“And we’ll throw in a subscription to Outside Magazine, and a wind-up radio,” jokes Jim Zemlin, the group’s executive director.

Not every non-profit’s operations are so extensive, of course – many provide not much more than training, advocacy and/or a basic organization and collaboration framework for smaller projects, or for geographically clustered groups of open-source developers. But the principle is the same.

One other unique facet of the Linux Foundation’s activities is the group’s direct employment of Linus Torvalds, final arbiter over all things Linux kernel and probably the most powerful person in open-source. That arrangement helps avoid allegations of bias over the direction of the project, which is an issue, though not as contentious as one might suppose, given the fact that many of the most active code contributors to Linux are employed by some of the same companies that underwrite the non-profit.

Tejun Heo said that there’s “no tension at all” between his employer and the broader kernel community.

“If I think something is a technically better direction, that’s the direction I follow. Even when that mismatches with what Red Hat internal engineering was expecting,” he said.

“Somebody once told me that [Red Hat] is a company where a bunch of open-source engineers hired management and marketing people to run the boring, money side of things so that they can continue to do whatever they like, and while it’s a bit of an exaggeration I think there’s a certain amount of truth to that,” he noted.



Monday, 5 January 2015

11 predictions for security in 2015

It’s tough to know what the security landscape will look like in six months, never mind a year. But that doesn’t mean it’s not worth trying.

Predictions for 2015
In the world of business, correctly seeing the future even a few months out can provide a leg up on the competition or, in the case of cybersecurity, on ever-present attackers. A missed guess can leave one scrambling to catch up.

So, here are some predictions for 2015 on security from research firms Gartner and Forrester Research, and from Arthur W. Coviello Jr., executive chairman of RSA.

Nation states vs. private sector
(Coviello) Nation-state cyber-attacks will continue to evolve and accelerate but the damage will be increasingly borne by the private sector.

“With no one actively working on the development of acceptable norms of digital behavior … we can expect this covert digital warfare to continue,” Coviello said. And it will increasingly be private sector firms that will be, “the intended victim or the unwitting pawn in an attack on other companies.”

The rise of integrated threat intelligence
(Gartner) Internet of Things (IoT) device revenue growth of almost 30% will create new vulnerabilities and security demands relating to both physical and digital environments. The expected convergence of IoT security and information security technologies, along with increased regulatory activity directed at protecting critical infrastructure, will drive demand for integrated threat intelligence capabilities, including IoT-related threat data feeds.

More money, much more scrutiny
(Forrester) Security budgets will see double-digit growth in sectors outside of banking and the defense industrial base.

The downside to those increases will be an enormous amount of scrutiny and much higher expectations, not just from business leaders and counterparts in technology management, but also from customers, government agencies, and privacy watchdog groups.

The quest for a uniform threat language
(Gartner) The drive toward a common framework adopting a uniform language, such as Structured Threat Information Expression, will accelerate as a result of the complexity and challenges brought by the need to integrate IoT security data inputs for indicator of compromise (IOC) detection.

Pragmatic privacy
(Coviello) A maturing privacy debate will become more pragmatic and balanced. Prospects for responsible privacy policies and intelligence sharing legislation that would better protect our privacy may improve. One test of this prediction will be the outcome of the EU General Data Protection Regulation, which may reach a final form in 2015.

More billions of things, more billions of risks
(Gartner) 4.9 billion connected things will be in use in 2015, up 30% from 2014, creating disruption, continued opportunities and continued risk.

“Organizations must straddle the tension of all the information available from smart things by balancing their desire to collect and analyze it with the risk of its loss or misuse,” according to Steve Prentice, vice president and Gartner Fellow.

Find the breach, botch the response
(Forrester) With new investments in breach detection, a large majority of companies (60%) will discover a breach, or more likely be informed of it by a third party like a government agency, security blogger or a customer.

But they will likely botch the response, given that only 21% of enterprises report that improving incident response is a critical priority. That means more cases of customers’ trust undermined or corporate reputations dragged through the mud.

Unhealthy exposure
(Coviello) While retail will remain an ongoing target, well-organized cyber criminals will increasingly turn their attention to stealing PHI – personal health information. It is not as well secured, is very lucrative to monetize in the cybercrime economy, and is largely held by organizations without the means to defend against sophisticated attacks – healthcare providers.

Competing on privacy
(Forrester) Privacy will be a competitive differentiator, not just through lip service, but action – appropriate privacy policies, enforcement and building privacy considerations into business operations and the products or services offered to customers.

That will require the leadership of a privacy champion – a Chief Privacy Officer, Data Protection Officer, or privacy professional. Today, about a third of security decision-makers in North America and Europe view privacy as a competitive differentiator. That will increase to half by the end of 2015.

The essential, more secure, mobile payment option
(Gartner) A renewed interest in mobile payment will arise, together with a significant increase in mobile commerce, due in part to the increased security features of Apple Pay and similar near-field communication (NFC) efforts by competitors such as Google.

As device manufacturers and application developers improve usability and functionality and address users' security concerns, devices will become even more of an essential tool for customers, particularly the younger demographics.

Beware the Botnet of Things
(Coviello) The increase of machine-to-human and machine-to-machine interaction will only exacerbate the situation described in a tweet this past year as: “Who needs zero days when you’ve got stupid?” Get ready for the Botnet of Things. This trend along with the strong growth of IoT in the healthcare sector and the accompanying risks to PHI, has ominous implications.


