How the biggest DDOS attack in history could have been easily avoided, or not

April 5, 2013

The recent DDOS attacks aimed at Spamhaus hammer home three very important points that we must learn in our new digital society: 1) how dependent we are on digital communication, 2) how interdependent our networks have become, and 3) how drastic the consequences are when basic “blocking and tackling” measures are not taken.

This particular attack has not only affected Spamhaus; it has also affected internet speed and availability for millions of users and sites in the UK and in Europe. According to an article by John Markoff and Nicole Perlroth in the New York Times, “a number of computer security specialists pointed out that the attacks would have been impossible if the world’s major Internet firms simply checked that outgoing data packets truly were being sent by their customers, rather than botnets.”

The article also discusses how the attack would have been much less successful (or not successful at all) if more internet providers followed the best-practice guidance released 13 years ago (2000) by the IETF (Internet Engineering Task Force) in BCP38.

While the article does a good job explaining the high level concepts of the attack, here is a little more detail on how the attack works, and how these attacks can be stopped:

Imagine some “attacker” can “spoof” your phone number so that your number shows up on other people’s phones when they call. Now imagine the attacker calls a bunch of people and hangs up before they answer— you’ll probably get a bunch of calls back from those people, because it looks like you called and hung up when you didn’t. Now imagine thousands of attackers doing this—you’d certainly have to change your phone number. With enough calls, the entire phone system would be impaired.

That’s similar to what’s happening in this DDOS attack. Attackers are spoofing Spamhaus’s IP addresses (IP addresses are like a phone number on the internet), sending traffic (let’s call this “stimulus”) to servers that they know will respond to this traffic, and these servers dutifully send their responses back to Spamhaus’ servers. Armed with the power of thousands of computers in a botnet, the attackers are sending a lot of stimulus. To make matters worse, the responses are much larger, in terms of size, than the stimulus. This means that for every packet of stimuli, there are many more response packets. (In our example above, imagine that all those hang up calls were to phone numbers that would automatically leave 3 minute messages on your voicemail or keep calling back over and over).

So what servers are drowning Spamhaus (and the rest of us) in response packets?  These servers are called domain name servers, or DNS, and perform a critical function—they match a human friendly name (e.g. google.com) with a machine friendly number (i.e. an IP address). Computers need to know each other’s IP addresses in order to communicate (or the IP address of the firewall that is protecting the computers).

DNS in friendly terms? When you try to browse to google.com, your computer queries a DNS to learn its IP address. If your computer can’t connect to a DNS, or the DNS can’t resolve google.com to an IP address, you’re out of luck. You can see this in action by going to a command prompt or shell on your computer, and typing:

nslookup www.google.com

If successful, you’ll see one or more IP addresses for Google.

Without DNS, instead of typing http://www.google.com in our web browser, we’d be typing, “173.194.75.105” or something similar. I can’t even remember my own phone number anymore—imagine if we had to remember these?

Why is DNS so vulnerable? The primary protocol that DNS servers happen to use is called UDP (User Datagram Protocol). This is important because UDP is “connectionless,” meaning there is no “handshake” when the initial connection is set up. “Handshakes,” like those used in TCP communications, offer a reasonable amount of host authentication—in other words, with TCP connections, you can be reasonably certain that both computers are who they say they are. With UDP, you cannot be sure, especially with short bursts of communications like DNS queries.

So, using a botnet, the attackers are sending millions of DNS queries that appear to be from the victim’s computer (“spoofing” the victim’s IP addresses), and the much larger responses from the DNS servers actually go to the victim’s computers. It’s kind of the ultimate “crank call.”

How can these attacks be stopped? Follow the guidance in BCP38, which explains how internet providers can filter out spoofed traffic. The idea is simple: every router (the devices that connect the internet) understands which addresses should be coming from which direction (interface, in router terms). If a packet arrives that says it’s coming from an IP address that shouldn’t be arriving from that interface, the packet should be dropped.
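As an added illustration (not code from the post), here is the check above written as a strict reverse-path test in Python: a packet is forwarded only if the router would reach its source address back through the interface it arrived on. The forwarding table, interface names and packets are constructed, and 203.0.113.10 stands in for the victim’s address.

```python
"""BCP38-style ingress filtering as a strict reverse-path check.
Added example; the router, its routes and the packets are constructed."""
import ipaddress
from collections import Counter

# Constructed forwarding table for a hypothetical ISP edge router:
# destination prefix -> interface the router would use to reach it.
ROUTES = {
    ipaddress.ip_network("192.0.2.0/24"):    "eth1",  # customer A's link
    ipaddress.ip_network("198.51.100.0/24"): "eth2",  # customer B's link
    ipaddress.ip_network("0.0.0.0/0"):       "eth0",  # default route: upstream
}


def best_route(routes, addr):
    """Longest-prefix match: which interface the router would send to addr on."""
    matches = [(net, iface) for net, iface in routes.items() if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def allowed_by_bcp38(interface, src_ip, routes=ROUTES):
    """A source is legitimate on an interface only if the route back to that
    source points out the same interface (strict reverse-path forwarding)."""
    return best_route(routes, ipaddress.ip_address(src_ip)) == interface


def filter_packets(packets, routes=ROUTES):
    """Apply the check to (ingress_iface, src, dst, proto, dport) tuples.
    Returns (forwarded, dropped) lists in arrival order."""
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src = pkt[0], pkt[1]
        (forwarded if allowed_by_bcp38(iface, src, routes) else dropped).append(pkt)
    return forwarded, dropped


def spoof_report(dropped):
    """Drops per ingress interface: a signal to the operator that a customer
    link is emitting spoofed packets (for example, an infected host)."""
    return dict(Counter(pkt[0] for pkt in dropped))


# Constructed sample traffic: real DNS queries from both customers, a bot on
# customer A's link spoofing the victim's address towards open resolvers, a
# packet with A's address arriving on B's link, and upstream traffic on eth0.
SAMPLE_PACKETS = [
    ("eth2", "198.51.100.7", "192.0.2.53", "udp", 53),  # legit query from B
    ("eth1", "192.0.2.20",   "8.8.8.8",    "udp", 53),  # legit query from A
    ("eth1", "203.0.113.10", "8.8.8.8",    "udp", 53),  # spoofed victim address
    ("eth1", "203.0.113.10", "8.8.4.4",    "udp", 53),  # spoofed again
    ("eth2", "192.0.2.20",   "8.8.8.8",    "udp", 53),  # A's address on B's link
    ("eth0", "203.0.113.10", "192.0.2.20", "udp", 53),  # from upstream: allowed
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drp)} per_iface={spoof_report(drp)}")
```

The last sample packet shows the limit of the technique: the router cannot vet sources arriving from upstream, which is why BCP38 only works when providers filter their own customers’ traffic at the edge.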

Why is this hard? It’s not. So why haven’t internet providers taken these simple steps?

Actually, most of them have: according to research by the MIT ANA Spoofer Project, cited in an article on Senki written in June of 2012, 80% of internet providers had already implemented the recommendations in BCP38, and were already blocking spoofed traffic. It’s the remaining 20% that remain responsible for allowing “spoofed” traffic.

We’re seeing more and more that when fundamental blocking and tackling is missing, our interdependence shows – when a few parties don’t take basic security measures, other parties suffer. Just like on the road, where a few (or many) distracted or careless drivers can cause harm to countless others, a group of sloppily configured routers can allow attackers to disrupt critical infrastructure that we’ve come to depend on.  80% just isn’t good enough.

We can’t turn off DNS. Though it’s theoretically possible to make everyone use TCP instead of UDP for DNS queries (which would make these queries much more difficult to spoof), so many people would be adversely affected during the transition that this might make things worse than just living with the DDOS attacks.

Our best choice is to create a culture of security and responsible computing, where it becomes unacceptable to be in the remaining 20%. Imagine if 20% of the drivers on the road didn’t obey traffic signals—it would no longer be safe to drive. It should be equally unacceptable that so many computers are now in botnet armies that can do such tremendous damage—80% isn’t really good enough there, either. If 20% of the computers in the world are allowed to become part of a botnet, we’re going to have much bigger problems. The culture of security and responsible computing needs to extend to internet providers, and internet users.


Email Security: It’s Every Employee’s Business

April 4, 2013

Email security has become part of the job description for every employee. All it takes is one employee to cause a breach that opens up the entire company. For example, consider The New York Times: the recent breach by Chinese hackers was done via a phishing or spear phishing email. All that was necessary was that one email to be opened, and The New York Times network was accessible to the hackers. And once an attacker is behind the firewall, then the hacker can do anything.

Recently, hackers have been getting even more creative. One of the students in the information security class I teach showed me an email that she received. It contained a message about email phishing schemes and what to look for. The subject line was incorrect when compared with previous emails from the same organization. The body of the email had an incorrect logo and a slightly incorrect signature line. Also, there was a link with a call to action that requested my student to sign in to her account and learn more. She reported this email to the company who allegedly sent it. Had my student not been aware of phishing schemes, she might have clicked on the link and opened up her system to hackers.

Without proper training, it is easy for an employee to accidentally open and launch a window for a hacker. It is the duty of every personnel department to train new employees as to what to look for when receiving email messages. This information should be included in employee manuals and should also be posted on lunch room walls as reminders. With the volume of emails we all receive on a daily basis, it is very easy to forget that one of the emails could be a “Bomb” that could cause a breach. And a network breach can lead to data loss, loss of reputation, and denial of services for your employees and clients.

There are two types of phishing email messages: phishing and spear phishing. Phishing is a generic type of email that is sent to everyone in a company with the hope that someone will open the email and click on a link or open an attachment. There are no names attached to it, the subject line is generic, and the TO: line usually says recipients_not_disclosed. That’s a dead giveaway! Finally, the FROM line does not conform to corporate email standards.

The second form of phishing is called spear phishing. This type of email is more insidious. Someone or some organization has taken the time to find information about a specific employee and personalize an email message to make it look like it has been sent to that person from someone he or she knows. As a result, the email looks legitimate. This email is designed through a few methods. The attacker scours Facebook, LinkedIn, Twitter, and possibly financial information sites such as Hoovers. The hacker may make calls to a company’s receptionist to find other pertinent information regarding the email recipient, possibly an email address and/or phone number. In bigger companies, they may even call the IT department, claim that they are the person of interest, and say they forgot their email password and ask for it to be reset. Hopefully, there are policies in place with the IT department that make it impossible for someone to change a password without multifactor authentication (multiple types of ID must be given before the password can be changed – this is an issue for another post). Spear phishing emails are usually sent to management-level employees since they tend to have more network privileges.

Once again, even with spear phishing, the questions one must ask include: Are you expecting an email from this person, and do you even know him or her? Is there a link in the body of the email? If yes, do not click on it. If you really must know what the link is, send it to the IT department or your security team and let them confirm whether it is legitimate. Due to the speed of business these days, it may be difficult to remember what to look for, but it’s also difficult to recover from a breach. It can happen to anyone; don’t let it be you, for your company’s sake.

Host computers should all have a good virus scanner to scan inbound emails and attachments. After that, here are some things to look for when determining if you’re looking at a phishing email. Does the email address in the FROM: line correspond to the corporate email layout? This may mean: last name first, or first name last. When a message is sent to you, are you expecting an email from that person or is the email coming from someone you don’t know? Look at the subject line of the email: Are there any misspellings in the subject line, and does it make sense?

Make it a policy to never click on live links within an email message. A live link (one that is colored and underlined) could look like a legitimate link but the actual link may send you somewhere else. If you really must know what the link is, copy and paste it into the notepad program. This will show where the link is actually pointing you to. Hovering the mouse over the link will reveal the actual URL. However, if the URL is embedded in an image within the email, you will have to retype the entire URL. There are two other options for shortened links (for example, bitly.com or goo.gl).
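An added example, not from the original post, that automates the hover/notepad check over an HTML message: it flags anchors whose visible text names a different host than the real href, shortened links that hide their destination, and link hosts outside a trusted list. The message, the trusted domain (example.com) and the shortener list are constructed.

```python
"""Flag suspicious links in an HTML email body. Added example; the sample
message, trusted domains and shortener list are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of URL shorteners (the post names bitly.com and goo.gl).
SHORTENERS = {"bit.ly", "bitly.com", "goo.gl", "t.co", "tinyurl.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_domain):
    """Lowercased host from a URL or bare domain; '' if none can be parsed."""
    s = url_or_domain.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def looks_like_url(text):
    """Visible text that itself looks like a URL or domain (no spaces, has a TLD)."""
    t = text.strip()
    return bool(t) and " " not in t and re.search(r"\.[a-z]{2,}", t, re.I) is not None


def in_domains(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)


def review_links(html_body, trusted_domains):
    """Return (href, text, reason) for each anchor a reader should not click."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        real_host = host_of(href)
        if real_host in SHORTENERS:
            findings.append((href, text, "shortened link hides its destination"))
            continue
        shown_host = host_of(text) if looks_like_url(text) else ""
        if shown_host and shown_host != real_host:
            findings.append((href, text,
                             f"text shows {shown_host} but link goes to {real_host}"))
        elif real_host and not in_domains(real_host, trusted_domains):
            findings.append((href, text,
                             f"link host {real_host} is outside trusted domains"))
    return findings


# Constructed phishing-style message: a lookalike domain, a link whose text
# and target disagree, a shortened link, and one legitimate internal link.
SAMPLE_EMAIL = """<p>Dear user,</p>
<p>Please <a href="http://example-security-team.net/login">sign in to your account</a>
to learn more, or visit
<a href="http://198.51.100.5/x">https://portal.example.com/phishing-tips</a>.</p>
<p>Short link: <a href="http://bit.ly/constructed">bit.ly/constructed</a></p>
<p>Help desk: <a href="https://intranet.example.com/help">intranet.example.com/help</a></p>"""

if __name__ == "__main__":
    for href, text, reason in review_links(SAMPLE_EMAIL, {"example.com"}):
        print(f"SUSPECT {href!r} shown as {text!r}: {reason}")
```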

Sometimes emails arrive in your inbox under the guise of legitimacy. They appear to come from somewhere within your organization, but they’re not. An email arrives and asks to change your security credentials – but don’t be fooled. First of all, there should be a general announcement regarding this topic distributed company-wide to all users. It will be sent out by one person, not from “The Security Team.” Be aware of that. Emails regarding this sensitive issue must be sent by individuals, not groups, and an email sent by an internal employee will adhere to corporate email structure, fakes do not.

Many breaches come from an email that looks legitimate from an internal employee. So, look at the signature line at the bottom of the email. If it isn’t the standard signature line that your company uses for all emails, it’s probably suspect. I realize that checking an email to be sure that it’s real can be time-consuming, but the more you look for errors, the better you become at spotting them.

The larger a company is, the harder it is to remind employees about staying vigilant. But in the long run, what’s worse: reminders or hackers? You do the math.

______________________________________________________________

IBM

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.


Start Sweating the Small Stuff

February 27, 2013

In his recent New York Times article, “That Daily Shower Can Be a Killer,” renowned geographer Jared Diamond observes how Americans tend to greatly exaggerate risks that are sensational and beyond our control—like plane crashes and nuclear radiation—yet underestimate the mundane, but more common risks that we can control—like slipping in the shower or falling from a ladder.

In my geek-centric mind, I immediately drew a corollary to computer security. We’ve all met the engineer who will spend weeks obsessing over which password hashing algorithm to use, but fail to implement a solid password policy.

If you find yourself being hyper-paranoid about dangerous, but implausible attacks…stop!  Do a quick risk/frequency gut-check to determine whether you’re wasting time.  You shouldn’t be debating the strength of SHA-256 while your employees are emailing trade secrets to a Nigerian Prince.

XKCD: Security

What are some of the fall-in-the-shower type risks when it comes to data protection?  Our State of Data Protection Report from last year highlights a few:

  • Only 26% of companies are very confident their data is protected
  • 18% weren’t confident at all
  • 23% of companies were not confident or unsure where their critical business data resides
  • 27% of companies did not monitor any access activity on file servers and SharePoint sites
  • 13% of companies never revoke access to data when an employee leaves the organization
  • 61% do not scan their environment for sensitive data

Based on our results, there’s clearly a lot of room to tighten up these fundamental areas of day-to-day risk. Just as Mr. Diamond’s goal is to reduce life’s common accidents to 1 in 1,000, we should strive to minimize common data security risks, like insider theft, by implementing sound security programs.

Want to learn more about risk analysis?

Here are some good resources:


Is DNA Really Personally Identifiable Information (PII)? No. Maybe? Yes!

February 5, 2013

Biometric data is at the limits of what current personal data privacy laws consider worthy of protection. This type of identifier covers fingerprints, voiceprints, and facial images. While the risk factors are not nearly as threatening to consumers as more traditional PII, they do exist. Until recently, the dangers of biometric identification using DNA were more theoretical than real. That has suddenly changed. An article in The New York Times last month put a spotlight on research that proved the feasibility of identifying a person—getting a specific name and address—all from a DNA sequence posted online.

It’s not that regulators have overlooked biometric identifiers. Under HIPAA’s safe harbor rules, for example, the Department of Health and Human Services has a list of 18 e-PHIs that would need to be removed from public medical data for it to be effectively considered de-identified. Along with IP addresses, URLs, email addresses, HHS mentions biometric data, with voiceprints and fingerprints given as the only examples.

I’ve already written about how the Federal Trade Commission, another key US agency involved in data privacy regulation, has issued new guidelines to companies collecting facial images. Driving the FTC’s suggestions—mostly directed at retailers—are the recent improvements in image recognition technology and the availability of massive amounts of tagged photos on social media sites. Image matching software is now good enough so that a face captured by a store’s mall kiosk can eventually reveal ethnicity, mood, and with good likelihood, an actual name behind the face.

The risk of linking a name to a set of fingerprints is less serious for the general public, unless you have a criminal record. However, after the Graduate Management Admission Council (GMAC) began using fingerprints to establish the identity of students taking their “GMATs” for admission to US business schools, the testing company realized there could be privacy issues.

GMAC ultimately decided to use palm scans, which are based on digitizing vein patterns. Since public databases of hand veins don’t exist, the possibility of identification is eliminated.

I would have put DNA into the same category as palm scans: there’s advanced matching technology—available even at the consumer level—but without a public database, there isn’t much of a privacy issue, and therefore DNA is not really a PII.

However, this is not true anymore, and that was the starting point for the researchers mentioned in the Times article. There are actually two public genealogy databases for tracking down one’s ancestry, Ysearch and SMGF, with a combined 135,000 records of DNA data and covering about 39,000 unique last names.

These genealogy databases simply accept a key—actually a pattern on the Y-chromosome—and then return a surname (along with a confidence level). The idea behind these services is to help subscribers find their ancestors and learn more about family backgrounds.

The researchers then examined whether they could narrow down their search. They assumed that they had the state of residency of the subject along with a birthdate—both of these, by the way, are not considered PII under current HIPAA rules. With these three data points and public US Census data, they were able to prove that successful DNA matches would lead to just 12 people on average. That’s a stunning end result from starting with just a DNA pattern.

How good is the DNA “keyword” match at finding a last name? The researchers projected a success rate of 12% for males—since it’s based on the Y chromosome—with a 5% false positive. This is not nearly as accurate as the facial scans, but still a cause for concern. They concluded that the risk of this DNA-based last name search will grow in the future, and there are other scientists and experts who are calling for more public discussion.

I decided to check the privacy policy of one of the DNA testing services. Here’s the good news. They’ll only release your DNA data to third parties with your consent; they treat genetic data as personal data (like name and address), and they say that the genetic data is stored on “secure servers”.

However, thinking purely in terms of bytes, folders, and access rights, I’m wondering how truly secure those DNA files are, and whether there are already hackers looking to get that data using the same techniques and exploits they use to snatch credit card numbers and other personally identifiable information.


Hacks at Twitter, New York Times, WSJ and Washington Post highlight need for better security hygiene

February 4, 2013

Earlier tonight, I received an email I would just as soon not have gotten from Twitter, along with 250,000 Twitter users who had their password reset. Twitter security director Bob Lord explained why I’d received the email on the company blog:

“This week, we detected unusual access patterns that led to us identifying unauthorized access attempts to Twitter user data. We discovered one live attack and were able to shut it down in process moments later. However, our investigation has thus far indicated that the attackers may have had access to limited user information – usernames, email addresses, session tokens and encrypted/salted versions of passwords – for approximately 250,000 users.”

Mike Isaac has been following the story of the hack at Twitter at AllThingsD, if you want the latest news tonight.

After the password reset, I went through and revoked Twitter authorization for a number of unused apps, something I’ve been doing periodically for years now. That habit is among Twitter’s security recommendations.

I’m thinking about other social media accounts now, too. Shortly after Nicole Perlroth began covering IT security for the New York Times, she shifted her practices:

“Within weeks, I set up unique, complex passwords for every Web site, enabled two-step authentication for my e-mail accounts, and even covered up my computer’s Web camera with a piece of masking tape — a precaution that invited ridicule from friends and co-workers who suggested it was time to get my head checked.”

She talked to two top-notch security experts and wrote up a useful list of good digital security practices. Unfortunately, it may be that it takes getting hacked and embarrassed (as I was on Twitter, on Christmas Eve a couple years ago) to change how people approach securing their digital lives.

I don’t recommend that sort of experience to anyone. I was lucky, was tipped off nearly right away and was able to quickly get help from the remarkable Del Harvey, head of the Twitter Safety team.

It could have been much, much worse. I’m thinking of Mat Honan, a Wired journalist who experienced an epic hacking that came about through a chain of  compromised accounts at Amazon, iTunes, Gmail and Twitter. After a lot of work, Honan managed to recover his data, including some precious pictures of his child. In the wake of the hack, he turned on 2-factor authentication on Google and Facebook, turned off “Find my” Apple device, and set up dedicated, secret accounts for password management. Honan isn’t alone in the tech journalist ranks: he just happens to have a bigger platform than most and was willing to make his own painful experience the subject of an extensive story.

A jarring reality is that even people who are practicing reasonably good security hygiene can and do get p0wned. Unfortunately, the weakest point in many networks is the humans — that’s reportedly how Google ran into trouble, when key employees were “spear phished” during “Operation Aurora,” targeted with social engineering attacks that enabled hackers to access the networks.

The last paragraph of Lord’s post suggests that a similar expertise was at work at Twitter, although he does not specify a source.

“This attack was not the work of amateurs, and we do not believe it was an isolated incident. The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.”

It’s been true for a decade but it’s even clearer in the second month of 2013: practicing basic information security hygiene is now a baseline for anyone online, particularly those entrusted with handling confidential sources or sensitive information.

Chris Soghoian was clear about the importance of journalists and media companies getting smarter about keeping sources and information safe in 2011. Tonight, I am not sanguine about how much has changed since in the news industry and beyond.

Two days ago, the New York Times disclosed that hackers had infiltrated …the New York Times. The next day, The Wall Street Journal disclosed similar intrusions. Earlier today, Brian Krebs reported that the Washington Post was broadly infiltrated by Chinese hackers in 2012. The Post confirmed the broad outlines of an attack on its computers.

If you’re a journalist & you’re not using a password manager+unique, long random passwords per website: stop, install and configure one now.

— Christopher Soghoian (@csoghoian) February 2, 2013

If you have a moment this weekend, think through how you’re securing your devices, networks and information. If you use Twitter, visit Twitter.com and update your password. If you haven’t turned on 2-factor authentication for Facebook and Gmail, do so. Update your Web browser and use HTTPS to connect to websites. Disable Java in your Web browser. Think through what would happen if you were hacked, in terms of what numbers you would call and where and how your data is backed up. Come up with tough passwords that aren’t easily subject to automated cracking software.

And then hope that researchers figure out a better way to handle authentication for all of the places that require a string of characters we struggle to remember and protect.

Thanks to digiphile


The Predictive Analytics Revolution- Are you sitting on the sidelines?

October 18, 2012

Predictive analytics (or Big Data) is here to stay. You may not understand it. You may not believe that it really works. But the reality is this: your competitors (and it may be just one or two of them) are using predictive analytics to chew up market space as you remain on the sidelines.

Don’t believe me? Consider the retail space. Who is the undisputed king of retail? That’s right, Wal-Mart. What’s their secret? What has given them the edge for so many years over their competitors? Data analysis. They live and die by data and have for decades. Wal-Mart knows their customer data better than anyone and has the market share to prove it.

Recently the Dollar stores took on Wal-Mart by providing cheaper supplies like toiletries and medicine. Their strategy started to see some success and Wal-Mart even started to lose market share. But the retail giant went back to their data for a solution. The data said that many Wal-Mart customers started pinching pennies at the end of each month and needed a few basic items to get them over until payday. The solution: stocking shelves with thousands of items under $1 at the end of each month. Customers lured to the Dollar stores for such items were back in the Wal-Mart fold.

Target has also jumped into the game with their own consumer analytics program. The most famous example is how they used in-store data to pick out pregnant women through their shopping habits. They used this information to send marketing material promoting baby products. It worked…almost too well.

Wal-Mart, Target, and online stores like Amazon have forced everyone in this market to make a decision: if you want to compete in retail, you had better jump into the data science and predictive analytics game, or a going-out-of-business sale is in your near future. Sitting on the sidelines is not an option.

This isn’t isolated to just retail. There are stories everyday in the news about companies in a variety of markets taking a second look at their data and finding a treasure trove of valuable information.

Despite the hype and the proof that predictive analytics can give companies a competitive edge, the sidelines are full of businesses that are still not sure about getting in the game.

The New York Times reported that a handful of universities are using their data and predictive analytics to help them find students who are about to drop out of school. These schools know that higher enrollment means more money. These early adopters are reaping the benefits and aren’t afraid to tell everyone. Why? The vast majority of their competitors haven’t given this type of data analysis a second thought. Just like the example above, a few colleges will charge ahead and reap the benefits of higher enrollment while other universities…sit on the sidelines.

You can find the same thing in the health care industry. The Wall Street Journal published an article by Dr. Marty Makary of Johns Hopkins pleading with hospitals to make better use of their data to save lives. You can almost hear the frustration in his voice when he writes, “Medical mistakes kill enough people each week to fill four jumbo jets.” Even though there are 98,000 deaths due to medical errors in the United States, most hospitals and medical facilities are slow to adopt any type of data analytics.

A few forward-thinking hospitals and health care facilities will see the opportunity and do what Dr. Makary suggests. Using data visualization and predictive analytics, the trend setters have improved patient care, are keeping costs down – and most importantly – saving lives in the process. But just like the universities, the majority of hospitals will remain on the sidelines. (I hope I can take my family to the forward-thinking hospital!)

Why are so many still sitting on the sidelines?

The Harvard Business Review may have the answer. In an eye-opening survey they reveal the source of the bottleneck. (I highly recommend reading this entire study.) The study shows that the hype and awareness about data analytics is at an all-time high.

According to the survey, a vast majority of companies are planning Big Data initiatives:

  • 85% of organizations reported that they have Big Data initiatives planned or in progress.
  • 70% report that these initiatives are enterprise-driven.
  • 85% of the initiatives are sponsored by a C-level executive or the head of a line of business.
  • 75% expect an impact across multiple lines of business.
  • 80% believe that initiatives will cross multiple lines of business or functions.

But here is where the rubber meets the road. HBR reports that:

  • Only 15% of respondents ranked their access to data today as adequate or world-class.
  • Only 21% of respondents ranked their analytic capabilities as adequate or world-class.
  • Only 17% of respondents ranked their ability to use data and analytics to transform their business as more than adequate or world-class.

The majority of companies are on the sidelines because they think they can’t readily access the data they have, they don’t have in house tools or talent to analyze it and don’t have the ability to put the data to use anyway. In other words, they don’t think their data is good enough.

Don’t let this kind of thinking keep you on the sidelines. I talk to business owners every day who think they don’t have enough data for predictive analytics or even just analytics. Most of the time, just the opposite is true. Many of our clients were pleasantly surprised when we told them they had more than enough data to jump into the game.

Don’t be one of the crowd still sitting on the sidelines. Be one of those early adopters in your market space that uses predictive analytics to jump ahead of the competition. Would you like to learn more?

Thanks to http://blog.canworksmart.com/predictive-analytics/the-predictive-analytics-revolution/?buffer_share=e125e

 


Evolution Beats Extinction: Big Data Opens New Niches with Fast Flash Memory

July 20, 2012

65 million years ago, a six-mile-wide asteroid ended the reign of the dinosaurs, reopening ecological niches that were promptly filled by members of the class Mammalia, one of which, a long time later, went on to invent things like writing, the wheel, and information technology.

Big Data—ultra large scale data storage and analysis—is the storage market’s equivalent of that big rock, but rather than causing mass extinction, it’s simply opening up a lot of new ecological niches for storage technologies, especially advanced solutions like Fusion ioMemory modules and the new release of DataCore’s SANsymphony-V storage hypervisor. The advent of Big Data also offers a unique opportunity to re-architect your storage management infrastructure in a way that can prolong the life of storage “dinosaurs” and make it more adaptable in every respect and more easily aligned to business needs.

As profiled in the New York Times, Big Data is transforming business, government, and education. One researcher reported that a study of 179 large companies showed that those adopting the data-driven decision-making that Big Data makes possible “achieved productivity gains that were 5 percent to 6 percent higher than other factors could explain.”

Big Data is more than just big. It’s restless, too, and best used when hot. Let it cool off, and you lose the situational awareness that can lead to big-time financial rewards. It’s not just a matter of storing a gazillion bytes—you can’t possibly store it all, so your retention policies have to change, and the need to widely share data as quickly as possible means your networking strategies have to change as well.

Fortunately, a storage hypervisor can be a big help in adapting to Big Data. Even better, the benefits of this software layer, which insulates you from all the hardware variables that Big Data can throw your way, kick in long before Big Data arrives. A scalable and comprehensive storage hypervisor like DataCore’s SANsymphony-V is an agent of change: you get the pay-off today and a future-proof storage infrastructure. It also, as we’ll see, can give you an even better return on your Fusion-io ioMemory module investments.

SANsymphony-V provides a complete “storage management stack” and gives you a centralized console that enables you to efficiently pool all your storage resources, mirror and replicate data for high availability, cache data near applications for higher performance, automatically allocate space, and direct traffic to the optimal tier.

Resource pooling has the most immediate impact, because you can aggregate all of your storage capacity, without regard for brand, model, or interface, and easily reclaim unused space. These pooled resources can be easily mirrored locally for high availability, or replicated remotely for disaster recovery. Thin provisioning gives you just-in-time storage allocation for highly efficient use of disk space, and RAM caching speeds up “spindle-based” storage dramatically to turbocharge native disk array performance. The fact that all of these advantages are available to every storage resource managed by SANsymphony-V means that older storage that formerly might have been shuffled off to the dinosaur’s graveyard remains useful longer, leading to a higher ROI for all your storage investments.

Fusion-io Fast Flash Memory and DataCore Auto-tiering Software

When it comes to Big Data, however, it’s probably auto-tiering that’s likely to be of most interest to customers who rely on Fusion-io technology. SANsymphony’s auto-tiering can dynamically direct workloads to the right storage resource based either on access frequency or business rules, so that the hottest data gets the most attention. Older storage can be moved down-tier as new hardware is installed, again prolonging its service life. SANsymphony-V also offers a “cloud gateway” to leverage cloud service providers for both disaster recovery and archival of virtually unlimited capacity—a necessity to keep from getting squashed by Big Data.

This enables SANsymphony-V to put Fusion-io’s server class memory tier at the very top of an agile, easily-managed storage hierarchy that offers unprecedented levels of performance and availability. You can easily balance data value and the need for speed against price/capacity constraints—something that Big Data is going to make ever more necessary—and make sure that you get the utmost benefit from ioMemory modules.

The fallout from Big Data is going to transform business computing at every level, so if you don’t want to end up a data dinosaur, now’s the time to transform your infrastructure with a storage hypervisor. A good place to start is Jon Toigo’s Storage Virtualization for Rock Stars series, starting with Hitting the Perfect Chord in Storage Efficiency, which will give you a good overview of how a storage hypervisor can help you increase engineering, operational, and financial efficiency.


Another Great Trade Robbery

April 17, 2012

by Ken Spinner and David Gibson

“The Great Trade Robbery” – currently used in the context of questionable international trading policies and lopsided sports team player trades—now has yet another meaning. Two recent articles about digital espionage and IP theft by the Chinese government and Chinese businesses describe a new trade robbery that has apparently been going on for some time, and the extreme measures some organizations are taking to protect themselves.

A recent New York Times article discussed how employees now must travel “electronically naked,” meaning leave all electronic devices at home, as just about everything you carry with you digitally—your personal information, your contacts, your login credentials, your company’s intellectual property—will get stolen. The article quoted a former F.B.I. agent: “The Chinese are very good at covering their tracks. In most cases, companies don’t realize they’ve been burned until years later when a foreign competitor puts out their very same product — only they’re making it 30 percent cheaper.”

It makes sense that we become a little more circumspect with the information we carry around. Most of us wouldn’t tote our life savings in cash around the block (much less to China) without a very good reason to do so. A single smartphone can now be a gateway into our digital realm (as well as our life savings, because there’s an app for that). A Trojan installed or outright theft can conceivably lead to the theft of your entire digital life-savings and your organization’s valuable data.

A Business Week article, “Hey China, Stop Stealing our Stuff,” provided additional detail about China’s questionable “trading” practices, including sanctioned hacking of foreign entities by the Chinese Government. The article included a few examples of the impact on the victims – millions of dollars lost, a significant drop in stock price, and a loss of customer confidence.

So we can’t just keep our data at home, apparently. We have to continue to be vigilant even on our “trusted networks.”

China represents a huge market, but these articles illustrate that companies doing business in China or with Chinese interests must begin to think about mitigating new levels of risk, and in some cases take drastic actions like traveling “electronically naked” to minimize potential exposure.

Putting China and extreme security aside for a second, how is your organization doing at some of the more basic data protection tasks? For example:

  • Do you know for certain where all the intellectual property in your organization resides?
  • Do you know who can and does access it?
  • How often is access reviewed?
  • Does the organization allow intellectual property to be accessed or stored on laptops?
  • Does the organization allow intellectual property to be accessed or stored on remote devices, such as smartphones or tablets?

If the answer is “no” to the first two questions, for example, forget about keeping your data secret from China—you may not be able to keep it secret from your kids.

Thanks to Varonis.

For more information www.c24.co.uk



How SMBs can avoid costly legal disputes over who owns social networking data

January 13, 2012

There may be trouble ahead for small and medium-sized businesses (SMBs) who neglect to adopt formal corporate social media policies. Lack of clearly defined company social networking accounts and data ownership criteria means they could be storing up legal trouble for themselves in the not too distant future and potentially leave the SMB sector with significant legal issues over data ownership.

Many SMBs are now truly embracing social networking applications by adopting them within their overall marketing strategies. It is almost impossible to track who owns this data as social data content is aggregated from site to site. As businesses of all sizes and types embrace social networking as a way to propagate messages and build their brands, the line dividing personal and company data is becoming increasingly blurred. The important thing is that companies take steps to protect themselves as much as possible in advance.

Some simple tips to protect your social media assets and avoid litigation over data ownership:

  • Include a corporate social media policy alongside internet usage guidelines
  • Make sure company accounts are totally separate from employee personal accounts
  • Ensure company Facebook and Twitter accounts are not tied to employee personal email accounts

Ex-employer seeks damages over non-surrender of Twitter account

The legal position is at a very early stage of development. You may have read about Noah Kravitz, a California-based blogger who is being sued by his former employer, PhoneDog. His ex-employer is seeking damages because Mr. Kravitz did not surrender his Twitter account to them when he left the company. PhoneDog believe they had heavily invested in helping Mr Kravitz grow the number of followers he had on Twitter and therefore the account should be their property. The company view this Twitter account as a confidential customer list and the intellectual property of PhoneDog.

In a statement to the New York Times, the company said: “The costs and resources invested by PhoneDog Media into growing its followers, fans and general brand awareness through social media are substantial and are considered property of PhoneDog Media”. The dispute really hinges on why the account was opened in the first place. PhoneDog believe that if the account was opened on behalf of PhoneDog and was to be used to communicate with customers, then the Twitter account is their property. Mr Kravitz maintains he opened the account with a view to using it for both professional and personal reasons, and this is where the question of why the account was opened gets blurred. This blurring between work and personal is particularly problematic in the social networking sphere.

Legal conflicts over data ownership not restricted to Twitter

Such legal conflicts have occurred with other social media platforms also. In another, less recent UK case, a recruitment consultant moved confidential contact information to his LinkedIn account whilst employed at Hays Recruitment. This decision was one of the first to highlight the tension between businesses encouraging employees to use social networking websites for work but then claiming that the contacts and content remain confidential information at the end of their employment.

In 2007 a judgement involving the UK arm of a US business-to-business media publishing group (PennWell Publishing v Ornstein) ruled that the employer owned the Outlook contacts of a former journalist employee, even though this list contained both work and personal contacts, some of which had been brought to the company by the employee.

Not defining what company data is in advance can be a costly oversight

As we’ve seen, this blurring between work and personal becomes even more problematic in the social networking sphere. It’s time for every company to include a corporate social media policy alongside internet usage guidelines as part of their employment terms, to avoid possible litigation and protect their social media assets and property. Without a clear internet policy, many employees are unaware of the implications of sharing information on sites like LinkedIn, and if appropriate protection is absent, many employers risk being drawn into costly legal wrangles with employees as time goes on.

www.webtitan.com



GAP and their iPad APP

September 7, 2011


We missed this little gem from GAP. Their new iPad app looks fantastic. The app includes video interviews and social feeds from Facebook and Twitter amongst all sorts of goodness, but the biggest thing here is that everything is ready for purchase or sharing directly from the iPad app, no matter what piece of content you are looking at.

I would love to see how the guys at GAP can get this app going with product placement in TV shows. That might be the next thing they are looking into; anyway, for now please enjoy…
