[ISN] Security UPDATE -- Lessons in Disaster Recovery -- September
isn at c4i.org
Thu Sep 15 00:50:14 EDT 2005
1. In Focus: Lessons in Disaster Recovery
2. Security News and Features
- Recent Security Vulnerabilities
- McAfee and Microsoft Warn About ASP.NET Forms Authentication
- eEye's Lengthy Laundry List of Vulnerabilities
3. Security Toolkit
- Security Matters Blog
- Security Forum Featured Thread
4. New and Improved
- Make Your Public PCs More Resilient
==== 1. In Focus: Lessons in Disaster Recovery ====
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
I seriously doubt that there is a person reading this newsletter who
doesn't know of the devastation caused by Hurricane Katrina. Vast areas
of the southern coast of the United States have been destroyed.
People's lives are in ruins, and how long it will take to recover is

The human suffering and loss of life is heart wrenching, to put it
mildly, and although I have a difficult time thinking about protecting
computer systems in the wake of such disaster, such protection is in
fact the focus of this newsletter. Therefore I think it's appropriate
to revisit disaster recovery in terms of information security and

Katrina brings to light the fact that you and your business can be
displaced not just temporarily, but for significant periods of time. A
robust disaster recovery plan is paramount. Katrina shows us that in
addition to thinking about system and communication failure, you should
also consider the possibility that your premises might be destroyed and
rendered unusable either temporarily or permanently. You need to think
about system recovery, but you also need to consider hardware
replacement or recovery, relocating available personnel in new office
space, and replacing communication systems.

Data backup strategies can include offsite storage by either physically
transporting media somewhere or by using a backup system that transmits
data over a communication link. Either way, you should probably use an
offsite backup location that's in a completely different geographic

You should also consider maintaining live backup Web sites, mail
servers, and DNS systems that are ready to go. If you plan these right,
they'll kick into action immediately as soon as anything at your main
site goes down.

To get in touch with key employees after a disaster, you might need
conventional-phone alternatives such as cell phones and Voice over IP
(VoIP) tools. However, if cell towers and other communication lines
fail, then those technologies will also be useless. You could consider
getting satellite phones if your business needs justify the cost.

You'll also need a quick exit strategy. If you must evacuate the area,
what will you take, aside from obvious essentials? You could gather
disk drives that contain mission-critical data and other devices if you
have time. One easy way to help protect hardware and documents you
might need to take with you or leave behind is to waterproof them by
using a product such as Space Bags (see URL below). Having a big safe
or vault to store hardware might be a good idea too. After all, if the
building collapses, Space Bags won't be much help.

In addition, you might consider the fact that you might have to leave a
lot of data behind. If it's sensitive information, then it should be
encrypted in case the hardware falls into the wrong hands in your
absence. You probably won't have time to start encrypting data during a
crisis, so you need to have such a process in place beforehand.

Those are a few ideas that might help you review your disaster recovery
plans. As I've written before, you need to be ready to take action
quickly on short notice and be ready to recover quickly from events
that strike with little or no advance warning. A comprehensive disaster
response and recovery plan is part of good business security.

You can find more information about disaster recovery for OSs,
databases, email systems, and more in numerous articles on our Web

The Microsoft Professional Developers Conference 2005 (PDC05) is this
week in Los Angeles. Check out Paul Thurrott's PDC05 blog on our Web
site to find out the latest development news from LA.
==== 2. Security News and Features ====
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these

McAfee and Microsoft Warn About ASP.NET Forms Authentication
McAfee published a white paper that helps developers understand how
to better protect against replay attacks in applications based on
ASP.NET. Microsoft also published an article about the problem, which
pertains to forms authentication. Both Microsoft and McAfee recommend a
series of defenses.

eEye's Lengthy Laundry List of Vulnerabilities
Since the end of March, eEye Digital Security has discovered no fewer
than nine vulnerabilities in Microsoft products, two in RealNetworks
products, and one in Macromedia products. No patches are publicly
available for any of these problems.
==== 3. Security Toolkit ====
Security Matters Blog: Some Vulnerabilities Are Downright Funny
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=13892:4FB69
Full Disclosure is a decent mailing list, although the conversation can
at times become childish and full of offensive language. Once in a
while, a truly funny post comes across the list to lighten the
discussion. Read this blog item for a little comedic relief.

by John Savill, http://list.windowsitpro.com/t?ctl=13891:4FB69
Q: I'm trying to copy a user profile, but the Copy To button is grayed
out in the dialog box in the System Control Panel applet. How can I
access that functionality?
Find the answer at

Security Forum Featured Thread: Securing Microsoft Access
A forum participant has a Microsoft Access database on the company
network and wants some people to be able to read it and others to be
able to make changes to it. When he chooses what he thinks are the
proper security settings in Tools, Security, he gets a "Not a valid
account name or password" error message. Does he need to save an .mdw
file to a particular folder, and can he create passwords on the fly?
Join the discussion at
==== 4. New and Improved ====
by Renee Munshi, products at windowsitpro.com

Make Your Public PCs More Resilient
Jackson Backup offers the Jackson Armor Card, a PCI card that
provides fast recovery technology for computers in schools, libraries,
cyber cafes, and other public places. Jackson Armor Card is designed to
protect a PC's OS and program settings; it guards against any form of
corruption or unwanted modification, accidental or intentional damage
to the hard drive, hacking, viruses, tampering, and most accidents
including formatting. To recover the PC's original settings and data
after an incident, you simply reboot the system. The Jackson Armor Card
costs $79.99. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!
Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
Share your security-related discoveries, comments, or problems and
solutions in the Windows IT Security print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rwinitsec at windowsitpro.com. If we print your submission, you'll
get $100. We edit submissions for style, grammar, and length.
==== Contact Us ====
About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=13894:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com
This email newsletter is brought to you by Windows IT Security,
the leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for
internal users. Subscribe today.
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2005, Penton Media, Inc. All rights reserved.