[ISN] Security UPDATE -- Lessons in Disaster Recovery -- September 14, 2005

InfoSec News isn at c4i.org
Thu Sep 15 00:50:14 EDT 2005




1. In Focus: Lessons in Disaster Recovery

2. Security News and Features
   - Recent Security Vulnerabilities
   - McAfee and Microsoft Warn About ASP.NET Forms Authentication
   - eEye's Lengthy Laundry List of Vulnerabilities

3. Security Toolkit
   - Security Matters Blog
   - FAQ
   - Security Forum Featured Thread

4. New and Improved
   - Make Your Public PCs More Resilient


==== 1. In Focus: Lessons in Disaster Recovery ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

I seriously doubt that there is a person reading this newsletter who 
doesn't know of the devastation caused by Hurricane Katrina. Vast areas 
of the southern coast of the United States have been destroyed. 
People's lives are in ruins, and how long it will take to recover is 
still unknown. 

The human suffering and loss of life are heart-wrenching, to put it 
mildly, and although I have a difficult time thinking about protecting 
computer systems in the wake of such disaster, such protection is in 
fact the focus of this newsletter. Therefore I think it's appropriate 
to revisit disaster recovery in terms of information security and 
computer networks. 

Katrina brings to light the fact that you and your business can be 
displaced not just temporarily, but for significant periods of time. A 
robust disaster recovery plan is paramount. Katrina shows us that in 
addition to thinking about system and communication failure, you should 
also consider the possibility that your premises might be destroyed and 
rendered unusable either temporarily or permanently. You need to think 
about system recovery, but you also need to consider hardware 
replacement or recovery, relocating available personnel in new office 
space, and replacing communication systems. 

Data backup strategies can include offsite storage by either physically 
transporting media somewhere or by using a backup system that transmits 
data over a communication link. Either way, you should probably use an 
offsite backup location that's in a completely different geographic 

You should also consider maintaining live backup Web sites, mail 
servers, and DNS systems that are ready to go. If you plan these right, 
they'll kick into action as soon as anything at your main site goes 
down. 

To get in touch with key employees after a disaster, you might need 
conventional-phone alternatives such as cell phones and Voice over IP 
(VoIP) tools. However, if cell towers and other communication lines 
fail, then those technologies will also be useless. You could consider 
getting satellite phones if your business needs justify the cost. 

You'll also need a quick exit strategy. If you must evacuate the area, 
what will you take, aside from obvious essentials? You could gather 
disk drives that contain mission-critical data and other devices if you 
have time. One easy way to help protect hardware and documents you 
might need to take with you or leave behind is to waterproof them by 
using a product such as Space Bags (see URL below). Having a big safe 
or vault to store hardware might be a good idea too. After all, if the 
building collapses, Space Bags won't be much help. 

In addition, consider that you might have to leave a lot of data 
behind. If it's sensitive information, it should be encrypted in case 
the hardware falls into the wrong hands in your absence. You probably 
won't have time to start encrypting data during a crisis, so you need 
to have such a process in place beforehand. 

Those are a few ideas that might help you review your disaster recovery 
plans. As I've written before, you need to be ready to take action 
quickly on short notice and be ready to recover quickly from events 
that strike with little or no advance warning. A comprehensive disaster 
response and recovery plan is part of good business security.

You can find more information about disaster recovery for OSs, 
databases, email systems, and more in numerous articles on our Web 


The Microsoft Professional Developers Conference 2005 (PDC05) is this 
week in Los Angeles. Check out Paul Thurrott's PDC05 blog on our Web 
site to find out the latest development news from LA.


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security 
Alerts, which inform you about recently discovered security 
vulnerabilities. You can also find information about these 
discoveries at

McAfee and Microsoft Warn About ASP.NET Forms Authentication
   McAfee published a white paper that helps developers understand how 
to better protect against replay attacks in applications based on 
ASP.NET. Microsoft also published an article about the problem, which 
pertains to forms authentication. Both Microsoft and McAfee recommend a 
series of defenses.

eEye's Lengthy Laundry List of Vulnerabilities
   Since the end of March, eEye Digital Security has discovered no less 
than nine vulnerabilities in Microsoft products, two in RealNetworks 
products, and one in Macromedia products. No patches are publicly 
available for any of these problems. 


==== 3. Security Toolkit ==== 

Security Matters Blog: Some Vulnerabilities Are Downright Funny 
   by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=13892:4FB69

Full Disclosure is a decent mailing list, although the conversation can 
at times become childish and full of offensive language. Once in a 
while, a truly funny post comes across the list to lighten the 
discussion. Read this blog item for a little comedic relief. 

FAQ
   by John Savill, http://list.windowsitpro.com/t?ctl=13891:4FB69 

Q: I'm trying to copy a user profile, but the Copy To button is grayed 
out in the dialog box in the System Control Panel applet. How can I 
access that functionality?

Find the answer at

Security Forum Featured Thread: Securing Microsoft Access
   A forum participant has a Microsoft Access database on the company 
network and wants some people to be able to read it and others to be 
able to make changes to it. When he chooses what he thinks are the 
proper security settings in Tools, Security, he gets a "Not a valid 
account name or password" error message. Does he need to save an .mdw 
file to a particular folder, and can he create passwords on the fly? 
Join the discussion at 


==== 4. New and Improved ====
   by Renee Munshi, products at windowsitpro.com

Make Your Public PCs More Resilient
   Jackson Backup offers the Jackson Armor Card, a PCI card that 
provides fast recovery technology for computers in schools, libraries, 
cyber cafes, and other public places. Jackson Armor Card is designed to 
protect a PC's OS and program settings; it guards against any form of 
corruption or unwanted modification, accidental or intentional damage 
to the hard drive, hacking, viruses, tampering, and most accidents 
including formatting. To recover the PC's original settings and data 
after an incident, you simply reboot the system. The Jackson Armor Card 
costs $79.99. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving 
you time or easing your daily burden? Tell us about the product, and 
we'll send you a T-shirt if we write about the product in a future 
Windows IT Pro What's Hot column. Send your product suggestions with 
information about how the product has helped you to 
   whatshot at windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
   Share your security-related discoveries, comments, or problems and 
solutions in the Windows IT Security print newsletter's Reader to 
Reader column. Email your contributions (500 words or less) to 
r2rwinitsec at windowsitpro.com. If we print your submission, you'll 
get $100. We edit submissions for style, grammar, and length.


==== Contact Us ==== 

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://list.windowsitpro.com/t?ctl=13894:4FB69
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- salesopps at windowsitpro.com


This email newsletter is brought to you by Windows IT Security, 
the leading publication for IT professionals securing the Windows 
enterprise from external intruders and controlling access for 
internal users. Subscribe today.

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
