Blog

  • Preparing for the worst through employee training

    Given the recent headlines about Jason Rodriguez, and about personnel or ex-personnel gunning down fellow employees, how can your emergency plan prepare for this? The Army can’t protect itself from a high-ranking officer who decides to go on a shooting spree. How does a company plan for an ex-employee, fired two years ago, coming back to shoot at random people in the office? Does your emergency plan include mock scenarios of anything similar? How can we plan for something as horrific as this? Unfortunately we have to plan for the worst; it is better to be prepared than not.

    (more…)
  • Observations from BarcampBank Chicago

    Last Friday, I attended my fourth BarcampBank. It was in a suburban area of Chicago (Naperville) and the event was located at the Illinois Credit Union League offices. It is always interesting to see the slight differences in how these events come to life, but this event, for me, didn’t disappoint. There were about twenty participants for the day and everyone else was new to the whole Barcamp vibe and experience.

    (more…)
  • Find how many subnets? OMG! How?

    As technology folks, we like to get technical (read: geeky) from time to time. If you’re like us, this is the post for you. WARNING: Heavy technical speak ahead.

    (more…)
  • Finance firms to spend billions on risk management – survey

    08 February, 2010 – 10:59

    The top 100 financial institutions will spend over $100 billion a year implementing risk governance frameworks by 2012, according to research from business advisory firm Deloitte.

    This is more than double the figure they spent on risk and control activities in 2006, the last full year before the financial crisis, says Deloitte, which surveyed chief risk officers (CROs) or equivalents at 28 financial institutions, including investment and retail banks and insurers.

    Most respondents expect spending on risk and compliance to continue to rise and say much of it is a direct result of the global financial crisis. Money is being spent on people, computer systems and meeting Basel II and Solvency II capital standards.

    However, despite the growing financial investment in risk governance, Deloitte believes the success of such expenditure hinges on a corresponding behavioural change in risk culture.

    While 93% of the CROs surveyed say their firms have comprehensive enterprise-wide risk statements in place, only 67% suggest these are having a significant impact on risk taking behaviour.

    Martyn Jones, chairman, corporate governance services group, Deloitte, says: “It is clear that financial institutions are investing more heavily in risk management, but some are struggling with the integration. The fundamental issue is around behavioural changes – without changes in attitudes and behaviour no framework will be truly effective.”

    In October a report by financial regulatory agencies warned that firms need to make substantial and sustained investments in IT infrastructure if they are to overcome severe underlying weaknesses in their risk management capabilities.

    The Senior Supervisors Group, which comprises watchdogs from seven countries (US, Canada, France, Germany, Japan, Switzerland, UK), observed that underlying weaknesses in governance, incentive structures, information technology infrastructure and internal controls would need to be overhauled.

  • 2009 Bank Failures Visualized

    I’m completely a visual type of person. I really enjoyed this infographic data from Focus.com.

    (more…)
  • Future of Payments – Square

    If you haven’t heard by now, there’s a new application being launched by Jack Dorsey, who originally founded Twitter, called Square. It’s an iPhone based payments app that allows credit card processing. Here’s a demo by Kevin Rose showing off the product. Enjoy.

    (more…)
  • The Balancing Act of USB Mass Storage Drives!

    USB flash drives are a very important part of our day-to-day activities. When a network is down, they provide an alternate way to copy and exchange files between computers. But in the strange world we live in, there is something dark underneath every great invention, and this is no exception: the USB memory stick can be used by bad guys and gals for abusive practices. Not only is your network security at risk; your private or sensitive data can simply walk out of your well-protected network into the wild, and who knows how it will be used. Look at it this way: even as an employee of the institution, I can bring in a contaminated USB memory stick and plug it into my network-connected PC, and the odds that the whole network ends up infected with viruses, worms or other unwanted malware skyrocket. The user may never be aware of what has happened. And if the user is a bad actor, he or she can take home a copy of your highly guarded financial data that same evening.

    The risks are enormous, but we need a balancing act between business needs and security, since the two go hand in hand. In my opinion, the strategy should rest on one of the basic security principles: users should be authorized to use services such as USB drives, CD/DVD, registry access and so on only where there is a business need, and only to the extent that need requires (least privilege). This way you minimize the potential security risk and keep your business safe from intrusion.

    (more…)
  • Is Your Website Safe From Hackers?

    Attacks. There are many attacks out there, but one stands out because it has become so popular in the hacker community: the SQL injection attack. Most unauthorized access to websites and their back-end databases starts this way. The attack is possible when a careless web developer releases a page whose input text box is used to build a query without proper input validation. An attacker types SQL fragments into the text box, the application executes them, and the attacker gains access to the back-end database. Online banking websites have a great many input text boxes, starting with sign-up and sign-in and continuing through customer comments and the pages inside the account. Behind every one of these boxes there should be code that validates the input so that no SQL commands or parameters can be smuggled in. I have seen many log-in pages whose user-id and password boxes are not validated at all, and that is enough for a bad guy to gain unauthorized access and download the entire database. There is a lot of information available about SQL injection; learn from it and take precautions so you do not become a victim. Some of the precautions you can take:

    • Validate the input data against what the field is supposed to contain. For example, if the text box expects a number, do not accept text, and vice versa. Reject anything that does not match the expected format rather than trying to filter out SQL keywords, which is error-prone.
    • Never build the SQL query by concatenating user input into the query string. Pass the values as bound parameters (prepared statements) so the database treats them as data, not as part of the command.
    • Store passwords only as salted hashes, and encrypt other sensitive stored data, so that a hacker who does get at the table cannot simply read credentials and walk into the site and the back-end database.
    • Ensure that the account the application uses to reach the back-end database is set up with least privilege (for example, read-only where the page only reads). The same goes for every other user and application account.
    • Ensure all error messages are generic and do not hand the attacker details (query text, table names, stack traces) that can be used to break into your website.
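    The precautions above, shown side by side in code. This is an added example written for this page, not code from the original post: it builds a small in-memory SQLite database with made-up users and balances, shows a vulnerable lookup that pastes the text-box value into the query, and then the hardened version with whitelist validation, bound parameters, salted password hashes, a constant-time comparison and a single generic error message. The table layout, user names and the hypothetical `handle_balance_request` web handler are assumptions for illustration.

```python
"""Added example (not from the original post): a SQL-injectable account lookup
beside its hardened form, against a constructed in-memory SQLite database."""
import hashlib
import hmac
import os
import re
import sqlite3

# Whitelist for a user-id text box: letters, digits, dot, dash, underscore.
USERID_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")
GENERIC_ERROR = "Request could not be processed."


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256. Passwords are stored hashed, never in clear or merely encrypted."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the demo; names, passwords and balances are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userid TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB, balance INTEGER)"
    )
    for userid, password, balance in [("alice", "correct horse", 1200), ("bob", "hunter2", 350)]:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                     (userid, salt, hash_password(password, salt), balance))
    conn.commit()
    return conn


def fetch_balance_vulnerable(conn, userid):
    """VULNERABLE: the text-box value is concatenated straight into the SQL string."""
    sql = f"SELECT userid, balance FROM users WHERE userid = '{userid}'"
    return conn.execute(sql).fetchall()


def fetch_balance_safe(conn, userid):
    """Hardened: reject anything outside the whitelist, then bind the value as a parameter."""
    if not USERID_RE.fullmatch(userid):
        raise ValueError("userid failed validation")
    sql = "SELECT userid, balance FROM users WHERE userid = ?"
    return conn.execute(sql, (userid,)).fetchall()


def login(conn, userid, password):
    """Parameterized credential lookup plus constant-time hash comparison. Returns True/False."""
    if not USERID_RE.fullmatch(userid):
        return False
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE userid = ?", (userid,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


def handle_balance_request(conn, userid):
    """Hypothetical web handler: data on success, one generic message on any failure."""
    try:
        rows = fetch_balance_safe(conn, userid)
    except (ValueError, sqlite3.Error):
        # Log the detail server-side; never echo query text or DB errors to the browser.
        return {"ok": False, "error": GENERIC_ERROR}
    return {"ok": True, "rows": rows}


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"            # classic tautology typed into the user-id box
    print(fetch_balance_vulnerable(db, payload))   # every row in the table leaks
    print(handle_balance_request(db, payload))     # generic error, nothing leaks
    print(login(db, "alice", "correct horse"), login(db, "alice' --", "anything"))
```

    The payload `x' OR '1'='1` turns the vulnerable query's WHERE clause into `userid = 'x' OR '1'='1'`, which is true for every row, so the attacker receives the whole table. The hardened path never lets it reach the database: the whitelist rejects the quote character, and even a value that passed validation would be bound as data rather than parsed as SQL. Running the application's database account with SELECT-only rights on the tables the page needs is the least-privilege step that limits damage if a bug slips through anyway.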
    (more…)
  • Virtualization? Why Not!

    Well, I’ll tell you. Let me start by saying I do think the overall benefits of Virtualization heavily outweigh the risks.
    Since I don’t want this to be a doom and gloom blog, I’ll start with the positives of Virtualization.

    • Lower hardware costs for servers and their maintenance, and for routers and switches too, with VLANs.
    • Saving valuable physical space in server rooms.
    • Going green with energy consumption and generator/battery backups.
    • Normalizing platforms across multiple systems.
    • Agility in an environment. Imagine a server crash: you can just boot up a Virtual Machine and, like that, you are good to go!
    • Saving money on licensing. I’m not an expert at all on licensing, but I know vendors have relaxed their licensing because they aren’t really sure how to manage it with virtualization.

    Now I’ll focus more on the potential risks of Virtualization, because they aren’t discussed as much as the benefits, and we are security people… it’s what we do!

    (more…)
  • Finovate Video is Up!

    The videos for the FinovateSpring conference have been posted and are now up. We prepared close to 10 hours for these seven minutes and, based on the audience’s reaction, they really liked what we did. Thanks to Jim Bruene and Eric Mattson again for the opportunity!

    (more…)