Tuesday 29 April 2014

Zero-day IE unprotected, Windows XP exposed

Microsoft is trying to gauge the seriousness of a zero-day flaw in all Internet Explorer browsers from versions 6 through 11 and whether it warrants issuing an out-of-band fix before May's Patch Tuesday.

The vulnerability, which is being exploited in the wild, allows remote code execution within the browser and could be carried out by luring users to specially crafted Web pages. It then enables attackers to assume the same privileges as the current user.


While Microsoft investigates, it recommends that users deploy its Enhanced Mitigation Experience Toolkit (EMET) 4.1, whose default setting helps protect IE. EMET can be configured using group policy.

It also recommends blocking ActiveX Controls and Active Scripting by setting IE security zone settings to “high.” This may cause some Web sites to behave incorrectly. “If you have difficulty using a website after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites,” Microsoft says. “This will allow the site to work correctly even with the security setting set to High.”
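The zone change Microsoft describes above is a registry-backed setting, so an administrator will want to verify it on each machine rather than trust that the slider was moved. The PowerShell below is an added example, not code from the article or from Microsoft. It reads the documented Internet Explorer zone values (the "1A10" security-level value, "1200" for running ActiveX controls and "1400" for Active scripting, where 3 means Disable and 0x12000 is the High level), reports whether the Internet zone matches the High setting, checks whether an EMET uninstall entry and the Flash ActiveX ProgID are registered, and shows how a trusted-site entry is written. The EMET detection heuristic (an uninstall DisplayName starting with "EMET") and the sample domain intranet.example.com are this example's own assumptions; the ShockwaveFlash.ShockwaveFlash check only says the control is registered, not that IE has it enabled.

```powershell
# Added audit example (not from the article or from Microsoft): report whether an IE
# security zone is at "High" with ActiveX controls and Active scripting disabled, as
# the mitigation described above requires, and show how a trusted site is recorded.
# Zone value names and meanings follow the documented IE zone registry layout.

$ZoneSubPath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

$Disabled  = 3        # per-setting values: 0 = Enable, 1 = Prompt, 3 = Disable
$HighLevel = 0x12000  # value of "1A10" (security level slider) when the zone is High

function Get-IEZoneMitigationStatus {
    param(
        # 3 = Internet zone (where a crafted web page lands); 1 = Local intranet
        [ValidateSet(1, 3)] [int] $Zone = 3,
        # Group-policy-managed zones use the same layout under HKLM
        [ValidateSet('HKCU', 'HKLM')] [string] $Hive = 'HKCU'
    )
    $key   = "${Hive}:\$ZoneSubPath\$Zone"
    $props = Get-ItemProperty -Path $key -ErrorAction Stop

    $level        = [int]$props.'1A10'   # security level slider
    $runActiveX   = [int]$props.'1200'   # "Run ActiveX controls and plug-ins"
    $activeScript = [int]$props.'1400'   # "Active scripting"

    [pscustomobject]@{
        Zone                    = $Zone
        Hive                    = $Hive
        SecurityLevelHex        = ('0x{0:X}' -f $level)
        IsHigh                  = ($level -eq $HighLevel)
        ActiveXDisabled         = ($runActiveX -eq $Disabled)
        ActiveScriptingDisabled = ($activeScript -eq $Disabled)
        Mitigated               = ($runActiveX -eq $Disabled -and $activeScript -eq $Disabled)
    }
}

function Test-EmetInstalled {
    # Assumption of this example: EMET's uninstall entry has a DisplayName starting with "EMET".
    $uninstall = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $found = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'EMET*' }
    return [bool]$found
}

function Test-FlashActiveXRegistered {
    # The Flash Player ActiveX control registers the ProgID ShockwaveFlash.ShockwaveFlash.
    # Registered is not the same as enabled in IE's add-on manager.
    return (Test-Path 'Registry::HKEY_CLASSES_ROOT\ShockwaveFlash.ShockwaveFlash')
}

function Add-IETrustedSite {
    param(
        [Parameter(Mandatory)] [string] $Domain,               # e.g. 'intranet.example.com' (constructed sample)
        [ValidateSet('http', 'https')] [string] $Scheme = 'https'
    )
    $key = Join-Path $ZoneMapPath $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # A DWORD named after the scheme, holding the zone number; 2 = Trusted sites.
    New-ItemProperty -Path $key -Name $Scheme -Value 2 -PropertyType DWord -Force | Out-Null
}

# Usage: audit the current user's Internet zone and the supporting mitigations.
$status = Get-IEZoneMitigationStatus -Zone 3
$status | Format-List
"EMET installed:           $(Test-EmetInstalled)"
"Flash ActiveX registered: $(Test-FlashActiveXRegistered)"
if (-not $status.Mitigated) {
    Write-Warning 'Internet zone still allows ActiveX or Active scripting; set the zone to High.'
}
# Add-IETrustedSite -Domain 'intranet.example.com'   # only for a site you have confirmed is safe
```

Run it as the user whose browser profile is in question, since the per-user values live under HKCU; if the zone is locked by group policy, pass `-Hive HKLM` to read the policy-enforced copy instead. A zone that reports `IsHigh` as false but `Mitigated` as true has had the two relevant settings disabled individually, which is enough for the mitigation the advisory describes.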

According to Ross Barrett, a security engineer at Rapid7, the known exploit relies on Adobe Flash. “Disabling or removing flash will block the known exploit, but does not address the root cause issue in Internet Explorer,” he says in a blog post.

He notes that this is the first major issue to hit Windows XP since Microsoft stopped supporting the operating system April 8. The Microsoft security advisory doesn’t mention XP as an affected system since the company no longer provides security updates for it.

There are some mitigating factors surrounding the vulnerability, Microsoft says, including some default configurations that may lessen the threat it poses. Microsoft says:

By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.

By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.

An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker's website.


Best Microsoft MCTS Certification, Microsoft MCP Training at certkingdom.com

Monday 14 April 2014

Fifteen Top-Paying Certifications for 2014

It's always a good idea to take stock of your skills, your pay, and your certifications. To that end, John Hales, Global Knowledge VMware instructor, has outlined 15 of the top-paying certifications for 2014. With each certification, you'll find the average (mean) salary and a brief description.

Based on the 2014 IT Skills and Salary Survey conducted by Global Knowledge and Penton and completed in October 2013, the rankings below are derived from certifications that received the minimum number of responses to be statistically relevant. Certain certifications pay more but are not represented due to their exclusive nature. Examples include Cisco Certified Internetworking Expert (CCIE) and VMware Certified Design Expert (VCDX). This was a nationwide survey, and variations exist based on where you work, years of experience, and company type (government, nonprofit, etc.).

Certified in Risk and Information Systems Control (CRISC) - $118,253
The non-profit group ISACA offers CRISC certification, much in the way that CompTIA manages the A+ and Network+ certifications. Formerly, "ISACA" stood for Information Systems Audit and Control Association, but now they've gone acronym only.

The CRISC certification is designed for IT professionals, project managers, and others whose job it is to identify and manage risks through appropriate information systems (IS) controls, covering the entire lifecycle, from design to implementation to ongoing maintenance. It measures two primary areas: risk and IS controls. Similar to the IS control lifecycle, the risk area spans the gamut from identification and assessment of the scope and likelihood of a particular risk to monitoring for it and responding to it if/when it occurs.

Since CRISC's introduction in 2010, more than 17,000 people worldwide have earned this credential. The demand for people with these skills, and the relatively small supply of those who have them, result in this being the highest salary for any certification on our list this year.

To obtain CRISC certification, you must have at least three years of experience in at least three of the five areas that the certification covers, and you must pass the exam, which is only offered twice a year. This is not a case where you can just take a class and get certified. Achieving CRISC certification requires effort and years of planning.


Certified Information Security Manager (CISM) - $114,844
ISACA also created CISM certification. It's aimed at management more than the IT professional and focuses on security strategy and assessing the systems and policies in place more than it focuses on the person who actually implements those policies using a particular vendor's platform.

More than 23,000 people have been certified since its introduction in 2002, making it a highly sought-after area with a relatively small supply of certified individuals. In addition, the exam is only offered three times a year in one of approximately 240 locations, making taking the exam more of a challenge than many other certification exams. It also requires at least five years of experience in IS, with at least three of those as a security manager. As with CRISC, requirements for CISM certification demand effort and years of planning.

Certified Information Systems Auditor (CISA) - $112,040
The third highest-paying certification is also from ISACA; this one is for IS auditors. CISA certification is ISACA's oldest, dating back to 1978, with more than 106,000 people certified since its inception. CISA certification requires at least five years of experience in IS auditing, control, or security in addition to passing an exam that is only offered three times per year.

The CISA certification is usually obtained by those whose job responsibilities include auditing, monitoring, controlling, and/or assessing IT and/or business systems. It is designed to test the candidate's ability to manage vulnerabilities, ensure compliance with standards, and propose controls, processes, and updates to a company's policies to ensure compliance with accepted IT and business standards.

Six Sigma Green Belt - $109,165
Six Sigma is a process of analyzing defects (anything outside a customer's specifications) in a production (manufacturing) process, with a goal of no more than 3.4 defects per million "opportunities" or chances for a defect to occur. The basic idea is to measure defects, analyze why they occurred, and then fix the issue and repeat. There is a process for improving existing processes and a slightly modified version for new processes or major changes. Motorola pioneered the concept in the mid-1980s, and many companies have since followed their examples to improve quality.

This certification is different from the others in this list, as it is not IT specific. Instead, it is primarily focused on manufacturing and producing better quality products.

There is no organization that owns Six Sigma certification per se, so the specific skills and number of levels of mastery vary depending on which organization or certifying company is used. Still, the entry level is typically Green Belt and the progression is to Black Belt and Master Black Belt. Champions are responsible for Six Sigma projects across the entire organization and report to senior management.

Project Management Professional (PMP®) - $108,525
The PMP certification was created and is administered by the Project Management Institute (PMI®), and it is the most recognized project management certification available. There are more than half a million active PMPs in 193 countries worldwide.

The PMP certification exam tests five areas relating to the lifecycle of a project: initiating, planning, executing, monitoring and controlling, and closing. PMP certification is for running any kind of project, and it is not specialized into sub types, such as manufacturing, construction, or IT.

To become certified, individuals must have 35 hours of PMP-related training along with 7,500 hours of project management experience (if they have less than a bachelor's degree) or 4,500 hours of project management experience with a bachelor's or higher. PMP certification is another that requires years of planning and effort.

Certified Scrum Master - $107,396
Another project management-related certification, Certified Scrum Master is focused on software (application) development.

Scrum is a rugby term; it's a means for restarting a game after a minor rules violation or after the ball is no longer in play (for example, when it goes out of bounds). In software development, Scrum is a project management process that is designed to act in a similar manner for software (application development) projects in which a customer often changes his or her mind during the development process.

In traditional project management, the request to change something impacts the entire project and must be renegotiated – a time-consuming and potentially expensive way to get the changes incorporated. There is also a single project manager.

In Scrum, however, there is not a single project manager. Instead, the team works together to reach the stated goal. The team should be co-located so members may interact frequently, and it should include representatives from all necessary disciplines (developers, product owners, experts in various areas required by the application, etc.).

Where PMP tries to identify everything up front and plan for a way to get the project completed, Scrum takes the approach that the requirements will change during the project lifecycle and that unexpected issues will arise. Rather than holding up the process, Scrum takes the approach that the problem the application is trying to solve will never be completely defined and understood, so team members must do the best they can with the time and budget available and by quickly adapting to change.

So where does the Scrum Master fit in? Also known as a servant-leader, the Scrum Master has two main duties: to protect the team from outside influences that would impede the project (the servant) and to chair the meetings and encourage the team to continually improve (the leader).

Certified Scrum Master certification was created and is managed by the Scrum Alliance and requires the individual to attend a class taught by a certified Scrum trainer and to pass the associated exam.


Citrix Certified Enterprise Engineer (CCEE) - $104,240
The CCEE certification is a legacy certification from Citrix that proves expertise in XenApp 6, XenDesktop 5, and XenServer 6 via the Citrix Certified Administrator (CCA) exams for each, the Citrix Certified Advanced Administrator (CCAA) for XenApp 6, and an engineering (advanced implementation-type) exam around implementing, securing, managing, monitoring, and troubleshooting a complete virtualization solution using Citrix products.

Those certified in this area are encouraged to upgrade their certification to the App and Desktop track instead, which focuses on just XenDesktop, taking one exam to become a Citrix Certified Professional - Apps and Desktops (CCP-AD). At this point though, the CCEE is available as long as the exams are available for the older versions of the products listed.

Citrix Certified Administrator (CCA) for Citrix NetScaler - $103,904
The CCA for NetScaler certification has been discontinued for NetScaler 9, and those with a current certification are encouraged to upgrade to the new Citrix Certified Professional - Networking (CCP-N). In any case, those with this certification have the ability to implement, manage, and optimize NetScaler networking performance, including the ability to support app and desktop solutions. As the Citrix certification program is being overhauled, refer to http://training.citrix.com/cms/index.php/certification/ to view the certifications available, upgrade paths, etc.

Certified Ethical Hacker (CEH) - $103,822
The International Council of E-Commerce Consultants (EC-Council) created and manages CEH certification. It is designed to test the candidate's abilities to prod for holes, weaknesses, and vulnerabilities in a company's network defenses using techniques and methods that hackers employ. The difference between a hacker and a CEH is that a hacker wants to cause damage, steal information, etc., while the CEH wants to fix the deficiencies found. Given the many attacks, the great volume of personal data at risk, and the legal liabilities possible, the need for CEHs is quite high, hence the salaries offered.

ITIL v3 Foundation - $97,682
IT Infrastructure Library (ITIL®) was created by England's government in the 1980s to standardize IT management. It is a set of best practices for aligning the services IT provides with the needs of the organization. It is broad based, covering everything from availability and capacity management to change and incident management, in addition to application and IT operations management.

It is known as a library because it is composed of a set of books. Over the last 30 years, it has become the most widely used framework for IT management in the world. ITIL standards are owned by AXELOS, a joint venture company created by the Cabinet Office on behalf of Her Majesty's Government in the United Kingdom and Capita plc, but they have authorized partners who provide education, training, and certification. The governing body defined the certification tiers, but they leave it to the accredited partners to develop the training and certification around that framework.

The Foundation certification is the entry-level one and provides a broad-based understanding of the IT lifecycle and the concepts and terminology surrounding it. Anyone wishing for higher-level certifications must have this level first, thus people may have higher certifications and still list this certification in the survey, which may skew the salary somewhat.

Citrix Certified Administrator (CCA) for Citrix XenServer - $97,578
The CCA for XenServer certification is available for version 6 and is listed as a legacy certification, but Citrix has yet to announce an upgrade path to their new certification structure. Those with a CCA for Citrix XenServer have the ability to install, configure, administer, maintain, and troubleshoot a XenServer deployment, including Provisioning Services. As the Citrix certification program is being overhauled, refer to http://training.citrix.com/cms/index.php/certification/ to view the certifications available, upgrade paths, etc.

ITIL Expert Certification - $96,194
The ITIL Expert certification builds on ITIL Foundation certification. It is interesting that ITIL Expert pays less on average than ITIL Foundation certification. Again, it’s likely the salary results may be somewhat skewed depending on the certifications actually held and the fact that everyone who is ITIL certified must be at least ITIL Foundation certified.

To become an ITIL Expert, you must pass the ITIL Foundation exam as well as the capstone exam, Managing Across the Lifecycle. Along the way, you will earn intermediate certifications of your choosing in any combination of the lifecycle and capability tracks. You must earn at least 22 credits, of which Foundation accounts for two and the Managing Across the Lifecycle exam counts for five. The other exams count for three each (in the Intermediate Lifecycle track) or four each (in the Intermediate Capability track) and can be earned in any order and combination, though the official guide suggests six recommended options. The guide is available at http://www.itil-officialsite.com/Qualifications/ITILQualificationScheme.aspx by clicking on the English - ITIL Qualification Scheme Brochure link.

Cisco Certified Design Associate (CCDA) - $95,602

Cisco's certification levels are Entry, Associate, Professional, Expert, and Architect. Those who obtain this Associate-level certification are typically network design engineers, technicians, or support technicians. They are expected to design basic campus-type networks and be familiar with routing and switching, security, voice and video, wireless connectivity, and IP (both v4 and v6). They often work as part of a team with those who have higher-level Cisco certifications.

To achieve CCDA certification, you must have earned one of the following: Cisco Certified Entry Networking Technician (CCENT), the lowest-level certification and the foundation for a career in networking; Cisco Certified Network Associate Routing and Switching (CCNA R&S); or any Cisco Certified Internetwork Expert (CCIE), the highest level of certification at Cisco. You must also pass a single exam.

Microsoft Certified Systems Engineer (MCSE) - $95,276
This certification ranked number 14 with an average salary of $95,505 for those who didn't list an associated Windows version and $94,922 for those who listed MCSE on Windows 2003, for the weighted average of $95,276 listed above.

The Microsoft Certified Systems Engineer is an old certification and is no longer attainable. It has been replaced by the Microsoft Certified Solutions Expert (yes, also MCSE). The Engineer certification was valid for Windows NT 3.51 - 2003, and the new Expert certification is for Windows 2012. There is an upgrade path if you are currently an MCSA or MCITP on Windows 2008. There is no direct upgrade path from the old MCSE to the new MCSE.

Citrix Certified Administrator (CCA) for Citrix XenDesktop - $95,094

The CCA for XenDesktop certification is available for versions 4 (in Chinese and Japanese only) and 5 (in many languages including English). Those with a current certification are encouraged to upgrade to the new Citrix Certified Associate - Apps and Desktops (CCA-AD). In any case, those with this certification have the ability to install, administer, and troubleshoot a XenDesktop deployment, including Provisioning Services and the Desktop Delivery Controller as well as XenServer and XenApp. As the Citrix certification program is being overhauled, refer to http://training.citrix.com/cms/index.php/certification/ to view the certifications available, upgrade paths, etc.

Friday 11 April 2014

Microsoft drags customers 'kicking and screaming' into its world of faster updates

Mandates Windows 8.1 Update to receive future patches; evidence of commitment to constant OS refreshes, say experts

Microsoft's demand that Windows 8.1 users install this week's major update was another signal that the company is very serious about forcing customers to adopt its faster release strategy, experts said today.

"Microsoft is going to drag organizations and users into this new world of faster updates kicking and screaming," said Michael Silver of Gartner in an email. "Microsoft wants users to trust it to keep their systems updated. Maybe they figure forcing organizations to deploy [Windows 8.1 Update] will get them used to taking updates and keeping current."

Earlier this week, Microsoft shipped Windows 8.1 Update (8.1U), adding that to obtain future updates, including fixes for vulnerabilities distributed each month on "Patch Tuesday," Windows 8.1 users had to install 8.1U.

"Failure to install this Update will prevent Windows Update from patching your system with any future updates starting with updates released in May 2014," Microsoft said.

May 13 is the first Patch Tuesday that will require 8.1U.

That requirement got the attention of users. And not in a good way.

"What happened to Microsoft's Lifecycle policy with providing customers with a 24-month timeframe before ending support of a superseded operating system RTM/Service Pack?" asked a user identified as "wdeguara" in a comment appended Tuesday to Microsoft's blog-based announcement. "By immediately withdrawing all future security updates for Windows 8.1 RTM, in the eyes of most enterprise customers you are effectively performing an immediate End-of-Life on Windows 8.1 RTM.

"I know that Microsoft wants its customer base to adopt updates to its Windows platform faster, but immediately dropping security patching on the Windows 8.1 RTM release is just plain crazy," wdeguara added.

But to Silver, that is exactly Microsoft's intent.

Others see similar method to Microsoft's madness.

"The reality is that Microsoft is moving the OS toward a more service-oriented model," said Wes Miller, an analyst with Directions on Microsoft, in a Thursday telephone interview. "This reflects the fact that there are shifting sands, that Microsoft is trying to move toward one servicing model for a variety of platforms. They're trying to harmonize Windows Phone and Windows with one servicing model that works for everyone."

From Miller's perspective, Microsoft was striving for a mobile-style model for Windows that would not only rely on more frequent updates, but one with a goal of getting the bulk of users onto each new this-is-current update or version.

Other Microsoft customers joined wdeguara to criticize the forced migration, which had not been announced prior to Tuesday and which they saw as a betrayal of the 24-month rule that has given them two years from the launch of a service pack to upgrade from the original, called "RTM" in Microsoft-speak to reference "release to manufacturing."

"This is a massive shift from a patching perspective," said Julian Harper, an IT manager, in one of several messages posted to the Patchmanagement.org mailing list on the topic. "For years, we've had [two] years to plan service pack roll outs and now we're given one month. And this is on top of the fiasco that was Windows 8.1 for volume license customers."

Previously, Microsoft had said that the 24-month rule for Windows, once reserved for service packs, would apply to Windows 8 and its successors, including Windows 8.1 of October 2013, even though the latter was not labeled as a "service pack." Customers on Windows 8 RTM, which shipped in October 2012, would have until Jan. 12, 2016 to migrate to Windows 8.1. After that date, Windows 8 RTM will not be eligible for security updates and other fixes and enhancements.

"Microsoft has the most generous and transparent support policies, but everything depends on what they call the new code," said Silver. "A 'service pack' has a support policy. A 'version' has a support policy. Something with a different name, well, Microsoft can do what it wants."

Miller wasn't shocked at the complaints from enterprise IT personnel, like Harper. "It bothered me, too," Miller said. "The support lifecycle page doesn't reflect this, and it absolutely should," he continued, referring to Microsoft's support timetable for Windows 8 and Windows 8.1. "Customers need to be able to keep track of what they have to do for support."

Andrew Storms, director of DevOps at CloudPassage, a San Francisco-based cloud security firm, acknowledged the historic nature of the Windows 8.1 Update's deployment requirement.

"What was surprising to me was that there was no prior notification from Microsoft," Storms said. "But what was not so surprising was that they made this decision. The number of SKUs that they support is getting out of hand. Microsoft can only support so many products. At some point, they just have to cut it."

Storms sympathized with corporate IT administrators nervous about the rapid release pace.

"Given the environment they're in, the complaints were well justified," Storms said. Traditionally, that has been an environment where companies downloaded an update, tested it for weeks or even months, then slowly deployed it to devices.

"That's an ongoing process that's constantly in motion," said Storms of the practice. "But we know everyone needs to move to [a process] where you have to take the updates as they are. So this really calls for a new way of thinking. IT must rethink the environment that they're in."

In other words, enterprises may not like Microsoft mandating 8.1U but they'll have to learn to live with not only that, but future demands, too. "If the [software vendors] are moving faster than you can keep up with using the traditional methodology, you're going to have to just take [the updates]," Storms said.

Microsoft did not reply to questions, including why it mandated 8.1U and whether it believed the requirement is a change of its 24-month rule.

