Sunday, 29 June 2014

Network World's 2014 State of the Network survey

Aligning IT with the business has been a top priority of IT organizations for the past few years, but that is changing, according to the latest State of the Network Survey. IT has apparently made enough headway on the alignment issue that other priorities are coming to the fore. The No. 1 business objective of the 282 IT respondents is decreasing operational costs, while the top technology objective is lowering IT operational costs through server consolidation and overall IT simplification. Continue for more survey results.

When asked about the benefits of SDN, network flexibility is by far the most anticipated benefit, followed by simplified network operation and management. Reducing CAPEX and OPEX are far down on the list, which means IT might have a hard time convincing the CEO and CFO to take the plunge into the world of SDN if there’s no clear financial benefit.

So, where are people deploying SDN? According to our survey, the most popular place for SDN pilot projects is the data center (14%), followed by enterprise/WAN (10%). And a few brave souls (6%) are tackling both. But a full 50% of respondents are still sitting on the sidelines.

The data center is expected to be the biggest beneficiary of SDN technology, according to respondents, followed by enterprise/WAN. Only 10% of respondents plan to take on SDN deployments in both the data center and throughout the enterprise/WAN. And a full 33% of respondents said that SDN is not on their radar at all.

When it comes to thought leadership in the emerging field of SDN, a full 52% of respondents said they weren’t sure, which means there’s plenty of opportunity for an established vendor or an upstart newcomer to grab the attention of enterprise IT buyers. In the meantime, the usual suspects are at the top of the list, with Cisco at 22%, Juniper at 12%, HP at 11% and Nicira/VMware with a combined 14%.

When it comes to security-related challenges, IT execs are clearly facing a number of new problems, with advanced persistent threats high on the list, followed by mobile/BYOD and cloud security. But surprisingly the No. 1 challenge was end users. Respondents said getting awareness and cooperation from end users was their biggest headache.

Productivity-related challenges fell into the very traditional categories, with money being far and away the top impediment to increased IT productivity, according to respondents. Traditional concerns like security, privacy and finding the right talent were at the top of the list. At the bottom of the list are two seemingly hot technologies – video and social media. But it seems that enterprise IT has bigger fish to fry.

Protecting the network/data center against data breaches and data leaks is Job One, according to respondents. Traditional IT metrics like uptime and optimizing end-to-end performance were high on the list. Interestingly, respondents put cloud-related projects lower down on their priority lists.

Bad news for Satya Nadella: Nearly half of respondents say a migration to Windows 8 isn’t even on their radar. Only 7% of enterprise IT respondents have migrated to Microsoft’s latest OS, while only 10% are in the pilot stage.

Cloud services are certainly gaining in popularity, but among our respondents, enthusiasm for Infrastructure-as-a-Service is pretty tepid. Only 15% of respondents are using IaaS, with another 7% piloting and 10% researching. However, 45% of respondents don’t have IaaS on their radar.

IT execs in our survey are making good progress when it comes to implementing a BYOD policy. Already, 18% have rolled out a BYOD policy, with another 18% in the pilot stage. Only 30% of respondents are ignoring the need for a formal BYOD policy.

Our respondents were gung-ho when it comes to server consolidation: a full 44% have already implemented this cost saving measure, while 9% were in the pilot stage, 14% were researching and another 13% had server consolidation on their radar.

The move toward flattening the data center – moving from a traditional three-tier, spanning-tree architecture to something more streamlined and efficient – appears to be going strong. Eighteen percent of respondents have already achieved some level of data center network flattening, while 17% are in the research phase and 9% are actively piloting.

WAN optimization is a proven money saver for enterprise IT. And adoption of this technology appears to be on the rise, with 16% of respondents having achieved some level of WAN optimization, another 18% in the pilot phase and 17% researching the technology.


Monday, 16 June 2014

Three best practices for reducing the risk of SQL injection attacks

This column is available in a weekly newsletter called IT Best Practices.

SQL injection attacks have been around for more than 10 years. Database security experts know they are a serious problem. Now a recently unsealed Second Superseding Indictment against a notorious group of Russian and Ukrainian hackers shows just how damaging this type of attack can be.

The indictment provides a long list of companies that have suffered costly data breaches where the root cause has proven to be a SQL injection. According to the indictment:

Beginning on or around Dec. 26, 2007, Heartland Payment Systems was the victim of a SQL injection attack that resulted in malware being placed on its payment processing system and the theft of more than 130 million card numbers and losses of approximately $200 million.
In or about early November 2007, a related company of Hannaford Brothers Co. was the victim of a SQL injection attack that resulted in the later placement of malware on Hannaford's network and the theft of approximately 4.2 million card numbers.
Between January 2011 and March 2012, Global Payment Systems was the victim of SQL injection attacks that resulted in malware being placed on its payment processing system, the theft of more than 950,000 card numbers, and losses of approximately $92.7 million.
In or around May 2007, NASDAQ was the victim of a SQL injection attack that resulted in the placement of malware on its network and the theft of login credentials.

I think you are beginning to see the pattern here. Other companies cited in this indictment as victims of attacks include 7-Eleven, JC Penney, Carrefour S.A., Wet Seal, Commidea, Dexia Bank Belgium, JetBlue Airways, Dow Jones, Euronet, Visa Jordan Card Services, Diners Club International, Ingenicard US and an unnamed bank.

The indictment goes on to say that “conservatively, the defendants and their co-conspirators unlawfully acquired over 160 million card numbers through their hacking activities. As a result of this conduct, financial institutions, credit card companies, and consumers suffered hundreds of millions in losses, including losses in excess of $300 million by just three of the corporate victims, and immeasurable losses to the identity theft victims due to the costs associated with stolen identities and fraudulent charges.”

These particular breaches occurred in 2007. Think how many additional breaches, large and small, have occurred since then.

I think it will come to light that the recent Target, Neiman Marcus and Michaels breaches also might stem from SQL injection attacks of some sort. Though it hasn’t been made public, security experts are already saying that the Target breach used SQL injection to install malware on the point-of-sale systems where the attackers were then able to collect the card numbers out of memory. Many people don’t realize that SQL can be bidirectional. It can be used to drain the database but it also can be used to modify and upload to a database. An attacker can use SQL injection to upload the malware into the database system and then have that system send out the malware to all the POS endpoints.

The weakness of Structured Query Language is architectural: a query is just text, so when untrusted input is spliced into that text the database can be fooled into interpreting data as an instruction. On the other hand, there is a lot of capability in SQL that makes it attractive to developers, especially for web applications.
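The following is an added illustration, not code from the column or from DB Networks, of exactly that data-becomes-instruction problem: the same login lookup built by pasting input into the query text, and beside it the parameterized form that keeps the statement fixed. The in-memory SQLite table and its single user row are constructed for the demo.

```python
import sqlite3


def setup_db():
    # Constructed in-memory user table standing in for an application's user store.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return conn


def login_vulnerable(conn, name, pw):
    # The input is pasted into the statement text, so the database parses
    # whatever the user typed as part of the instruction, not as a value.
    sql = "SELECT name FROM users WHERE name = '%s' AND pw = '%s'" % (name, pw)
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn, name, pw):
    # Placeholders keep the statement fixed; the values are bound as data
    # and cannot change the query's structure no matter what they contain.
    sql = "SELECT name FROM users WHERE name = ? AND pw = ?"
    return [row[0] for row in conn.execute(sql, (name, pw))]


if __name__ == "__main__":
    db = setup_db()
    bad_pw = "' OR '1'='1"  # a password that is really a fragment of SQL
    print(login_vulnerable(db, "alice", bad_pw))     # ['alice'] despite the wrong password
    print(login_parameterized(db, "alice", bad_pw))  # [] - the fragment is compared as a literal
```

With the concatenated version the password field rewrites the WHERE clause; with the bound version the same string is merely a password that does not match.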

Since the consequences of SQL injection attacks can be so damaging, I asked Michael Sabo of DB Networks about best practices that companies can follow in order to reduce their risk of this threat. Sabo says there’s no silver bullet, but he does have some advice.

“Often you will hear, ‘if you just do this, or just do that, the problem will go away’,” says Sabo. “But it’s not that simple. Any individual countermeasure can go a long way but it is not going to close the threat. It doesn’t work that way.”

He says that one popular countermeasure that is promoted by the Open Web Application Security Project (OWASP) is to write perfect code. “Even if I write perfect application code, I can still be vulnerable because the vulnerabilities come in through third-party software that I had nothing to do with,” says Sabo. “Look at Ruby on Rails. Who knew that the underlying framework was vulnerable? It affected 250,000 websites with a SQL injection vulnerability because those developers built their websites on top of the vulnerable framework.”

Sabo says there are instances in which vulnerabilities have been found in the relational database management system itself. “Oracle has had SQL injection vulnerabilities in the RDBMS itself, so regardless of how well I write my application code, I can still be vulnerable,” he says.

Short of having perfect code, there are three critical things companies can do to reduce the risk of experiencing a SQL injection attack.

The first is to conduct an inventory of what you have as far as databases go, and understand their connections to applications. “Many companies are completely unaware of some of the databases in their environment,” says Sabo. “And even if they know about all their databases, often what happens is the database is being exposed on network segments that it’s not supposed to be exposed on. This is not a database problem per se, but a networking problem.”

For example, Sabo says a company might bring up a database in a test environment and then forget to close it down at the end of testing. Often that database might have default passwords, and sometimes it has real data. Developers do this sort of thing because they want to stress test the application and they use real rather than fake data because they think no one will ever see it.

Then there is the mapping issue. What applications are mapped to the database, and are they the correct ones? “Maybe for a test, a production database was connected up to a test database for a short while and then the connection was left by accident. Or a production database is mapped to an application that was retired, or that no one knows about. These things happen,” says Sabo. “So our first best practice is to provide visibility and an inventory into what databases you have and what they are mapped to.”

The next step is to continuously monitor what is going on between your application and the database. This is actually a recommendation from NIST. You will want to know if there is any rogue traffic going on there. This is where you look for SQL injections because you see the real SQL going across. There are tools that continuously monitor this traffic and detect if there is an unauthorized attempt at modifying data or getting data out.
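One way a monitoring tool can spot rogue SQL on the wire, shown here as an added example rather than any vendor's product: learn the statement shapes the application legitimately issues, then flag captured statements whose shape differs. Literals are replaced with placeholders so that changed values are ignored while changed structure (an extra OR, a UNION) stands out. The captured statements and the baseline are constructed for the demo.

```python
import re

# Constructed sample of statements as a database proxy or audit log might capture them.
CAPTURED = [
    "SELECT id, total FROM orders WHERE customer_id = 1042",
    "SELECT id, total FROM orders WHERE customer_id = 77",
    "UPDATE carts SET qty = 3 WHERE cart_id = 'c-19'",
    "SELECT id, total FROM orders WHERE customer_id = 1 OR 1=1",
    "SELECT id, total FROM orders WHERE customer_id = 5 UNION SELECT name, pw FROM users",
]

# Statement shapes the application is known to issue, learned from a clean baseline period.
KNOWN_SHAPES = {
    "SELECT id, total FROM orders WHERE customer_id = ?",
    "UPDATE carts SET qty = ? WHERE cart_id = ?",
}


def normalize(sql):
    """Replace string and numeric literals with '?' so only the statement's
    structure remains; an injection changes the structure, not just the values."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)   # quoted strings, including '' escapes
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)  # integer and decimal literals
    return re.sub(r"\s+", " ", s).strip()     # collapse whitespace differences


def find_rogue(statements, known):
    """Return the captured statements whose normalized shape is not in the baseline."""
    return [sql for sql in statements if normalize(sql) not in known]


if __name__ == "__main__":
    for sql in find_rogue(CAPTURED, KNOWN_SHAPES):
        print("ROGUE:", sql)
```

The two flagged statements differ from the baseline only in structure, which is what a SQL injection necessarily changes; value-only differences (a different customer id) pass silently.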

And finally, the last best practice is to protect the database network with data loss prevention tools. “If you start to see credit card information coming out over the network and you know it shouldn’t be coming out that way, you know there is a problem,” says Sabo.

If your organization has some serious data to protect, and you know how common SQL injection attacks are, then it may benefit you to put these recommendations into practice.
