Protect Your Mobile Workforce from Firesheep

One of the hottest discussion topics in networking circles recently has been Firesheep, an extension to the Mozilla Firefox web browser. Firesheep allows a hacker to access someone else’s browsing session when they are sharing the same Internet connection.  The shared public wireless network at your local coffee shop, for example, provides an amateur hacker this opportunity.  At this point, Firesheep has been downloaded more than 598,000 times.

Firesheep works by hijacking the unencrypted cookie that is often sent by a website to the user’s computer after a successful login. The cookie is stored on the user’s computer, and is used to facilitate authentication, store site preferences, and track shopping cart contents, among other uses. With the hijacked cookie, a hacker can masquerade as the victim, taking actions as that user on the site, and potentially revealing confidential data (e.g., who all your ‘friends’ are).
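The exposure described above can be checked from the site operator's side. The following is an added example, not code from the original post or from Firesheep: it audits the cookies a site sets after login and reports the session cookies a listener on a shared network could read. The host names, cookie values, and the `SESSION_HINTS` name list are constructed assumptions, and the check on the cookie `Secure` attribute goes beyond the VPN countermeasure this post discusses.

```python
"""Added example: find login cookies that would cross an open network in cleartext."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample data: Set-Cookie headers three hypothetical sites return after login.
SAMPLE_RESPONSES = [
    {"url": "http://social.example/login",
     "set_cookie": ["session_id=9f2c1a; Path=/; HttpOnly"]},
    {"url": "https://shop.example/login",
     "set_cookie": ["auth=77aa01; Path=/; Secure; HttpOnly", "cart=3; Path=/"]},
    {"url": "https://mail.example/login",
     "set_cookie": ["sid=c0ffee; Path=/; HttpOnly"]},
]

# Assumption: substrings that mark a cookie as carrying the authenticated session.
SESSION_HINTS = ("sess", "sid", "auth", "token")


@dataclass(frozen=True)
class Finding:
    host: str
    cookie: str
    reason: str


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, set of lower-cased attribute names)."""
    first, *rest = header.split(";")
    name = first.split("=", 1)[0].strip()
    attrs = {part.split("=", 1)[0].strip().lower() for part in rest if part.strip()}
    return name, attrs


def is_session_cookie(name):
    """True when the cookie name looks like it carries the login session."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_HINTS)


def audit(responses):
    """Return a Finding for every session cookie a passive listener could read."""
    findings = []
    for resp in responses:
        url = urlsplit(resp["url"])
        for header in resp["set_cookie"]:
            name, attrs = parse_set_cookie(header)
            if not is_session_cookie(name):
                continue  # preference and cart cookies are out of scope here
            if url.scheme != "https":
                # The login response itself is unencrypted, so the cookie is too.
                reason = "set over plain HTTP"
            elif "secure" not in attrs:
                # Set over HTTPS, but the browser will still attach it to
                # any later http:// request to the same host.
                reason = "no Secure attribute, sent on later http:// requests"
            else:
                continue
            findings.append(Finding(url.hostname, name, reason))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RESPONSES):
        print(f"{f.host}: cookie '{f.cookie}' exposed ({f.reason})")
```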

To understand the impact of Firesheep when it’s in action, read this excellent article, “The Firesheep don’t even look up.”

Although Firesheep has some alarming implications for your network and IT security, a strong countermeasure is available: using a virtual private network (VPN) service, as recommended in “Five Ways to Shear Firesheep,” an article from ZDNet.

SSL VPNs are a great way to ensure that a conversation between two parties is not subject to eavesdropping by a 3rd party, such as a hacker. By utilizing a VPN service that is built using secure sockets layer (SSL) technology, the security of the data of your mobile and remote network users is greatly increased. The MegaPath Managed SSL VPN service encrypts all of a user’s web session using the Triple Data Encryption Standard (3DES), while also allowing for user-based policy enforcement and custom access control policies.

This means your mobile employees can use MegaPath’s clientless managed VPN service to safely log in to your corporate network from anywhere, on any device—even when using an open WiFi network at a coffee shop.

Have your users encountered Firesheep? What measures are you taking to protect remote network access?  Are you considering the security of your confidential business data when performing a cost/benefit analysis of using a managed security service?

Posted on the MegaPath Connectivity Blog as “Protecting Your Mobile Workforce from Sheep (Firesheep, that is)”

Ethernet in the First Mile

A true Business Ethernet service uses traditional copper wiring to deliver the bandwidth (up to 20 Mbps), service-level agreements (SLAs), and features that are needed for today’s demanding applications–including video and voice.

Take another look at Business Ethernet for applications such as these:

  • Large enterprises: Gain connectivity options for satellite offices and provide alternative access for business continuity.
  • Retail and quick-service restaurants: Run many applications simultaneously, including point-of-sale, video monitoring, and supply chain systems. Improve response times for transactional data.
  • Government, healthcare, education: Support high-bandwidth applications like video conferencing, telemedicine, and e-learning.
  • Small and midsize businesses: Transfer multimedia content and large data files between locations and remote workers.
  • Any organization: Create virtual private networks (VPNs) to extend applications to remote employees, customers, and business partners over the Internet. Support voice over IP (VoIP) for economical voice communications.

As these examples show, a business-class Ethernet service delivers the capacity and flexibility needed for many types of business communications. And when you choose a managed services solution from a provider like MegaPath, Ethernet becomes an even more valuable networking option for your business.

How is your organization using Ethernet services?

Posted on  the MegaPath Connectivity Blog as “Take Another Look At Ethernet”.

Time to Step Up your Security Practices

The United States Secret Service, working in collaboration with Verizon, recently released a report [PDF] investigating cybercrimes which reveals that data breaches of electronic records last year involved external agents 70% of the time, insider agents 48% of the time, that 11% of the events implicated business partners, and that 27% involved multiple parties.  The good news was that the overall number of data breaches was down from the previous year.  While we are making progress, this report should serve as a call to all businesses to step up their security practices, as the report shows that organized crime was responsible for 85% of all of the data stolen last year, and they are not going to simply give up and go away.

An important step that any business conducting electronic transactions needs to take is to make sure they are PCI DSS compliant. Recently MegaPath took the step to become a PCI Security Standards Council Participating Organization, so that we are in a better position to be able to assist our customers with meeting the core elements of the standard. Step one is to Build and Maintain a Secure Network so that your business can Protect Cardholder Data. Your business also needs to Maintain a Vulnerability Management Program and Implement Strong Access Control Measures. Regularly Monitoring and Testing Networks is an important part of the continuous security process, and Maintaining an Information Security Policy is a best practice your business needs to implement to achieve its security goals.

PCI DSS 2.0 is nearing release, which also makes this an important time to review your current practices. Computerworld has an article talking about what is included in the new standard, as well as what is not, and InformationWeek has a recent blog post with some ideas on how you can maintain compliance while keeping costs in control.

As always, MegaPath is ready to secure your network with our Managed Security Solutions.  As a PCI Compliant Network, and a Participating Member of the PCI Security Standards Council, we continue to be in a leading position to help your business achieve compliance. In addition, the MegaPath Payment Processor Extranet service is ready and able to provide quick, reliable connectivity to top credit, debit, gift and private label card payment and check payment processors through our fully redundant network connections.  And as always, our NOC offers proactive 24×7 monitoring and support on these services, so you can have the peace of mind from knowing experts are managing your security and communications, allowing you to focus on your business.

Posted on  the MegaPath Connectivity Blog as “Now is the Time to Step Up your Security Practices”.

Be Ready for PCI Changes Coming July 1

Just a friendly reminder to those who process credit card transactions that July 1 is a key date, in terms of security compliance.  On this date all North American merchants who process transactions must be making use of Payment Application Data Security Standard (PA-DSS) verified  payment applications, in support of the Payment Card Industry Data Security Standard (PCI DSS).  A payment application is anything that processes a credit card transaction.  For example, the machine that swipes a credit card in a gas pump and the point of sale (POS) device at a convenience store counter are both considered payment applications, and need to be certified.  Failure to use verified devices could result in penalties.

Also, as this post over at NetworkWorld points out, all PCI DSS compliant businesses that are processing credit cards need to make sure that none of their Wi-Fi networks are using WEP (Wired Equivalent Privacy) to secure their access points after June 30, 2010. Current access points offer WPA or WPA2 (Wi-Fi Protected Access) as a security protocol; however, if you have older access points in your network, you need to make sure they are not using the deprecated WEP protocol, as it is not secure. Leaving such access points in place would jeopardize the PCI DSS standing of a merchant.

One last bit of PCI DSS news this month concerns the cycle at which updates to the PCI DSS standard will be published by the PCI Security Standards Council. It was announced earlier this week that it will move to a three-year cycle when updating the technical standards for protecting payment card information. This new schedule will give merchants more time to adopt the changes, which has been a common request.

If you have questions about how to make sure your network is up to the task of providing compliant data security measures to safeguard your business and protect customer data, give us a call.  We’re ready to assist you with PCI DSS issues, and connect you to our PCI DSS approved payment processor extranet, which will ensure your business is using a secure network that is ready to protect the transactions your business relies on.

Posted on the MegaPath Connectivity Blog.

Picking A Partner: 6 Criteria For Selecting An MSP: Part 3

In the previous post in this series, I wrote about 2 more of the 6 areas you should give consideration to when choosing a Managed Services Provider (MSP). I went over some questions to ask your potential partner when looking at the MSP’s professional staff and their certifications, as well as what you might take into consideration when looking at the partnerships the MSP has within the industry. Whether you are an enterprise IT manager or a business owner you need to consider what level of best practices and professional development your potential partner is committed to, as you want to make sure your MSP is as dedicated to what they do as you are to running your business. We also discussed Service Level Agreements, and how important they are, since you want to be sure that your MSP is ready to stand behind what they promise. In this third and final post in this series I am going to go over the last two criteria you should keep in mind, which focus on the operational capabilities of the MSP.

5. Network Operations

You are going to be relying on your MSP to keep you connected to your customers, partners and employees. You need to make sure that the MSP is providing 24-7-365 operational support on all of the managed services. Does the MSP provide such support? Do they do so from redundant, physically separate locations? Is their Network Operations Center (NOC) staffed with certified professionals? Does the MSP proactively monitor data, voice and security services from the NOC? Do they offer tools and portals so that you can directly monitor your managed services? Will you be automatically alerted if there are any events that affect your service? Is your MSP using advanced Network Management Systems (NMS) and Operational Support Systems (OSS) in the NOC?

6. Security Operations

Security operations are critical to the success of any business in the current environment. You need to be sure that the MSP you select is capable of preventing security issues from interfering with your business, and that they can keep your data and ongoing communications secure. Does your MSP operate a Security Operations Center (SOC)? Does the MSP offer a turnkey Managed Security Service (MSS) that takes a comprehensive multi-layer approach? Does the MSP offer security alerting, logging, and reporting? Do they provide visibility into security operations via a web based customer portal?

It is my hope that you will take these six criteria in hand when evaluating which Managed Services Provider you will entrust with your business communication needs. We have put together a whitepaper entitled How to Choose a Managed Network Services Provider (PDF) that we hope you find useful as you make your evaluation.

Posted on the MegaPath Connectivity Blog.

Picking A Partner: 6 Criteria For Selecting An MSP: Part 2

Last week, in part 1 of this series, I wrote about 2 of the 6 areas you should give consideration to when choosing a Managed Services Provider (MSP).  I went over how a business owner or enterprise IT manager should look at the service offerings that their potential MSP brings to the table, and discussed what to look for in the potential partner’s network infrastructure and capabilities.  As someone who owns and operates your own business, and is an expert in your field, you really need to make sure your partner is an expert in what they do as well, and makes use of industry best practices.  If you are  a decision maker on technology matters for your enterprise business, this also holds true, as you want to be sure your MSP is in a position to offer a robust and complete service with a high level of quality.  This week, I am going over two more criteria you should have in mind as you make your evaluation.

3. Certifications and Partnerships

The partner you pick is going to provide a vital service to your business operation. You want to be sure that the MSP’s staff, as well as their partners, are ready and up to the task. Does the MSP encourage the professional development of their staff? Does the MSP have industry certified experts who are able to leverage the latest technological advancements? Does the MSP work with major equipment vendors that have proven themselves in the marketplace? Does the MSP execute proven industry best practices? Can they provide for you a list of team members who hold professional and industry certification from groups like ITIL, CompTIA, (ISC)² and PMI, as well as from vendors such as Cisco, Juniper, Microsoft, SonicWall/Aventail and IBM?

4. Service Level Agreements

You need to make sure that you can rely on the data, security and voice services your MSP is going to provide. The best way to do this is to see what your partner will put into writing regarding service level assurances (SLAs). Does the MSP publish SLA info on their website? Are the SLAs included in your contract? Does the SLA provide a remedy if the level of service is not met? Does the MSP offer specific SLAs for specific products and services? Are you eligible to receive credits in the event of a service outage?

There are two other criteria that I am going to cover next week in the third and final part of this series. Be sure to check back, so that you have the complete list as you evaluate your potential partner.

Posted on the MegaPath Connectivity Blog.

Picking A Partner: 6 Criteria For Selecting An MSP: Part 1

Business today is more competitive than ever, and you’ve made the decision to implement managed services to meet the challenges of the marketplace. You’ve identified that you need to lower operating costs, and help your bottom line. You know that at the same time you need access to leading technology platforms so that your business can stay in constant contact with your customers, partners and employees. You need to increase the level of support you are receiving on your network, but you are not looking to add more staff. In fact, what you need to do is make the IT budget within your business very predictable. You also need to be able to adapt to changing market conditions, so that when your business takes off, you will be able to scale your voice and data capabilities, all while keeping sensitive data safe and secure. You know that if you are free to focus on the core business, and don’t need to worry about running a next generation communications platform, you will have the ability to execute and accelerate growth. The only question remaining is: How do you choose a managed services provider (MSP)?

When it comes to such an important decision, it is a good idea to have some criteria in mind, so that you can compare and evaluate the options available to you.  In part 1 of this post, I am going to cover 2 of the 6 selection criteria that you should consider when picking a strategic outsourcing partner for your business.  You are serious about your business, and you need to know that the partner is, too.   You need to make the correct choice, and pick a partner who will work with you and help you increase your profitability.   

1. Service Offerings

Whether you are running a small business, or a larger enterprise, you need to make sure that the services you need are available from the MSP you choose to work with.  Does the MSP provide a full spectrum of access technologies, from DSL, Cable and Wireless to DS3, Ethernet and Satellite?  Does the MSP provide voice solutions that support your current phone system or PBX? Does the MSP offer a hosted voice solution that is fully managed, and scales to meet your needs? Does the MSP offer managed security services and virtual private networks that can interconnect your multi-site business?  Do they offer project management services to ensure peace of mind during implementation? Can they install, support and manage any required equipment? 

2. Network Coverage and Capabilities

Your business needs to stay in touch with customers, partners and employees no matter where they are located, and no matter what device they are using to communicate with.  You need to make sure that the network your MSP is operating is up to the task.  Does the MSP have a national footprint that is able to provide the coverage you need?  Does the network have Points of Presence in multiple locations, so that you are never far from the core of the network?  Does the MSP provide robust interconnectedness to the Internet?  Can the network integrate your voice and data traffic, saving you money? Does the MSP offer multiple classes of services that are capable of making sure your calls always get through?  Is the core network using next generation optical technologies to ensure the fastest delivery of your communications? 

In part 2 of this post, I will provide 2 more selection criteria you can use when choosing the right partner for your business. I will discuss the last two in part 3. Taken together, you will be able to evaluate the capabilities of your potential partner, and make the best decision for your business.

Posted on the MegaPath Connectivity Blog.

Cisco Partner Summit: Networks Without Borders

 MegaPath is a Master Cisco Managed Services Channel Partner, and so we were invited to Cisco Partner Summit again this year. The event was in San Francisco, and gave us a chance to get together with one of our important technology partners and get their view of the networked economy. Last year, during the Executive Exchange, I had a chance to participate in a small, informal discussion with Cisco CTO Padmasree Warrior. This year, I got a chance to join the Executive Exchange with SVP Keith Goodwin, who came up with the theme of the summit, which was “Write the Rules. Own the Game.” Goodwin said this message spoke to the opportunity for partners to take advantage of significant market transitions. It was meant to be a bold statement, about how Cisco’s partners can help their customer face transitions in business, and write new rules for success, which will allow them to own the game by competing under these new rules. The overall message that Cisco had at Partner Summit was very clear: Managed Services are going to continue to be one of the largest drivers of the networked economy, and Cisco is going to continue to focus on these market transitions by aligning their architectures around them.

Brian Billick was a surprise guest speaker at the event, and gave some very good insights into leadership that can be applied to any business situation, as well as to football. Martin De Beer told us that video was the future, and predicted that by 2013 90% of all IP traffic would be video; apparently, 60% of all traffic on Cisco’s internal network is already video. It was also pointed out how the generation entering the workplace now is used to making use of real-time video communication and collaboration tools, as well as social media, and that they will expect to find these same tools in the workplace. Certainly, Quality of Service (QoS) and MPLS are key capabilities which enable video to move across networks, and will be required to successfully scale to meet this demand.

Noted author and speaker Jason Jennings also gave a great talk, before CEO John Chambers took the stage for his closing keynote. The VAR Guy has a nice write up on his blog of the presentation, which covered what Jennings said were the 5 rules for long term business success. One thing Jennings said was that “[a company’s] culture is the ultimate competitive advantage”, and I found this encouraging.

Chambers was upbeat, saying that the recent challenges to our economy had provided a unique opportunity, and that Cisco’s partners had done very well with the opportunity. He went on to say that by focusing on collaboration and cloud based services, we were ready to see continued business acceleration. He then gave a demonstration of the collaborative capabilities of the latest Cisco products, and showed how they allowed increased efficiencies in the workplace, while making better use of limited resources.

So, of course, Cisco continues to stress the importance of Borderless Networks. These are business platforms that allow your customers, partners and employees to connect with each other, at any time, on any device, no matter where they are located. By taking advantage of access technologies such as Broadband Connectivity, Business Ethernet, Premium T1, and Wireless Broadband, and combining them with services such as Managed Security, Hosted VOIP and Managed SSL VPNs, these networks without borders can accelerate the growth of your business, regardless of size, by allowing you to make decisions faster, respond to customer needs quicker, and increase your ability to adapt to an ever-evolving business environment.

Posted on the MegaPath Connectivity Blog.

Credit Card Security Is Serious Business

 Yesterday Janet Wong published an article on our blog about how a lack of security compliance can be costly to your business. Fewer than 24 hours later, VentureBeat reported how a certain Google search revealed the credit card numbers of some Blippy users. (Blippy is a social shopping site that describes itself as ‘a fun and easy way to see and discuss what everyone is buying’). The most recent post I’ve seen on VentureBeat asks if this incident will damage their business.

Philip Kaplan, one of the cofounders of Blippy (who some may remember as Pud at F——dcompany.com), has posted his response to the situation on Blippy’s blog. Blippy reports they worked with Google to remove the search results in about 2 hours time. It is also interesting to note that Blippy includes a special section entitled ‘Security’ on their Privacy Policy page.

All of this makes Janet’s post very timely, and I encourage you all to read it. To note that protecting the private data that customers (or in this case site users) entrust to your business is critically important almost seems like a given. While the saying goes ‘there’s no such thing as bad publicity’, in a case like this, I doubt it will hold true.

Posted on the MegaPath Connectivity Blog.

The Need for Speed: Behind What You’re Really Speed Testing

What’s your broadband speed? There has been much said lately about measuring the speed of broadband connections, especially as relates to the FCC’s National Broadband Plan. The FCC has even placed two different tools on their Broadband.gov website in an attempt to provide consumers with information regarding the speed and quality of their broadband connection. Both of these tools, one from Ookla, and the other from Measurement Lab (founded by the New America Foundation’s Open Technology Institute, the PlanetLab Consortium, and Google) have their methodologies published on the FCC website. FCC Chairman Julius Genachowski has said that “Transparency empowers consumers, promotes innovation and investment, and encourages competition,” and it seems that placing these tests on the Broadband.gov website is an attempt to foster that idea.

Business customers need to be aware, though, many factors come into play that can affect the results of these tools when trying to test the speed of a broadband connection. Starting with the computer that is actually performing the test, there is the possibility that it is resource constrained. For example, if the computer has other software running during the test, such as a screen saver, email application, antivirus application or business applications, these other programs could limit the resources available to the testing application and the required Java environment, which can affect the outcome of the test. And let’s be honest, that’s a very common occurrence.

Moving away from the focus on a single computer, there could be additional business traffic on the network in your office or store. For example, if the broadband speed test is being performed while other users are active on the network — for example, downloading inventory reports, watching training videos, or receiving email — again, the results of the test can be affected.

The type of network the computer is on can also affect the test. For example, if the computer is connected to the Internet via Wi-Fi, delay can be introduced into the test results and affect the test, as the wireless path can be degraded by various types of interference.

And then there are many issues that come into play with the architecture of the Internet, and the technology of the connection you are using. There are very different physical characteristics between DSL, Cable, T1, Ethernet, Fiber, Satellite and 3G Wireless networks. Each of these network technologies, by definition, can affect the results of the test. Also, as you can see from the methodology descriptions, the test makes use of TCP and DNS, which can affect the results. The tests make a best guess to determine the location closest to your network’s physical location, based on IP address lookups; these are educated guesses, but they can still be wrong, and you may find yourself testing against a site that the test thinks is logically close, but due to the complexity of Internet traffic routing could actually be far from your network.

These speed tests are trying to measure a changing, dynamic environment, and the two endpoints of the test (your computer and the test server) may not reflect the path your business traffic actually travels. There are many points along the path the test packets take, starting with your computer and your local network, and including your service provider’s network, the other networks your service provider peers with, content delivery networks that can sit as an overlay on these networks, the path the DNS server lookup takes, the access network the test server sits on, and the test server itself, which could be resource constrained by the number of simultaneous tests being performed.

The net-net of bandwidth and business broadband speeds
Business users need to know that they are getting the bandwidth they require to communicate with their customers, partners and employees. Performing these tests on your broadband connection will give you one data point when you are making a decision on upgrading bandwidth, but there are many other factors that you need to take into consideration. What is the nature of the traffic you need to move across your network? What business applications are you running? How many users will be sharing the same connection? At what time of day do you need the best network performance? Is your network traffic secure? Does your network provide Quality of Service to make sure that your voice traffic has priority over the emails and web traffic moving across the network?

For consumers, the results of multiple speed tests over time, and performed at different times of day, will give them some information regarding the performance of their home network connection. When performing a test, they should make sure to be the only user of the network (i.e., the kids can’t be watching YouTube upstairs), and be sure to close all other applications on their computer. Businesses, though, should work with their Managed Service Provider to make sure that broadband speed test results are one data point taken in context with all of the other complexities involved in operating a next generation business network.

Posted on the MegaPath Connectivity Blog.