Viet Son Net

World news for Vietnamese

Gartner: VMs are less secure than non-virtual counterparts

March 29, 2010 By: vio Category: CIO, IT Man, Report

Citing new research, Gartner announced that 60 percent of virtual servers are less secure than the physical ones that they replace. The situation is expected to remain constant through 2012 before falling to 30 percent in 2015. Gartner warns that one of the causes has to do with the fact that many virtualization deployment projects are happening without the involvement of the information security team, at least not in the initial architecture and planning stages.

Indeed, the issue is not related to virtualization being inherently insecure, says Neil MacDonald, vice president and Gartner fellow. MacDonald noted, however, that “most virtualized workloads are being deployed insecurely. The latter is a result of the immaturity of tools and processes and the limited training of staff, resellers and consultants.”

The hypervisor is a relatively new platform, and its use represents a new threat vector containing vulnerabilities that have not yet been discovered. To better secure the hypervisor, Gartner recommends keeping it as “thin” as possible while hardening its configuration against unauthorized modifications.

In addition, Gartner also suggested that “Virtualization vendors should be required to support measurement of the hypervisor/VMM layer on boot-up to ensure it has not been compromised. Above all, organizations should not rely on host-based security controls to detect a compromise or protect anything running below it.”

For more on this story:
- check out this article at Network World
- check out this article at IDG News

The most overrated security technology

March 23, 2010 By: vio Category: CIO, IT Man

Aging security technologies continue to be embedded in many IT systems even though they’ve outlived their usefulness and could be replaced by better and more efficient tools.

CSOonline.com took an informal survey recently to see what IT shops are relying on for security and came up with a list of four technologies that have outlived their usefulness.

Among the antiques:

  • Antivirus software: It’s time to have a variety, not just rely on one software package.
  • Firewalls: Experts say they are almost useless.
  • IAM and multi-factor authentication: It takes too long to get them working correctly.
  • Network Access Control (NAC): Overrated and takes years to get it to function properly.

Instead of looking to the past to see what has worked, look ahead to see what’s coming out that could provide a better perimeter for your systems.

For more on aging security technologies:
- see this CSOonline.com article

The dangers of online file sharing

March 02, 2010 By: vio Category: CIO, IT Man

Congress is looking at ways to plug a hole that increasingly is letting hackers gain access to a company’s data. A bill, passed in the House and awaiting action in the Senate, would require software companies to inform Internet users of privacy and security risks associated with file-sharing programs.

The software, known as peer-to-peer programs, or P2P, is often used to download music and movies and is the largest portion of Internet traffic. But it can also lead to the inadvertent sharing of documents, a problem linked to plenty of data breaches lately.

The bill would require software developers to clearly tell users when their files are made available to other users over the Internet. It would require file-sharing software to display a pop-up box alerting Internet users when they encounter such programs. The bill would also let consumers and employers block or disable file-sharing programs.

The Federal Trade Commission is on a campaign to make people aware of P2P vulnerabilities. The agency says driver’s license numbers, Social Security numbers and other personal data have been compromised many times in recent months.

“This bill will let people know - in a way that they can understand - that their personal files are being shared with complete strangers,” said Sen. Amy Klobuchar (D-Minn), one of the co-sponsors of the P2P legislation.

For more on P2P legislation:
- see TheHill.com blog
- see this Computerworld article

The party isn’t over for IT

February 25, 2010 By: vio Category: CIO, IT Man

There’s plenty of talk these days about where IT is going after recovering from the recession. Will it be growing domestically or will the trend toward outsourcing continue to eliminate jobs in the continental United States?

Will new technologies consolidate existing systems and remove redundancies in workers’ daily tasks–making a human hand less essential?

CIO.com reports in a recent blog that baby boomers and Gen Xers are steering Millennials away from a career in IT. The reason is outsourcing and cost cutting. But blogger Sharyn Leaver, of Forrester Research IT, writes that IT-related jobs are still the best potential career path for young, smart graduates looking for a place to hang their hat and grow their careers.

Here are some of her reasons:

  • Businesses will depend more and more, not less, on IT functions.
  • IT will become more embedded, not less, in every kind of business scenario.
  • The need for technical expertise is growing as businesses work to consolidate and get the best profits from their products.

There are plenty of IT careers that are hot right now–security for one. And one piece of advice from pros is to learn Drupal, a free software package that makes publishing and managing social content on the web easy.

Meanwhile, look around to find gaping holes in IT processes. There are likely many jobs that need an IT expert to fill in the gaps once the recession ends. Think of it this way: Even COBOL, that old mainframe language, still needs to be maintained now and then. And where are the IT workers who know how to do that?

For more on the future of IT:
- see this CIO.com article

Study: Old security flaws cause some breaches

February 07, 2010 By: vio Category: CIO, IT Man

A new study finds that many companies still have old security vulnerabilities lurking in their systems, leaving a back door open for hackers to get in and attack. The report from Trustwave is based on an analysis of more than 1,900 penetration tests and more than 200 data breach investigations conducted for clients including American Express, MasterCard and several large retailers.

Until now, many companies have been relying on finding the latest vulnerabilities, not reaching back to old and supposedly well-understood ones. But the finding sets the stage for companies to do another inventory of their systems, looking for cracks that may have been left in place for years.

Are you one of these companies? And would it be worth your while to patch your system to prevent an opening?

The most common vulnerability discovered during Trustwave’s penetration tests involved the management interfaces for web application engines such as WebSphere and ColdFusion. Amazingly, in many cases, the management interfaces were accessible directly from the Internet and had little or no password protection.

There is some good news out of this survey. It means that companies will not need expensive fixes for a problem that can be solved easily and more cheaply.

For more on old vulnerabilities:
- see this CIO.com article

Six hottest IT skills for 2010

January 26, 2010 By: vio Category: CIO, IT Man, Tech Tips, TechWatch

We’ve been asking for more than a year about what IT jobs will be hot when the recession ends. Now that time is just about here, and we have a general idea of what will be hot.

There is new demand for specialized skills, as well as some tried-and-true ones to keep the shop operating. Computerworld’s survey of the hottest IT skills for 2010 includes:

  • Programming/Application Development – These skills are needed to meet the demand for new systems and projects.
  • Help Desk/Technical Support - This skill set is at the bottom of the bottom rung, but every IT shop has a strong demand for people who make the help desk hum in 2010. It may be the fastest way to get your foot in the door.
  • Networking - There aren’t enough networking professionals out there to handle the growing complexity of networks and the stresses placed on them by virtualization, cloud computing and security demands.
  • Project Management - There’s a growing demand for professionals who understand technology and how it fits in the overall business strategy.
  • Security - We’re not sure why this isn’t at the top of the list. We would place it as the biggest challenge for IT executives this year. The need for IT professionals to be well-schooled in cybersecurity skills should be at the top of anybody’s list.
  • Business Intelligence - BI skills are growing in importance especially for small and midsize companies that don’t have the budget to do a year’s worth of R&D.

For more on IT skills in demand:
- check out this Computerworld.com article

Create secure passwords you can remember

January 26, 2010 By: vio Category: CIO, Tech Tips

Most passwords are easy to guess. Take a stab at it and see if your officemate uses his or her name, kids’ names or dog’s to get into their system.

These days, it’s important to protect your password at every step of the way. InfoWorld.com has a few tips on how to create a secure password that cannot be hacked.

  • Never pick a password that has anything to do with you personally.
  • Don’t use real words. Make a few up.
  • Mix letters, upper and lower case, numbers and symbols to create the best word such as jOx12$#.
  • Take this advice seriously and make sure your staff does, too.

For more on safe passwords:
- Check out this InfoWorld.com article

Protect your system against China

January 26, 2010 By: vio Category: CIO, Tech Tips

It’s time to think about China from a security perspective and not just as an afterthought. It’s time to figure out how to prevent Chinese hackers from getting anywhere near your systems in the wake of recent disclosures about its hack attacks on Google and other sites.

Here are a few points from GovInfoSecurity.com to consider if you are concerned about hackers from China:

  • Determine your risk, and remember there is no patch available to protect you against this risk.
  • Evaluate your vulnerabilities. Can your employees take computers overseas? Are your employees accessing your system from overseas?
  • Are you a well-known brand like Google that would give Chinese hackers a big win if they compromised your system?

For more on thinking about China:
- see this GovInfoSecurity.com article
