1. Stay informed

Microsoft releases patches on a predictable schedule to facilitate server patch management strategies, but they also release out of band patches when necessary. Your application vendors (and other o/s vendors if you are not a pure MS shop) tend to release patches when they will. Subscribe to all of your vendors’ notification lists, and use a distribution list to make sure nothing is missed because someone is on vacation. Also subscribe to one or more of the leading independent security bulletins so you stay aware of needed patches.

2. Stick to a schedule

Remember that schedule? Use it to make your own server patch management schedule with predictable, published, and inviolate maintenance windows. Patching is not an optional activity, and when the rest of the business knows you patch on the third Thursday of the month, they won’t schedule conflicting tasks. Well, some of them will try, but patching trumps all.

3. Test

Patching goes badly only when patches are deployed to production without testing. Whether you maintain a DR facility that can be used for testing, a scaled down physical environment, or you just take snapshots of your production VMs and test patches in a sandbox, make sure your server patch management strategy includes testing. Vendors test against their vanilla deployments, and against as many combinations as they can of things that follow supported scenarios and best practices. Unless you know for absolute certainty that your systems are ‘pure’, testing is the only way to be sure you won’t run into production issues.

4. Automate automate automate

Even the smallest shops on a shoe string budget can use the free WSUS for the server patch management, but there are very affordable third party applications that can also handle third party applications in the patching process, which you can also leverage when patching your workstations. Even the most expensive, top of the line server patch management applications will be less expensive than the recovery costs associated with that one server that was exploited because it was missing a critical patch.

5. Verify verify verify

Review your server patch management application logs, spot check individual machines, and then run periodic scans with MBSA or a vulnerability assessment tool to make sure that all servers were patched, and any new systems added to your network are fully up to date.

Bonus tip: redundancy is your friend

Nobody wants to spend an entire evening to patch. Having redundancy for all critical services enables you to patch during the day. This improves work life balance sure, but it also means that if a patch does go awry, all hands are already on deck, wide awake, and able to lend a hand, rather than leaving the guy who drew the short straw trying to figure it out alone in the middle of the night, or having to wake everyone else up to assist. Look for redundant domain controllers, overlapping DHCP scopes, using FRS shares instead of relying on a single file server, NLB or clustered applications, etc., to keep single instance services to a minimum.

Use these fundamental tips to make your server patch management strategy the best it can be. Your server uptime and performance will reap the benefits, your users will never suffer from outages, and you might just get to experience some of that work life balance you keep hearing about. Server patch management doesn’t have to be painful; these six tips are the way to go.

If you can’t wait to go shopping online today (and on Cyber Monday), just be aware that the bad guys are just as keen to divert your attention to their infected websites and fake bargain stores. Thus we encourage you to pay particular attention when shopping online and searching for those hot deals. We’ve drawn up a short list of tips that will help you keep focused on protecting your machine and your money yet at the same time ensure you have a great shopping experience.

1. Secure Your PC and Network – Be sure the computer you use has, at a minimum, a firewall, up-to-date antivirus software and the latest version of whichever web browser you are running. At home, ensure your wireless network is password-protected. If you must shop online in a public place, avoid using an unsecured Wi-Fi connection.

2. Use Strong Passwords– A strong, alphanumeric password with at least eight characters is an easy way to help defend your personal information online. It is also recommended that you use different user names and passwords for each online account you have.

3. Shop on Trusted, Secure Websites – Before entering your personal financial information to make a transaction, always make sure that you are using a site that provides encryption for the credit card transaction. Look for the closed padlock on the browser’s address bar or at the bottom of the screen. Also check the browser’s address bar to confirm that the URL begins with “https,” signifying a secure site that provides encrypted communication.

4. Protect Personal Information – Most online shopping will require disclosing information to process a transaction. It is normal to provide contact information like an address and phone number, and, when prompted, your credit card number. However, be wary of any request for additional information, especially if it is received by email claiming to confirm a purchase or asking for additional information. Always contact the merchant directly if you have any doubt about requests for personal information you receive.

5. Be Careful What You Click – While searching online for deals and product reviews, be careful about clicking on hyperlinks you run across in search engine results and holiday e-cards, as well as on social networking sites like Twitter and Facebook, even if it appears that your friends are suggesting a link for you. Always verify the URL address—especially shortened URLs—of any link you run across to ensure it will direct you to a safe, reputable website. One wrong click can lead to malware that could end your holiday shopping season early.

Simple tips but they can make a huge difference to your online shopping experience. Have a good time shopping today, but be careful and wary of the nasty stuff that is lurking out there.

This seemingly backward move is actually quite the opposite; using fax server software to modernize faxing services, integrating fax capabilities with email and printing, and adding fax capabilities directly into EMR/EHR systems makes moving from email to fax a great step forward for small family practices, specialists, and major healthcare institutions alike.

Faxing has always been a way to transfer data between healthcare professionals and other practices, pharmacies, and insurance agencies alike. Faxing is like the lowest common denominator of communications in most businesses; with a phone number in hand, anyone can fax to anyone else that has a fax machine. Because the communications are circuit-based and point-to-point, they are considered more secure than email, which crosses the Internet and could be intercepted by malicious users.

However, faxing can be slow, labor intensive, and there is nothing at all secure about a sensitive fax left sitting in the output bin for anyone to see, so HIPAA has a number of things to say about how healthcare practices must secure their fax machines. But what if there were no fax machines? What if you don’t need to lock up the machine in its own special room? What if you could combine the speed, convenience, ease-of-use, and privacy of your email client with the interoperability of your fax machine? That is where fax server software comes into play.

With fax server software, a user can take a document and simply email to fax, just like they would email to email. Instead of entering an email address or picking a contact from their address book, they can enter a telephone number or pick a contact from their address book and turn that document into a fax all within their existing computer software; nothing to print out and then file or shred after sending; no need to stand at a machine and wait for the busy signal to stop and the paper to pass through the box.

Fax server software integrates with your email server and “fax enables” most pieces of software on a user’s computer. Anyone can email to fax, or even print to fax, without a need for an actual printout on paper, or a machine on a counter. The heart of the system resides on a server in the computer room, and your PC becomes your fax machine. If it can print, then any program you have can email to fax because it will “see” the fax machine as a printer.

Fax server software can also integrate with your EMR/EHR system, enabling inbound faxes to automatically become files attached to medical records, or to take existing records and send them on to insurance companies or referrals. The time saved directly moving data in and out of your EMR/EHR system without first having to print it, and then taking it to the fax machine, sending it, and then filing that paper can add up to hours per week, not to mention the storage space saved by using this email-to-fax capability instead of storing all those printouts.

With all that fax server software has to offer, it is worth looking at an implementation of an email to fax solution in your practice. You’ll be glad you did.

Very few! And those guarantees disappear if the organization does not have adequate security solutions in place. We’re not talking just email security here but web security as well.

A recent survey commissioned by GFI Software among small and medium businesses in the US found that 40% know with certainty that they suffered some sort of security breach as a result of employees navigating to websites that host malware, infected downloads or have been corrupted by malicious code.

The Internet is a hornets’ nest of malware and other nasties and the bad guys are primed to pounce on suspecting users. What is worrying is that despite the high risk of infection, there are still organizations that are not paying attention to the problem or they are doing so for a good but not necessarily the most important reason.

The results show that even in the face of such infections, a majority of web monitoring software users do not cite defense of their network as the main driver for deploying such a solution. 55% of SMBs indicate that defense against infected websites is not their main priority.

A total of 24% of all respondents use it mainly to ensure employee productivity; 13.5% to conserve network bandwidth and speed; and 11.5% to prevent employees from visiting inappropriate sites.

These are all valid reasons to use web monitoring software but what about security?

These results indicate a lack of awareness about the full capabilities of web monitoring software and how these solutions are evolving into critical components of effective SMB network security practices. Protecting the network from malicious websites and downloads should be a top priority for IT managers in addition to concerns over employee productivity and bandwidth management.

The survey found that 70% of those not using web monitoring or filtering software claim that web use is not a problem in their organization. With all the threats that are reported in the media on daily basis, these organizations are really taking a big risk.

Web monitoring solutions that equip IT administrators with an additional layer of network defense against online threats and provide employees with the tools they need to make better, safer decisions while online go a long way in helping SMBs balance the benefits of Internet access with the risks it creates.

The survey of 200 U.S.-based IT decision makers at organizations with between five and 249 employees was fielded by noted polling expert Opinion Matters, between Sept. 29 and Oct. 4, 2011.

Reputation and trust go hand in hand, but from a security perspective this is not always a good thing – particularly when browsing the web.

In a real-life situation, reputation and trust in a brand, product or service – bar some major mishap – don’t change that much. If a hotel is good, in most cases it remains so. If I like a particular brand of clothing, its reputation is usually sound.

Yet, when I go online, how does my level of trust in something and its reputation affect my security?

Let’s say that I like reading a particular online blog. One day the site is hacked and infected with malicious code. The next time I visit that site, there is an increased risk that my machine will be infected as well (especially if I don’t have antivirus installed). Six months down the line, is it still safe to visit that site again?

Now take this example and put it in the context of a busy work environment where employees ‘enjoy’ access to the internet throughout the day. Each employee has his or her favorite websites – most of them innocuous and posing little legal threat to the company.

With such a widespread increase in malicious, fraudulent, phishing and scamming sites appearing daily, what guarantees does the IT administrator have that one of the employees will not visit a website that has been compromised and infected by malware? The employee in question had not visited the site for some time and two months earlier it had hijacked by scammers to push malware to unsuspecting readers. The next time that employee visits the site… oops!

So, how can administrators address this problem? How can they proactively prevent employees from visiting sites that could at some point have been compromised, thus putting the network at risk?

The solution is to filter those sites using web reputation. In a similar way that you would choose a hotel or a service on the basis of its reputation among peers or the public, the web reputation approach gives ratings to websites based on a current and future risk analysis.

Depending on the risk factor, websites are either blocked, classified as suspicious or allowed. This gives administrators the edge over traditional approaches such as Site Categorization. Just because ‘News’ sites typically are not a security risk, that doesn’t mean that they may not be the target of scammers or malware creators. So judging risk on the basis of category alone is not enough. Yet if each website is ranked according to its risk factor and this, in turn, defines what action should be taken, online browsing safety increases considerably.

Website Reputation Index provides a “safeness” rating for websites based on their current and future threat profiles. Administrators can implement flexible Internet access policies by blocking sites based on the risks they pose, rather than preventing access to entire categories of websites, and employees can make smarter decisions about visiting websites with which they are not familiar – and even those they are.

Something certainly worth exploring if web filtering and security are key issues for your organization and your sanity as an administrator!

Yesterday, Microsoft released the details of its actions against the alleged controllers of a botnet considered to be very similar to Waledac. Microsoft obtained an ex-parte temporary restraining order which enabled Microsoft to work with ISPs to disconnect the command and control servers from the Internet, severing their connection to the compromised computers.

The complaint from Microsoft alleges that Dominique Alexander Piatti, the dotFREE Group S.R.O., and 22 ‘John Doe’ defendants associated with various IP addresses and domain names, violated both federal and state laws by operating a botnet, causing unlawful intrusion and dissemination of unsolicited bulk email to Microsoft’s detriment. Piatti currently resides in the Czech Republic, and dotFREE Group S.R.O. is a Czech LLC. The ‘John Doe’ defendants are the owners of several registered domains that were a part of the CnC network, but used private registrations for their domain names.

Microsoft’s DCU worked with the Trustworthy Computing Initiative and the Malware Protection Center during the investigation, as well as with customers including Kyrus Tech Inc., who served as a declarant in the case.

This latest victory in the fight against spam is significant for several reasons including:

1. While Kelihos is not as big as Waledac or Rustock were, 3.8 billion spam messages a day is a big number.
2. This is the first time defendants were named and served legal notices on the same day that their servers were taken offline.
3. Kelihos shares significant amounts of code with Waledac, indicating that they were either developed by the same author(s) or that Kelihos was adapted from Waledac.

It also underscores the continuing need for antivirus software at the gateway and on every workstation, as well as anti-spam software for every mailbox. Consider that the Kelihos botnet controlled tens of thousands of computers. The owners of these systems didn’t willingly sign on to generate billions of spam messages each day. They were infected by malware. If they had been running antivirus software with up-to-date definitions, they probably wouldn’t have been infected. Not all of these infected machines were home computers either. Web filtering software on the company network could have prevented corporate computers from being taken over. And even with 3.8 billion fewer spam messages hitting our mail servers daily, there are still billions more trying to flood our inboxes. Implementing anti-spam software on the email server, or using an online filtering service, is a critical requirement for any administrator managing an organization’s email security strategy.

While wireless public networks allow us to be online when and where we want to, they are often not secure. Few realize that they are on a shared network with strangers and not everyone using that network is online to check their email or Facebook. The bad guys are interested in the sensitive data, such as passwords and financial transactions, being sent over the Internet. Public networks are vulnerable to attack and there are numerous hacking programs that are easily downloaded from the web.

The key to protecting your information online is to ensure that the data you are sending over the internet is encrypted. Encryption scrambles the information into a code so that it is not accessible by others.

It is strongly recommended that you either use a website that is encrypted or you use a secure wireless network. A secure website only encrypts the information that you send to and from that site, while a secure network encrypts all the information that you send while you are connected.

How do you know if a hotspot is secure? If you are not required to enter a password to connect to the hotspot, then it is not secure. Also, if you are asked to enter a password through your browser for access, or it asks for a WEP password, it is best to consider that hotspot as unsecured. If, however, you are asked to enter a WPA password, or WPA2 (which is the most secure), then you can use that hotspot with a good level of confidence.

OnGuard Online, maintained by the Federal Trade Commission (FTC) in the US, is a very good source of information and worth visiting if you want more detailed information on how to protect your information and improve security on your devices.

If you use public wireless networks on a regular basis, here are a few tips that will help to keep your information safe from prying eyes:

• Use websites that are fully encrypted. Check the website address and make sure that the site is using ‘https’ and a ‘lock’ icon can be seen at the top or bottom of the page.
• Avoid logging on to websites that are not secure and make sure that you log out when you’re finished using an account. Do not simply close the page.
• Use strong passwords and use a different password for each account you have. If one of your passwords is compromised and you use that for various accounts, you risk giving someone access to more than one account.
• Make sure you’re antivirus software is up-to-date with the latest definitions and you have a firewall (providing inbound and outbound protection) and anti-spyware installed.
• Only access sensitive information, such as online banking portals, from a public network if absolutely necessary. If you need to connect to the office or your home PC, use a Virtual Private Network (VPN) when connected to an unsecured hotspot.
• Always look for a hotspot that is password protected using WPA or WPA2.
• Hide your files. Always turn off file-sharing when using an unsecure public network.

On a final note, if you are accessing confidential information or accessing personal sites or documents bear in mind that you’re not at home but in a public place. You never know who may be looking over your shoulder.

We grumble because we are fingerprinted at airports and we complain because our local High Street has more surveillance cameras than street furniture. We complain because our letterbox is stuffed daily with useless marketing flyers for products we are not interested in.

Gone are the days when we could go about our business without wondering if our every move is being filmed, monitored and ‘ogled’ by someone in authority. We usually blame this state of affairs on governments, officials with an unhealthy paranoia for security and the media.

I would argue, however, that we are as much to blame as the authorities are. The way we have embraced technology – from the use of email to blogging and social networking – has pushed us into a situation where, albeit unconsciously, we have given up a part of our right to privacy.

Data about us can be found everywhere. If you have a loyalty card with your local store, your details are running around in their systems; if you purchase items online, your details are there as well as a nice long list of your personal shopping preferences; if, like nearly half a billion others, you have social network profiles and post pictures and daily updates of what you’re doing, that data is available  in a public forum; if you love tweeting, well thanks for keeping us informed that you’re going on holiday.

Our browsing activity is monitored through cookies on our PCs – what people do online in the privacy of our homes is trapped in a small file – but do most people care? No, they don’t. Today, we are so used to running around with tablets, smartphones full of personal data, photos, contacts, videos, emails, and so on, that we tend to give little thought to security or that we are carrying ‘our personal lives’ on a piece of hardware.

My point being that technology has ‘liberated’ us to such an extent that our lives are somewhat dictated by the technology that we use – and that means sharing information about ourselves; details which 20 years ago could only be found in a register gathering dust in some government office. And, unless you were kind of high-profile individual, even the information stored there was relatively limited.

20 years ago we wouldn’t give an album of photos to anyone except close family; today, we upload photos to the web and share them on Facebook. Ironic, isn’t it?

What is amazing is that we do so without batting an eyelid. We willingly provide our credit card details online; we happily use our loyalty cards; we share our non-working lives with friends and acquaintances on a daily basis through Facebook, MySpace, Twitter and so on. We almost automatically tick the box on user licence agreements without reading the small print.

In many ways, our lives have become more public than ever before. To partake of today’s technology, we have chosen to put aside privacy. Some of us are more careful than others; but not everyone understands the risks. And that is when privacy issues could become a real concern.

Why blocking some websites can be a good thing:

• Users accessing compromised websites and downloading infected files result in lost productivity and this means help desk staff must clean (or restage) users’ workstations. By blocking websites that are not business related you greatly reduce this risk.
• Downloading copyrighted material from the company’s network can expose the company to legal action. Blocking websites that host movies, music, and other content can protect the business from legal exposure.
• While some non-business related Internet access during work hours may not be a problem, users can waste hours surfing the web without even realizing it. Blocking websites can help to make sure users are focusing on their jobs, and not their social network.
• Blocking websites can also help conserve bandwidth for mission critical applications, and keep those charges down.

Why blocking all websites can be a bad thing:

• More and more businesses are turning to social media channels to promote their products and services, and make connections with their customers. Cutting off this channel can prove costly.
• IT is not the only department that uses the Internet to perform their job. Blocking websites can prevent a sales person from researching the competition or even finding out more about a potential customer.
• As more and more users are expected to take work home, permitting them a degree of personal Internet access while at work keeps things fair and protects employee morale, while blocking all Internet access is a short path to resentful employees who will feel untrusted.

How to go about blocking websites the right way:

• Establish an Internet usage policy that is fair and balanced, and ensure that all users are aware of what is considered appropriate and what is not.
• Permit a degree of personal Internet access, but monitor it to ensure it doesn’t impact productivity.
• Educate users on safe Internet habits, and the importance of adhering to policy.
• Implement web filtering software that can protect users from malware, block sites that are obviously not work appropriate, and that can whitelist sites that are business critical, like vendors, partners and customers.

Blocking websites is necessary, but should be done using a fair and open approach, and to protect users and the company’s information, but not with the attitude that you want to control your users. Keeping communications open between users, management and IT, and using the right web filtering solution, helps to ensure the company is protected and users are happy.

It’s official. Intelligent people do dumb things.

Earlier this month, an internet fraudster – who had cashed in nearly half a million pounds – was put behind bars for two years for his part in a gang running various web-based scams.

The gang, whose leaders are still on the run, must have been good. Real good! According to the Metropolitan Police, the group enticed, among others, a doctor, an accountant and a hotel owner, to part with millions of dollars.

The first victim was a Canadian doctor. A member of an Internet dating site, the gang persuaded her to hand over more than $100,000 to a man she met online. He claimed to be a diamond trader.

The next victim, an accountant from Melbourne, fared even worse. He handed over $AUS1.7 million in order to secure a non-existent $500 million loan. Over a period of 14 months, he deposited money into various bank accounts to secure the loans. The accountant attended meetings set up by the gang in England and Dubai and to convince him, he was shown a trunk containing a large quantity of cash.

In a separate scheme, a Swiss hotel owner was conned out of £11,000 in a fraudulent oil investment.

How on earth did they fall victim to these scams? These are very intelligent people, experienced in business or their profession and, I would assume, cautious with their hard-earned cash.

Unfortunately, they came face-to-face with some really clever fraudsters who must have been honing their skills for a long time. It takes a lot of planning and thespian qualities to target three professionals and skim their bank accounts.

The hotelier may be £11,000 poorer but the other two are on the verge of bankruptcy.

How they did not smell a rat when approached by the gang is amazing for a number of reasons. Let’s take the accountant. A trained professional he surely knew enough about investments and finance to realize that not everyone is in a position to offer a $500 million loan, unless you’re talking to a bank or a well-known investment firm. Whatever proof they gave him must have been compelling but for that amount of money, is it possible he did not carry out any background checks? Anyone with that amount of money to lend must be known in investor circles. If someone shows you a trunk full of cash and not a bank statement, doesn’t that seem odd?

The Canadian doctor case is also baffling. Why handover $100,000 to someone you met online? Blinded by love or the promise of greater riches? The lady doctor has learnt her lesson – but too late in the day.

These unfortunate stories show how easy it is for a well-prepared fraudster to entice people. They did not target uneducated or elderly people. No. They were so confident in their abilities that they went for two people who had the money. Why target the small fish when a larger one falls just as easily for the bait?

One motto rings true in these situations: If it is too good to be true, it probably isn’t. The best way to avoid falling for these scams is to be vigilant and suspicious. If an offer comes through the Internet and not through a channel you would expect, beware. If it’s intriguing, do your homework and get advice from a professional or a good friend.

Taking a step back and thinking with a clear mind is all it takes. We all take dumb decisions but there are some that can be avoided.