You could be next
Tim Roberts, a security consultant at Solutionary, has been on the other side of trickery. Roberts was recently hired to infiltrate a company’s buildings and networks – mirroring a crook’s social engineering attempts to get at sensitive personal and corporate data. This was all done for cybersecurity assessment purposes and his findings and solutions are shared in hopes you can avoid being the next victim.
Key Loggers and Post-Its
I approached the front desk and chatted up the assistant (nametag Sarah) and a maintenance worker. “There was a ticket put in a while back. Did you guys not get an email notification that I would be here? We are in the process of doing some migration on the network and there have been some outages at the offices.”
At this point, Sarah locked her system and let me sit down at her desk. Instead of using a lot of gadgets, I just took out the key logger and plugged it in between the keyboard and the system. “Could you go ahead and log back in? I need to pull up a command prompt to test the connectivity.” She did, and the key logger was able to catch her submission. “Actually, because I am going to have to ask you to do that a few times, do you mind just writing down your credentials and then we can trash it once I am finished?” I slid the Post-It stack to her and placed a pen on top as I continued to focus on the system, in an effort to convey that this was normal. She wrote down her password and slid it back to me. As I was snooping around the system, I gained access to network shares and several systems on the network. I also noticed that she had her BitLocker recovery key saved conveniently in the My Documents folder, along with some VPN information.
“Sarah, I noticed you don’t have a laptop. Do you ever do work from home?” She replied, “I am not special enough for a laptop. But, they did give me a tablet that I rarely use. I can’t get the VPN to connect.” I tried to bait her with another question. “Oh yeah? Could you show me how you typically connect from home and what credentials you use? Maybe I can reset some things from here for you.” She continued to explain how to remotely connect to the network. I took some quick notes when she wasn’t paying attention. In the end, I had another gig of data, domain credentials, encryption key and a tutorial about how to connect to the VPN.
Poor gullible Sarah
I’d say this was a successful engagement and, most importantly, a reminder of how gullible people can be when you appear legitimate, sympathetic and helpful.
Security awareness training! This goes beyond the annual awareness campaign and quizzes. This must be ingrained into the culture of your company. Your employees must be aware of the risks that are associated with information security (this includes physical and technical controls).
A Clean Desk policy. Sensitive data should be put away when not in use. Passwords should never be written down and taped to the workstation.
Make sure that your Minimum Baseline Configurations (MBC) include disabling unnecessary physical ports (e.g., USB). Aside from physical key loggers, the risk of data leakage increases when an employee can copy data to an external storage device.
You don’t have to be paranoid, but skepticism and awareness are traits every employee should have. An employee who can recognize the common traits and mannerisms of a would-be attack can be the first barrier against compromises like this.
Once I picked the lock to the unalarmed external emergency door, I realized that the client took the extra step of implementing biometric access control. There wasn’t a single person going in or out while I observed. I needed a different way in to the server room. I noticed a security guard station with several monitors and a key box behind the desk. I saw that a guard and a maintenance employee were taking a coffee break. “Sorry guys, I’ll just be a moment. I need to get the serial numbers off of these devices. We are doing inventory.” I gave him the face of, “you know, the grind,” shrugged and began writing down anything I saw. “Not a problem,” the guard responded after glancing at my fake badge I made using basic photo editing skills. “You can take them if you want. They don’t work half of the time anyway,” the guard chuckled.
“Could you show me? Maybe I could get corporate to put something in the budget for some new systems.” I made my way behind him, looking at the monitors. Without hesitation, the guard typed in the default password of ‘1111’ and showed me the security issues of the building, where the cameras were located, which ones worked, etc. “I almost forgot.” Turning to the maintenance employee, I asked “You’re with maintenance, correct?” He nodded.
“Awesome, I need to get into the server room for some serial numbers.” This was a big risk, but I figured, why not? “Not a problem. I can let you in.” The guard sat up from his chair and escorted me to the server room. I thanked him for his help and told him that I could take it from there.
A new guard
Again, awareness training would help prevent the situations the guards faced. Some awareness programs aren’t robust enough to get across the dangers of social engineering and real-world threats. Security awareness training too often becomes routine, just another annual training.
Employees need to understand that security starts with them. Always double-check someone’s story, especially when someone is claiming to need access to this or that or doesn’t badge in. It’s OK to take a minute to call and verify someone’s story and/or credentials. Even if they seem irritated and inconvenienced, it’s better to be safe than sorry.
Change default passwords on devices, even if it only forces a three-pin code for a security system. Switch it up routinely.
Remind the security vendor what risks there are outside of the obvious. Inquisitive security guards who are diligent can make or break your physical security.
Barbecuing your data center
The quarterly employee appreciation BBQ was the perfect time to survey the building undetected. I noticed that nearly all of the badge-restricted areas had doors with the same lever handles. I peeked through the thin window, between a haphazard paper and taping job covering what appeared to be a highly sensitive area. My under-the-door tool allowed me to open a lever door from the other side. Utilizing this, I was able to bypass several restricted areas, including a PBX and server room door. Once inside the server room we had access to systems, networking and telecom devices, butt sets (telephone test sets) and PBX systems. After about 30 minutes of harvesting as much data as possible, we heard someone badge in. Two employees came in, one went straight to his laptop, and the other asked who we were. “I’m Elliot, from XYZ. I’m doing some inventory on the PBX systems.” I interjected as I casually flipped through a clipboard that I had taken from outside. At this point, we were able to gather equipment and devices upon leaving the room.
I found a door that led to the main data center, and passed the cubicle area for what I could only assume was the networking department. This door had two-factor authentication, requiring a four-digit PIN and proximity badge in order to gain access. I noticed that the drop-floor below me could be opened. There was also a handy suction grip conveniently sitting on a table beside the door. I lifted one of the tiles and could have easily crawled under the floor, but I decided against this since I was sporting a white button up and it would have heightened the risk of being exposed. I replaced the tile and instead tried to pick the lock using a bogota-style pick. I was able to bypass the tumbler lock, the two-factor authentication and open the door. I was in the data center and had access to several systems with sensitive data, remote employee VPN devices, laptops, Internet switches, the core switch and more.
How not to get grilled by con men
Use industry best practice when securing your server rooms. This means floor-to-ceiling walls, no lever handles and no windows.
Make sure that your intrusion detection systems cover all external doors and accessible windows.
Don’t leave too big a gap under doors; a tight gap makes it harder to trip exit motion sensors and to work the under-the-door tool.
If you must have a physical key to bypass additional access controls, consider a strong lock core and a key management log.
Instill a culture of social and physical awareness, not paranoia. Every employee, vendor, contractor, etc. has a part in security. If employees feel suspicious, encourage them not to be afraid to inquire, challenge and to double-check.
Require badges to be visible at all times. If a certain badge requires an escort, make sure there is an escort. If the badge looks funny, ask to see it.
Keep destruction/shredder bins secure. This goes beyond your run-of-the-mill padlock.
Key to the kingdom
After about an hour of walking around, taking photos, picking the locks on office doors and shredder bins, and dumpster diving, I gathered quite a bit of sensitive data (some of which included scans of driver licenses and Social Security cards). I successfully used the “under-the-door” tool to bypass a lever handle door which led to the IT department and the data center area. I not only had access to the servers, switches, laptops and a treasure trove of data, but I also found a box of handy “remote employee VPN devices and handbook.”
The Security Control Room contained access to the security cameras and security system, a badge maker, access logs, security staff files and a key box. This box was made out of aluminum and had a generic lock that was easily bypassed (I wanted to try to bypass it, even though I had the guard’s keychain). It had a key spreadsheet on the inside of the door, and several keys hanging in it. There were keys to company vehicles, wiring closets, several rooms and cabinets, elevators and much more. The key that caught my eye was one labeled “Facility 2 – Server Rm.” I had agreed to not take anything outside of the facility, so I couldn’t take the key with me.
“Sorry to bug you, but I am doing a key inventory and John from facility services had given me this key for the Security Control Room, but it doesn’t appear to be working. He said that you should have one and to ask if I could use it for a minute. I promise to bring it right back,” I said as I stood in front of the guard’s desk, smiling and gently tapping the random key on the table.
The security guard paused for a moment, smiled and pulled out a handful of keys. “Well, I suppose, but you better bring my keys back, or I am going to hunt you down.” I made my way back down to the door, unlocked it and then locked it back once inside.
Don’t be so trusting
Tell your guards to stop being so trusting and to never hand their keys over to a random “employee”. Guards are one of the first layers of security, but too many companies often depend on them to be the primary eyes and ears, where the whole employee body should be several eyes and ears.
Don’t forget about the hard locks on doors and cabinets leading to restricted and sensitive areas.
Make sure that your guards are alert and aware. Security guard work can get boring, which invites distractions (phone, Internet, conversation, etc.). Make sure that the guards understand their roles and responsibilities, especially if they are not in-house. The security guard can often make a huge difference in your physical security. They are the first barrier within the facility and should not hesitate to challenge someone’s story.
Always double-check, and never be afraid to validate someone’s identity. If a would-be attacker doesn’t have a legitimate badge visible or isn’t escorted? Escalate. Did someone piggyback? Ask them to badge in and verify a successful result.
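The piggybacking check described above can also be run after the fact against the access-control system’s own logs. The following is an added example, not part of the original article: it takes a constructed badge-reader export (timestamp, door, event, badge) and flags two things, a door that opened without a badge grant to account for it (a likely tailgate), and a badge granted at an inner door such as the server room without an earlier grant at a perimeter door the same day (the badge holder most likely followed someone through the perimeter). The door names, badge IDs, log format and five-second grant window are all assumptions.

```python
"""Tailgating and anti-passback checks over physical access-control logs.

Added example; not the article's or any vendor's code. The log format
(<ISO timestamp>,<door>,<event>,<badge>), door names and badge IDs are
constructed. Events: GRANTED, DENIED (reader decisions) and DOOR_OPEN
(door contact sensor; no badge field).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export from a badge system
SAMPLE_LOG = """\
2016-03-01T08:00:02,lobby-turnstile,GRANTED,E1001
2016-03-01T08:00:03,lobby-turnstile,DOOR_OPEN,
2016-03-01T08:00:05,lobby-turnstile,DOOR_OPEN,
2016-03-01T08:00:09,lobby-turnstile,GRANTED,E1002
2016-03-01T08:00:10,lobby-turnstile,DOOR_OPEN,
2016-03-01T08:04:30,server-room,GRANTED,E1002
2016-03-01T08:04:31,server-room,DOOR_OPEN,
2016-03-01T08:06:00,server-room,GRANTED,E1003
2016-03-01T08:06:01,server-room,DOOR_OPEN,
2016-03-01T08:10:00,lobby-turnstile,DENIED,E9999
"""

PERIMETER_DOORS = {"lobby-turnstile"}   # assumed: doors everyone must badge through first
GRANT_WINDOW = timedelta(seconds=5)     # assumed: how long a grant can explain a door opening


def parse_log(text):
    """Parse CSV lines into (timestamp, door, event, badge-or-None), sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, door, event, badge = line.split(",")
        events.append((datetime.fromisoformat(ts), door, event, badge or None))
    events.sort(key=lambda e: e[0])
    return events


def find_tailgates(events, window=GRANT_WINDOW):
    """Each GRANTED should account for exactly one DOOR_OPEN inside `window`.
    A DOOR_OPEN with no unconsumed recent grant at that door is a likely tailgate."""
    pending = defaultdict(list)   # door -> grant timestamps not yet matched to an opening
    tailgates = []
    for ts, door, event, _badge in events:
        if event == "GRANTED":
            pending[door].append(ts)
        elif event == "DOOR_OPEN":
            # discard grants too old to explain this opening, then consume the oldest live one
            pending[door] = [g for g in pending[door] if ts - g <= window]
            if pending[door]:
                pending[door].pop(0)
            else:
                tailgates.append((ts.isoformat(), door))
    return tailgates


def find_passback_violations(events, perimeter=PERIMETER_DOORS):
    """A badge granted at an inner door with no earlier perimeter grant that day
    almost certainly got past the perimeter by piggybacking."""
    inside = set()
    violations = []
    for ts, door, event, badge in events:
        if event != "GRANTED":
            continue
        if door in perimeter:
            inside.add(badge)
        elif badge not in inside:
            violations.append((ts.isoformat(), door, badge))
    return violations


def report(text):
    """Run both checks plus a list of badges that were denied, for follow-up."""
    events = parse_log(text)
    return {
        "tailgates": find_tailgates(events),
        "passback_violations": find_passback_violations(events),
        "denied": sorted({b for _, _, e, b in events if e == "DENIED"}),
    }


if __name__ == "__main__":
    for kind, items in report(SAMPLE_LOG).items():
        print(kind, items)
```

On the constructed log this reports one tailgate at the lobby turnstile (a second door opening with only one grant) and one anti-passback violation (E1003 badged into the server room without ever badging through the lobby). Real deployments usually get the anti-passback rule from the access-control system itself; the value of running it over exported logs is catching doors and badges that were never configured for it.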
Sure, come on in
During the Open Source Intelligence (OSINT) gathering phase of the assessment, and after performing some remote phishing and charming phone calls, we were able to gather a handful of domain credentials and user naming conventions, which happened to be the same as what LinkedIn shows, even without a professional account (last name, first initial), security policy information, badge details and some names to drop.
I pretended to badge in at the entrance. Once I was in the men’s bathroom, my partner said there were still employees leaving and he had kicked off some wireless scans (to see what was accessible outside the building). After the employees left, I stepped out of the bathroom and walked around the floor, browsing through files, taking pictures of sensitive information left in unlocked destruction bins and trash bins, I might add, beside several printers. I found a couple of untethered laptops (only took one) and the perfect cube to stash our device in. Why was this perfect? Because someone was on vacation and it appears that whoever occupied said cube had a little home router of his or her own connected. I unplugged it and replaced it with ours.
With our rogue access point in place and hidden behind some empty laptop bags beneath the desk, I made my way out of the building and to my partner’s location. Once in the vehicle, we both connected to the access point and DHCP allowed us to scan several ranges. We were able to compromise a few systems exploiting some known vulnerabilities and by using credentials that we had harvested from the remote portion of the assessment, dump some database tables and spend most of the night in front of dimly lit screens in the hotel parking lot hacking away.
Close the backdoor
Network access should be restricted utilizing methods like Network Access Control (NAC) and Rogue Access Point (AP) detection. This will help to prevent malicious drop boxes and networking devices from leaving a backdoor open into your network for further remote compromise.
It is great if employees are aware of tailgating, but it shouldn’t be as simple as a would-be attacker catching the door and going through the motion of swiping their badge. Pay attention to the reader’s authentication tone and indicator color, if technically feasible. Employees should not be offended or afraid to challenge each other when policy isn’t followed. Restricted-access doors should be carefully monitored where a time delay is needed (such as for an employee with a disability).
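The drop box in the story only worked because nothing noticed a new, uninventoried device taking a DHCP lease and a new access point appearing inside the building. The following is an added example, not part of the original article or any NAC product: a small triage script that compares DHCP leases against an asset inventory (the allowlist check a NAC would enforce at the port) and compares a Wi-Fi scan against the list of authorized corporate access points, flagging an unknown access point broadcasting the corporate SSID (an evil twin) and any unknown network whose signal is strong enough to be coming from inside the building. The lease lines (dnsmasq-style), scan results, MAC addresses, SSIDs, inventory and the -60 dBm proximity threshold are all constructed assumptions.

```python
"""Rogue-device and rogue-AP triage over DHCP leases and a Wi-Fi scan.

Added example; not the article's code. All MACs, SSIDs, leases and
inventories below are constructed (locally administered 02:... MACs).
"""
from collections import namedtuple

Lease = namedtuple("Lease", "mac ip hostname")
Finding = namedtuple("Finding", "kind identifier detail")

# Constructed dnsmasq-style lease lines: <expiry> <MAC> <IP> <hostname> <client-id>
DHCP_LEASES = """\
1457000000 02:00:00:00:00:01 10.20.1.21 fin-laptop-07 01:02:00:00:00:00:01
1457000120 02:00:00:00:00:02 10.20.1.22 fin-laptop-12 01:02:00:00:00:00:02
1457000300 02:00:00:00:00:03 10.20.1.57 * *
1457000400 02:00:00:00:00:04 10.20.1.58 netgear-home *
"""

# Constructed asset inventory (MAC -> asset tag); stands in for the NAC/CMDB source of truth
ASSET_INVENTORY = {
    "02:00:00:00:00:01": "LAP-0007",
    "02:00:00:00:00:02": "LAP-0012",
}

CORP_SSID = "CORP-WIFI"                                        # assumed corporate SSID
AUTHORIZED_BSSIDS = {"02:aa:00:00:00:01", "02:aa:00:00:00:02"}  # assumed corporate AP radios
NEARBY_DBM = -60   # assumed: stronger than this, the transmitter is almost certainly inside

# Constructed scan results: (ssid, bssid, channel, signal dBm)
WIFI_SCAN = [
    ("CORP-WIFI", "02:aa:00:00:00:01", 6, -48),    # authorized corporate AP
    ("CORP-WIFI", "02:aa:00:00:00:02", 11, -52),   # authorized corporate AP
    ("CORP-WIFI", "02:bb:00:00:00:09", 1, -40),    # corporate SSID, unknown radio
    ("NETGEAR42", "02:cc:00:00:00:07", 1, -45),    # unknown SSID, very strong signal
    ("CoffeeShop", "02:dd:00:00:00:03", 6, -85),   # weak, neighbouring building
]


def parse_leases(text):
    """Parse dnsmasq-style lease lines; hostname is '*' when the client sent none."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        leases.append(Lease(parts[1].lower(), parts[2], parts[3]))
    return leases


def unknown_dhcp_clients(leases, inventory=ASSET_INVENTORY):
    """Any lease held by a MAC that is not an inventoried asset is a rogue-device candidate."""
    return [Finding("unknown-dhcp-client", l.mac, f"{l.ip} hostname={l.hostname}")
            for l in leases if l.mac not in inventory]


def rogue_access_points(scan, corp_ssid=CORP_SSID, authorized=AUTHORIZED_BSSIDS,
                        nearby_dbm=NEARBY_DBM):
    """Flag evil twins (our SSID from a radio we do not own) and strong unknown networks."""
    findings = []
    for ssid, bssid, channel, signal in scan:
        bssid = bssid.lower()
        detail = f"{ssid} ch{channel} {signal} dBm"
        if ssid == corp_ssid and bssid not in authorized:
            findings.append(Finding("evil-twin", bssid, detail))
        elif ssid != corp_ssid and signal >= nearby_dbm:
            findings.append(Finding("nearby-unknown-ap", bssid, detail))
    return findings


def triage(lease_text=DHCP_LEASES, scan=WIFI_SCAN):
    """Combine both checks into one list of findings for the SOC to work."""
    return unknown_dhcp_clients(parse_leases(lease_text)) + rogue_access_points(scan)


if __name__ == "__main__":
    for f in triage():
        print(f"{f.kind:20} {f.identifier}  {f.detail}")
```

On the constructed input this yields four findings: two DHCP clients with no inventory record (one with no hostname at all, one announcing itself as a home router), one evil twin broadcasting the corporate SSID from an unknown radio, and one strong unknown network. A real NAC does the first check at the switch port before a lease is ever issued; the point of the script is the same allowlist logic applied to data most networks already have.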
Security outmatched by a smile
I piggybacked my way into the building and picked the lock to the executive office space. I saw that one of the VP’s office doors was open and the office was unoccupied. After a minute in the office, I heard the receptionist return to her desk outside of the VP office. I took a business card off the VP’s desk, noticing that the receptionist was looking in. With a smile I acknowledged her, “I am looking for John Doe. This is his office, right?”
“Yes, but he is in a meeting in the conference room. Did you have an appointment?”
“Kind of. I was supposed to install an encryption client on his laptop today. It would only take a moment.”
“Well, he should be back in about an hour or so. Would you be able to come back then?”
“I have a lot of systems to work on and I would like to go ahead and knock his out while I’m here. I will be heading back to corporate early tomorrow, and I still have a lot to do.”
“Well, let me ask him and see what he says.” She got up and made her way down the hall to the conference room. At this point, I could leave and risk compromising the engagement or gamble with luck.
A few minutes later, she returned and said, “He said that he put a ticket in for something like that, three weeks ago.” Concerned, I followed up with a sympathetic, “Yeah, we’ve been a little backed up; hence the time crunch. Could you let me get the serial number off the bottom of the laptop?” I asked. “I want at least some proof that I came by.” I then started to make my way to the office. Although hesitant, the receptionist followed, smiled, nodded, unmounted the laptop and handed it to me.
Good thing IT is backed up
I can’t stress enough how important a security culture is within a company, and how comprehensive a security awareness program should be. Social engineering is only one attack vector, but it is often the most dangerous, because it bypasses the investment in technical and physical security controls whenever an employee isn’t aware of the real dangers that have led, and continue to lead, to many compromises.
Price hike clearly didn’t make anyone blink
Microsoft today sold out its Build developers conference in about a minute, the company said.
“Last year we sold out in 20 minutes and in 1 minute this year. Sorry for everyone can’t attend in person,” tweeted Steven Guggenheimer, the executive who leads Microsoft’s developer evangelism group.
Ticket sales opened today at 9 a.m. PT (noon ET), with prices $100 higher (a 5% increase) than in recent years.
The almost-instant sell-out was the fastest in Build’s history. Microsoft exhausted its ticket supply in about 24 hours and 31 hours in 2013 and 2014, respectively, and as Guggenheimer noted, in under an hour last year.
Unlike at past iterations, this year’s Build will not feature Oprah-like product giveaways. “This year, we will forgo hardware in favor of delivering a deeper technical experience for developers,” Microsoft said on the page where out-of-luck developers can add their names to a waiting list.
Last year, attendees received a free HP notebook; in 2012, they got a free Surface RT tablet and a Nokia Lumia 920 smartphone. The Surface RT line has been discontinued.
If Microsoft follows past practice, it will live stream Build’s opening keynote to all comers, and do the same for select sessions on its Channel 9 site. Other sessions will likely be available on-demand a day or so after they’re held.
The firm has yet to disclose a session schedule for Build 2016; like most of its predecessors, it will take place in San Francisco’s Moscone Center.
Build 2016 will run March 30-April 1, with the keynote — typically a two-hours-plus marathon — starting at 8:30 a.m. PT (11:30 a.m. ET) on Wednesday, March 30.
In the high-stakes world of high tech, a subtle look can be enough to know it’s time to jump ship to a new gig
10 signs layoffs are coming for your job next
The signs are usually hiding in plain sight. Your boss doesn’t give you the time of day anymore. Large groups of people go out for lunch — then never come back. The company stock takes a nosedive.
When these things start to happen, it may be time to grab a life jacket and head for the nearest escape raft. Yes, the boat is sinking and about to take you with it.
Don’t go down with the ship. Downsizing and layoffs aren’t a laughing matter for those who suddenly find themselves without a paycheck. But many companies have become a parody of themselves in how they handle such monumental changes. That’s why we decided to have a little fun at their expense. Hopefully if you’ve experienced a layoff yourself, this will give you a laugh, too.
Here’s our take on the signs you should watch out for. If nothing else, you may know what the problem is if your email suddenly doesn’t work.
Co-workers simply … disappear
Weren’t Devin and Susie simply making a run for the nearby food truck? That’s what you thought — but that was Tuesday. Today is Friday. Yes, right before the layoffs begin, you might notice a slow drip of people who peace out for good. Usually it means that something is up, and for some reason others are privy to the details. Time to ask around and find out if you should be the next one to check out one of the mysterious taco trucks.
Big company meeting, little advance notice
The dreaded all-hands meeting — as you might have guessed, a lot of things that aren’t all that good come from it. It could be a new product rollout. Or it could be the word you haven’t been waiting for: you and your colleagues don’t work there anymore. If you get an invite to an “all hands on deck” meeting, maybe you want to have one foot out the door just in case.
The company bus careers right by
You show up to work as normal, coffee in hand and ready to get some work done on the company bus. You see it coming. You make sure your bag is adjusted, laptop in hand.
Then, there it goes. Yes, the company bus has blown by you. Sure, this scenario may be a little far-fetched, but with the way that some companies treat those whom they unceremoniously dump, is it really so unlikely? It might be worth taking the train or walking to the office the next few days if there are any signs of this unsavory behavior.
You start getting strange looks
Maybe you’ve noticed something different about the way your boss looks at you. Their eyes tend to glance off into another direction. You approach him or her with a question, and instead of answering, they suddenly have a phone call or a meeting to run off to. You’re getting the cold shoulder. Was it something you said? A reflection on your performance? Nope, it’s the look of someone who knows too much.
That (dreaded) meeting is cancelled
You likely aren’t thrilled by the weekly calendar invite to the team planning meeting. Before you rejoice that you’ve avoided the most boring part of your week, consider another scenario: It’s cancelled because there’s no one to attend. Companies tend to slack off right before a major cull, so be wary if your schedule suddenly frees up because all those riveting meetings are canceled.
The mood swings low, low, low
Company morale often ebbs and flows. But you may want to pay particular attention to things if there’s a longer, widespread depression spell. You know the feeling — everyone looks around like they’re an extra in “The Walking Dead.” No one chats around their desks or the time-honored water cooler. If you see such symptoms, ask around and see if there’s more to it. This way you don’t have to show up one day to an empty office.
Suspicious training assignment
It may sound innocent enough. A fresh face arrives in the office, and you’re assigned to show them how things work. All goes well until you realize they have the same title and responsibilities as you. Yep, you’re training your replacement. It happens, so be a bit wary about that next eager hire who gets a little too comfy at your desk.
It’s often best to avoid rumors, but sometimes you have to pay attention so that you aren’t left out of the loop when it comes to a potential merger. Yes, usually before a company is acquired by another there is some type of scuttlebutt that leaks out. Listen to those who engage in such nefarious talk or implore you to keep information on the down low. This may be your tip that it’s time to dust off the résumé and hit the pavement for a new gig.
Your company’s stock price upends
If you work at a publicly traded company, keeping investors happy is a major part of success. Investors are like your mama: If she’s not happy, ain’t nobody happy. Just like what happened with Twitter, when the stock tanks and numbers (in this case user growth) aren’t good, then get ready to see fewer co-workers around. If things are heading south, perhaps you should be heading out.
The box of shame
Most businesses love Dropbox. It holds onto what you want and is easy to use. Unfortunately, there’s another beloved storage tool that fits the bill: a cardboard box. If you see such a contraption on your desk, you’re probably about to be sent packing. Gathering your stuff and heading out the door is the office equivalent of the walk of shame. The best you can do is to get through it. But at least you’ll have a new toy for your cat.
In major metropolitan areas and smaller cities alike, governments are adopting software-defined networking (SDN) and network function virtualization (NFV) to deliver the agility and flexibility needed to support adoption of “smart” technologies that enhance the livability, workability and sustainability of their towns.
Today there are billions of devices and sensors being deployed that can automatically collect data on everything from traffic to weather, to energy usage, water consumption, carbon dioxide levels and more. Once collected, the data has to be aggregated and transported to stakeholders where it is stored, organized and analyzed to understand what’s happening and what’s likely to happen in the future.
There’s a seemingly endless list of potential benefits. Transportation departments can make informed decisions to alleviate traffic jams. Sources of water leaks can be pinpointed and proactive repairs scheduled. Smart payments can be made across city agencies, allowing citizens to complete official payments quickly and reducing the government employee time needed to facilitate such transactions. And even public safety can be improved by using automated surveillance to help police watch high-crime hotspots.
Of particular interest is how healthcare services can be improved. There is already a push to adopt more efficient and effective digital technology management systems to better store, secure and retrieve huge amounts of patient data. Going a step further, a smart city is better equipped to support telemedicine innovations that require the highest quality, uninterrupted network service. Telesurgery, for example, could allow for specialized surgeons to help local surgeons perform emergency procedures from remote locations — the reduction of wait time before surgery can save numerous lives in emergency situations, and can help cities and their hospital systems attract the brightest minds in medical research and practice.
The smart city of today
While the smart city is expected to become the norm, examples exist today. Barcelona is recognized for environmental initiatives (such as electric vehicles and bus networks), city-wide free Wi-Fi, smart parking, and many more programs, all of which benefit from smart city initiatives. With a population of 1.6 million citizens, Barcelona shows that smart city technologies can be implemented regardless of city size.
But even smaller cities are benefiting from going “smart.” In 2013 Cherry Hill, New Jersey, with a population of only 71,000, began using a web-based data management tool along with smart sensors to track the way electricity, water, fuel and consumables are being utilized, then compared usage between municipal facilities to identify ways to be more efficient. Chattanooga, Tennessee, population 170,000, along with its investment to provide the fastest Internet service in the U.S., has recently begun developing smart city solutions for education, healthcare and public safety.
How do cities become smart? The most immediate need is to converge the disparate communications networks run by various agencies to ensure seamless connectivity. To achieve this, packet-optical connectivity is proving critical, thanks largely to the flexibility and cost advantages it provides. Atop the packet-optical foundation sits the technology that enables NFV and the applications running on COTS (commercial off-the-shelf) equipment in some form of virtualized environment. SDN and NFV allow for the quick, virtual deployment of services to support multiple data traffic and priority types, as well as the increasingly unpredictable data flows of IoT.
Decoupling network functions from the hardware means that architectures can be more easily tweaked as IoT requirements change. Also, SDN and NFV can yield a more agile service provision process by dynamically defining the network that connects the IoT end devices to back-end data centers or cloud services.
The dynamic nature of monitoring end-points, location, and scale will require SDN so that networks can be programmable and reconfigured to accommodate moving workloads. Take, for example, allocating bandwidth to a stadium for better streaming performance of an event as the number of users watching remotely on-demand goes up—this sort of dynamic network-on-demand capability is enabled by SDN. Additionally, NFV can play a key role where many of the monitoring points that make the city “smart” are actually not purpose-built hardware-centric solutions, but rather software-based solutions that can be run on-demand.
With virtual network functions (VNF), the network can react in a more agile manner as the municipality requires. This is particularly important because the network underlying the smart city must be able to extract high levels of contextual insight through real-time analytics conducted on extremely large datasets if systems are to be able to problem-solve in real-time; for example, automatically diverting traffic away from a street where a traffic incident has taken place.
SDN and NFV may enable the load balancing, service chaining and bandwidth calendaring needed to manage networks that are unprecedented in scale. In addition, SDN and NFV can ensure network-level data security and protection against intrusions – which is critical given the near-impossible task of securing the numerous sensor and device end points in smart city environments.
Smart city business models
In their smart city initiatives, cities large and small are addressing issues regarding planning, infrastructure, systems operations, citizen engagement, data sharing, and more. The scale might vary, but all are trying to converge networks in order to provide better services to citizens in an era of shrinking budgets. As such, the decision on how to go about making this a reality is important. There are four major smart city business models to consider, as defined by analysts at Frost & Sullivan (“Global Smart City Market a $1.5T Growth Opportunity In 2020”):
Build Own Operate (BOO): In a BOO model, municipalities own, control, and independently build the city infrastructure needed, and deliver the smart city services themselves. Both operation and maintenance of these services are under the municipality’s control, often headed up by their city planner.
Build Operate Transfer (BOT): Whereas in a BOO model the municipality is always in charge of the operation and management of smart city services, in a BOT model that is only the case after an initial period – the smart city infrastructure building and initial service operation are first handled by a trusted partner appointed by the city planner. Then, once all is built and in motion, operation is handed back over to the city.
Open Business Model (OBM): In an OBM model, the city planner is open to any qualified company building city infrastructure and providing smart city services, so long as they stay within set guidelines and regulations.
Build Operate Manage (BOM): Finally, there is the BOM model, under which the majority of smart city projects are likely to fall. In this model, the smart city planner appoints a trusted partner to develop the city infrastructure and services. The city planner then has no further role beyond the appointment – the partner is in charge of operating and managing smart city services.
SDN and NFV: The keys to the (smart) city
With the appropriate business model in place and the network foundation laid out, the technology needs to be implemented to enable virtualization. Virtualized applications allow for the flexibility of numerous data types, and the scalability to transport huge amounts of data the city aims to use in its analysis.
SDN and NFV reduce the hardware, power, and space requirements to deploy network functions through the use of industry-standard high-volume servers, switches and storage; they make network applications portable and upgradeable with software; and they give cities of all sizes the agility and scalability to tackle the needs and trends of the future as they arise. Like the brain’s neural pathways throughout a body, SDN and NFV are essential in making the smart city and its networks connect and talk to each other in a meaningful way.
How should the enterprise address the growing adoption of wearables?
The Internet of Things and wearable technology are becoming more integrated into our everyday lives. If you haven’t already, now is the time to begin planning for their security implications in the enterprise.
According to research firm IHS Technology, more than 200 million wearables will be in use by 2018. That’s 200 million more chances of a security issue within your organization. If that number doesn’t startle you, Gartner further predicts that 30% of these devices will be invisible to the eye. Devices like smart contact lenses and smart jewelry will be making their way into your workplace. Will you be ready to keep them secure even if you can’t see them?
According to TechTarget, “Although there haven’t been any major publicized attacks involving wearables yet, as the technology becomes more widely incorporated into business environments and processes, hackers will no doubt look to access the data wearables hold or use them as an entry point into a corporate network.”
While it’s true that IT cannot possibly be prepared for every potential risk, as an industry we need to do a better job of assessing risks before an attack happens. This includes being prepared for new devices and trends that will pose all new risks for our organizations.
How many of us read the news about a new data breach practically every day and have still yet to improve security measures within our own organizations? If you’re thinking “guilty,” you’re not alone. Organizational change can’t always happen overnight, but we can’t take our eyes off the ball either.
In a 2014 report, 86% of respondents expressed concern for wearables increasing the risk of data security breaches. IT Business Edge suggests, “With enterprise-sensitive information now being transferred from wrist to wrist, businesses should prepare early and create security policies and procedures regarding the use of wearables within the enterprise.” Updating policies is a smart move, but the hard part is anticipating the nature and use of these new devices and then following through with implementing procedures to address them. It seems it may be easier said than done.
We all know that wearables pose security challenges, but how do IT departments begin to address them? This can be especially challenging considering that some of the security risks lie on the device manufacturers rather than the teams responsible for securing the enterprise network the technology is connected to. Many wearables have the ability to store data locally without encryption, PIN protection, or user-authentication features, meaning that if the device is lost or stolen, anyone could potentially access the information.
Beyond the data breach threat of sensitive information being accessed by the wrong hands, wearables take it a step further by providing discreet access for people to use audio or video surveillance to capture sensitive information. Is someone on your own team capturing confidential information with their smartwatch? You may not realize it’s happening until it’s too late.
How can we effectively provide security on devices that appear insecure by design? It seems the safest option is to ban all wearables in the enterprise – there are too many risks associated with them, many of which seemingly cannot be controlled. If this thought has crossed your mind, I may have bad news for you. This isn’t really an option for most organizations, especially those looking to stay current in today’s fast-paced society. TechTarget’s Michael Cobb explains, “Banning wearable technology outright may well drive employees from shadow IT to rogue IT – which is much harder to deal with.”
If the threat of rogue IT isn’t enough to convince you, also consider that there may very well be real benefits of wearables for your organization. According to Forrester, the industries that will likely benefit from this technology in the short term are healthcare, retail, and public safety organizations. As an example in the healthcare field, Forrester suggests that “the ability of biometric sensors to continually monitor various health stats, such as blood glucose, blood pressure and sleep patterns, and then send them regularly to healthcare organizations for monitoring could transform health reporting.” There are many examples for other industries, and the market continues to evolve every day.
It all boils down to this: enterprise wearables present a classic case of risk versus reward. We know there are many security risks, but are the potential rewards great enough to make the risks worthwhile? This answer may vary based on your industry and organization, but chances are there are many real business opportunities that can come from wearable technology.
If you haven’t already, it’s time to start talking with your teams about what those opportunities are and the best ways to ease the associated risks. As we all know, the technology will move forward with or without us and the ones who can effectively adapt will be the ones who succeed. It’s our job to make sure our organizations are on the right side of that equation.
Object lessons from infamous 2005 Sony BMG rootkit security/privacy incident are many — and Sony’s still paying a price for its ham-handed DRM overreach today.
Hackers really have had their way with Sony over the past year, taking down its Playstation Network last Christmas Day and creating an international incident by exposing confidential data from Sony Pictures Entertainment in response to The Interview comedy about a planned assassination on North Korea’s leader. Some say all this is karmic payback for what’s become known as a seminal moment in malware history: Sony BMG sneaking rootkits into music CDs 10 years ago in the name of digital rights management.
“In a sense, it was the first thing Sony did that made hackers love to hate them,” says Bruce Schneier, CTO for incident response platform provider Resilient Systems in Cambridge, Mass.
Mikko Hypponen, chief research officer at F-Secure, the Helsinki-based security company that was an early critic of Sony’s actions, adds:
“Because of stunts like the music rootkit and suing Playstation jailbreakers and emulator makers, Sony is an easy company to hate for many. I guess one lesson here is that you really don’t want to make yourself a target.
“When protecting its own data, copyrights, money, margins and power, Sony does a great job. Customer data? Not so great,” says Hypponen, whose company tried to get Sony BMG to address the rootkit problem before word of the invasive software went public. “So, better safe than Sony.”
The Sony BMG scandal unfolded in late 2005 after the company (now Sony Music Entertainment) secretly installed Extended Copy Protection (XCP) and MediaMax CD-3 software on millions of music discs to keep buyers from burning copies of the CDs via their computers and to inform Sony BMG about what these customers were up to. The software, which proved undetectable by anti-virus and anti-spyware programs, opened the door for other malware to infiltrate Windows PCs unseen as well. (As if the buyers of CDs featuring music from the likes of Celine Dion and Ricky Martin weren’t already being punished enough.)
The Sony rootkit became something of a cultural phenomenon. It wound up as a punch line in comic strips like Fox Trot, it became a custom T-shirt logo and even was the subject of class skits shared on YouTube. Mac fanboys and fangirls smirked on the sidelines.
Security researcher Dan Kaminsky estimated that the Sony rootkit made its mark on hundreds of thousands of networks in dozens of countries – so this wasn’t just a consumer issue, but an enterprise network one as well.
Once Winternals security researcher Mark Russinovich — who has risen to CTO for Microsoft Azure after Microsoft snapped up Winternals in 2006 — exposed the rootkit on Halloween of 2005, all hell broke loose.
Sony BMG botched its initial response: “Most people don’t even know what a rootkit is, so why should they care about it?” went the infamous quote from Thomas Hesse, then president of Sony BMG’s Global Digital Business. The company recalled products, issued and re-issued rootkit removal tools, and settled lawsuits with a number of states, the Federal Trade Commission and the Electronic Frontier Foundation.
Microsoft and security vendors were also chastised for their relative silence and slow response regarding the rootkit and malware threat. In later years, debate emerged over how the term “rootkit” should be defined, and whether intent to maliciously seize control of a user’s system should be at the heart of it.
In looking back at the incident now, the question arises about how such a privacy and security affront would be handled these days by everyone from the government to customers to vendors.
“In theory, the Federal Trade Commission would have more authority to go after [Sony BMG] since the FTC’s use of its section 5 power has been upheld by the courts,” says Scott Bradner, University Technology Security Officer at Harvard. “The FTC could easily see the installation of an undisclosed rootkit as fitting its definition of unfair competitive practices.”
Bill Bonney, principal consulting analyst with new research and consulting firm TechVision Research, says he can’t speak to how the law might protect consumers from a modern day Sony BMG rootkit, but “with the backlash we have seen for all types of non-transparent ways (spying, exploiting, etc.) companies are dealing with their customers, I think in the court of public opinion the response could be pretty substantial and, as happened recently with the EU acting (theoretically) because of [the NSA’s PRISM program], if the issue is egregious enough there could be legal or regulatory consequences.”
As for how customers might react today, we’ve all seen how quickly people turn to social media to take companies to task for any product or service shortcoming or any business shenanigans. Look no further than Lenovo, which earlier this year got a strong dose of negative customer reaction when it admittedly screwed up by pre-loading Superfish crapware onto laptops. That software injected product recommendations into search results and opened a serious security hole by interfering with SSL-encrypted Web traffic.
In terms of how security vendors now fare at spotting malware or other unsavory software, Schneier says “There’s always been that tension, even now with stuff the NSA and FBI does, about how this stuff is classified. I think [the vendors] are getting better, but they’re still not perfect… It’s hard to know what they still let by.”
Noted tech activist Cory Doctorow, writing for Boing Boing earlier this month, explains that some vendors had their reasons for not exposing the Sony rootkit right away. “Russinovich was not the first researcher to discover the Sony Rootkit, just the first researcher to blow the whistle on it. The other researchers were advised by their lawyers that any report on the rootkit would violate section 1201 of the DMCA, a 1998 law that prohibits removing ‘copyright protection’ software. The gap between discovery and reporting gave the infection a long time to spread.”
Reasons for hope though include recent revelations by the likes of Malwarebytes, which warned users that a malicious variety of adware dubbed eFast was hijacking the Chrome browser and replacing it, by becoming the default browser associated with common file types like jpeg and html.
Schneier says it’s important that some of the more prominent security and anti-virus companies — from Kaspersky in Russia to F-Secure in Finland to Symantec in the United States to Panda Security in Spain — are spread across the globe given that shady software practices such as the spread of rootkits are now often the work of governments.
“You have enough government diversity that if you have one company deliberately not finding something, then others will,” says Schneier, who wrote eloquently about the Sony BMG affair for Wired.com back in 2005.
The non-profit Free Software Foundation Europe (FSFE) has been calling attention to the Sony BMG rootkit’s 10th anniversary, urging the masses to “Make some noise and write about this fiasco” involving DRM. The FSFE, seeing DRM as an anti-competitive practice, refers to the words behind the acronym as digital restriction management rather than the more common digital rights management.
Even worse, as the recent scandal involving VW’s emissions test circumvention software shows, is that businesses are still using secret software to their advantage without necessarily caring about the broader implications.
The object lessons from the Sony BMG scandal are many, and might be of interest to those arguing to build encryption backdoors into products for legitimate purposes but that might be turned into exploitable vulnerabilities.
One basic lesson is that you shouldn’t mimic the bad behavior that you’re ostensibly standing against, as Sony BMG did “in at least appearing to violate the licensing terms of the PC manufacturers” TechVision’s Bonney says.
And yes, there is a warning from the Sony BMG episode “not to weaponize your own products. You are inviting a response,” he says.
95% of all firewall breaches are caused by misconfiguration. Here’s how to address the core problems
Firewalls are an essential part of network security, yet Gartner says 95% of all firewall breaches are caused by misconfiguration. In my work I come across many firewall configuration mistakes, most of which are easily avoidable. Here are five simple steps that can help you optimize your settings:
* Set specific policy configurations with minimum privilege. Firewalls are often installed with broad filtering policies, allowing traffic from any source to any destination. This is because the Network Operations team doesn’t know exactly what is needed, so they start with this broad rule and intend to work backwards. However, the reality is that, due to time pressures or simply not regarding it as a priority, they never get round to defining the firewall policies, leaving your network in this perpetually exposed state.
You should follow the principle of least privilege – that is, give the minimum level of privilege the user or service needs to function normally, thereby limiting the potential damage caused by a breach. You should also document properly – ideally mapping out the flows that your applications actually require before granting access. It’s also a good idea to regularly revisit your firewall policies to look at application usage trends and identify new applications being used on the network and what connectivity they actually require.
* Only run required services. All too often I find companies running firewall services that they either don’t need or are no longer used, such as dynamic routing, which typically should not be enabled on security devices as best practice, and “rogue” DHCP servers on the network distributing IPs, which can potentially lead to availability issues as a result of IP conflicts. It’s also surprising to see the number of devices that are still managed using unencrypted protocols like Telnet, despite the protocol being over 30 years old.
The solution is to harden devices and ensure that configurations are compliant before devices are promoted into production environments. This is something a lot of organizations struggle with. By configuring your devices based on the function that you actually want them to fulfil and following the principle of least privileged access – before deployment – you will improve security and reduce the chances of accidentally leaving a risky service running on your firewall.
* Standardize authentication mechanisms. During my work, I often find organizations that use routers that don’t follow the enterprise standard for authentication. One example I encountered is a large bank that had all the devices in its primary data centers controlled by a central authentication mechanism, but did not use the same mechanism at its remote office. By not enforcing corporate authentication standards, staff in the remote branch could access local accounts with weak passwords, and had a different limit on login failures before account lockout.
This scenario reduces security and creates more opportunities for attackers, as it’s easier for them to access the corporate network via the remote office. Enterprises should therefore ensure that any remote offices they have follow the same central authentication mechanism as the rest of the company.
* Use the right security controls for test data. Organizations tend to have good governance stating that test systems should not connect to production systems and collect production data, but this is often not enforced because the people who are working in testing see production data as the most accurate way to test. However, when you allow test systems to collect data from production, you’re likely to be bringing that data down into an environment with a lower level of security. That data could be highly sensitive, and it could also be subject to regulatory compliance. So if you do use production data in a test environment, make sure that you use the correct security controls required by the classification the data falls into.
* Always log security outputs. While logging properly can be expensive, the costs of being breached or not being able to trace the attack are far higher. Failing to store the log output from your security devices, or not doing so with enough granularity, is one of the worst things you can do in terms of network security: not only will you not be alerted when you’re under attack, but you’ll have little or no traceability when you’re carrying out your post-breach investigation. By ensuring that all outputs from security devices are logged correctly, organizations will not only save time and money further down the line but will also enhance security by being able to properly monitor what is happening on their networks.
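As an added, defender-side example that is not part of the original article, the following Python script checks a constructed, vendor-neutral description of a firewall against the five points above: any-to-any allow rules, unneeded services and plaintext management protocols, non-standard authentication and lockout settings, test devices reaching production zones, and rules that do not log. The device fields, rule names, hostnames and the lockout standard of 5 are assumptions made for illustration, not any vendor's configuration syntax.

```python
# Added example (not from the article): audit a constructed, vendor-neutral
# description of a firewall for the five misconfigurations discussed above.
# All field names, hostnames and the lockout standard are assumptions.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Rule:
    name: str
    src: str            # "any" or a zone/CIDR label
    dst: str            # "any" or a zone/CIDR label
    service: str        # "any" or a service label such as "tcp/443"
    action: str         # "allow" or "deny"
    log: bool = False   # whether matches on this rule are logged


@dataclass
class Device:
    hostname: str
    environment: str              # "prod" or "test"
    rules: List[Rule]
    enabled_services: List[str]   # daemons running on the firewall itself
    mgmt_protocols: List[str]     # how administrators reach the device
    auth: str                     # "central" (RADIUS/TACACS+/LDAP) or "local"
    lockout_threshold: int        # failed logins before the account locks


# Step 2: services that should not be running on a security device.
RISKY_SERVICES = {"dhcp-server", "rip", "ospf", "bgp"}
# Step 2: management protocols that carry credentials in the clear.
PLAINTEXT_MGMT = {"telnet", "http", "snmpv1", "snmpv2c"}
# Step 3: the enterprise-wide lockout standard we check against (assumed value).
STANDARD_LOCKOUT = 5

Finding = Tuple[str, str, str]   # (check, affected object, description)


def audit_device(dev: Device) -> List[Finding]:
    findings: List[Finding] = []
    for r in dev.rules:
        # Step 1: least privilege. Flag allow rules that permit any source to
        # any destination, or any service, which is how firewalls are often
        # left after a "temporary" broad install-time policy.
        if r.action == "allow" and ((r.src == "any" and r.dst == "any") or r.service == "any"):
            findings.append(("least-privilege", r.name,
                             f"permits {r.src} -> {r.dst} on {r.service}"))
        # Step 5: every rule, allow or deny, should produce a log record.
        if not r.log:
            findings.append(("logging", r.name, "rule does not log matches"))
    # Step 2: only run required services; manage the device over encrypted protocols.
    for svc in dev.enabled_services:
        if svc in RISKY_SERVICES:
            findings.append(("unneeded-service", svc, "should not be enabled on a security device"))
    for proto in dev.mgmt_protocols:
        if proto in PLAINTEXT_MGMT:
            findings.append(("plaintext-management", proto, "credentials and sessions are unencrypted"))
    # Step 3: the remote office must follow the same authentication standard.
    if dev.auth != "central":
        findings.append(("authentication", dev.hostname,
                         "uses local accounts instead of central authentication"))
    if dev.lockout_threshold > STANDARD_LOCKOUT:
        findings.append(("authentication", dev.hostname,
                         f"lockout after {dev.lockout_threshold} failures exceeds standard {STANDARD_LOCKOUT}"))
    # Step 4: a test-environment device should not be allowed to reach production zones.
    if dev.environment == "test":
        for r in dev.rules:
            if r.action == "allow" and r.dst.startswith("prod-"):
                findings.append(("test-data", r.name,
                                 f"test device allowed to reach production zone {r.dst}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per check so a report can be compared across devices."""
    return dict(Counter(check for check, _, _ in findings))


# Constructed sample: a remote-office firewall of the kind described in step 3.
REMOTE_OFFICE = Device(
    hostname="fw-branch-01",
    environment="prod",
    rules=[
        Rule("default-permit", "any", "any", "any", "allow", log=False),
        Rule("web-out", "lan", "internet", "tcp/443", "allow", log=True),
        Rule("deny-all", "any", "any", "any", "deny", log=True),
    ],
    enabled_services=["ssh", "dhcp-server", "ospf"],
    mgmt_protocols=["telnet", "ssh"],
    auth="local",
    lockout_threshold=10,
)

if __name__ == "__main__":
    for check, obj, desc in audit_device(REMOTE_OFFICE):
        print(f"[{check}] {obj}: {desc}")
    print(summarize(audit_device(REMOTE_OFFICE)))
```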
Enterprises need to continuously monitor the state of their firewall security, but by following these simple steps businesses can avoid some of the core misconfigurations and improve their overall security posture.
Younger IT workers are increasingly choosing independence over full-time employment. Is the ‘open talent economy’ right for you too? Three 20- and 30-somethings share their experiences.
Call it what you will — the “open talent economy,” “freelancing,” the “gig economy,” “contracting” — working for yourself is having a moment, particularly in high tech.
Once upon a time, IT pros went freelance only when driven there by circumstances like a bad economy, a layoff or an overabundance of their particular skill set. Or they turned to consulting in the sunset of their careers, tired of cubicle farms and long commutes. Now, millennials, who this year became the largest proportion of the labor force, are leading the charge to change the tech industry’s perception of self-employment.
It’s common knowledge that the cohort of workers 35 and under prefer a flexible, DIY workstyle, using their personal mobile devices to communicate and work from anywhere at any time. What’s not so commonly known, however, is that some millennials — some say it’s a growing number — are eschewing traditional employment altogether to work as independents.
“A large number of millennials are choosing a different path in terms of what they want in their professional life,” says Alisia Genzler, executive vice president at Randstad Technologies, a high-tech talent and solutions company. “We are seeing more and more of them choose freelancing and contract work over traditional jobs, more so than in previous generations.”
Millennials came of age and graduated from college during the Great Recession, many saddled with debt and unable to find a job. While some eventually made their way into the corporate workforce, others stayed independent, either by choice or by circumstance. “We now have a generation of workers who never had full-time jobs,” says Can Erbil, an economics professor at Boston College who studies the labor market. “That is not the exception but more the norm for them.” What’s more, millennials grew up in an educational environment that stressed project-oriented work, he adds, so short-term sprints are a natural cadence for them.
The recession also taught millennials that a traditional job and long-term loyalty to an employer don’t necessarily mean security. “A lot of them look at their parents who had jobs with one company for a long time, only to be laid off, so [millennials] want to keep their options open,” says John Reed, senior executive director at Robert Half Technology.
And benefits are increasingly becoming decoupled from employers — with the Affordable Care Act guaranteeing individual access to health insurance, workers don’t have to be on a payroll to be covered. In fact, according to an article in Money magazine, only 31% of college graduates last year received employer-provided health insurance, compared to 53% in 2000.
High tech is gig-friendly
Millennials may be blazing the path, but freelancing is an option that can work for employees at any age, proponents argue. A 2014 study found that 53 million U.S. workers were freelancing to some extent — that’s 34% of the workforce. Millennials were the largest group of survey respondents who said they were freelancing, at 38%, according to the report, which was commissioned by Freelancers Union and Elance-oDesk, the freelance marketplace platform now called Upwork. But 32% of those over 35 likewise indicated they were working independently.
Daniel Masata, senior vice president at staffing and recruitment firm Adecco Engineering & Technology, says he’s seeing the trend across all age groups. Baby Boomers, for example, might freelance to keep their hand in or supplement retirement income. Gen-Xers may have been laid off during the last recession and either had difficulty getting rehired or just decided to go independent. Ten years ago, 75% of candidates for technology jobs were seeking full-time employment, Masata estimates. Today, it’s only about 50%.
The high-tech industry is particularly well-suited to the gig economy. The software development cycle, for example, has become well-defined and compartmentalized, making it easier to farm out, says Andrew Liakopoulos, principal within the human capital practice at Deloitte Consulting and an expert on what Deloitte calls the “open talent economy.”
In fact, IT is one of the first markets where Deloitte noticed the freelancing trend. “The millennials were the ones who, after being forced into [freelancing], actually have used what was happening in the macro environment to their advantage,” says Liakopoulos. “And IT was the first occupation where we saw them doing it.”
To discover what impact the gig economy might have on tech employees of any age, Computerworld sought out millennials who are working independently. Some are freelancing indefinitely, some are using freelancing as a stepping stone to a better job, and some of them say they are committed to contract work for their entire careers. Although freelancing has its downsides, specifically the risk of not finding enough good-paying work and the lack of benefits like paid time off and company-subsidized healthcare, all say their experience as independent workers offers many advantages.
Read on to hear their stories and determine whether gig work might be right for you.
Rejecting perfectly good jobs (at Microsoft!)
Erik Kennedy joined Microsoft as a program manager straight out of school after graduating in 2010 from Olin College of Engineering with a bachelor’s in electrical and computer engineering. But at age 25, after three years with the company, he decided to strike out on his own.
UI/UX programmer Erik Kennedy says he makes money at about the same rate as when he worked at Microsoft, but as a freelancer, he’s able to take significant time off for travel.
Although Microsoft was a good employer, Kennedy says, he felt stifled by the atmosphere of a large company. He wanted to pick his own projects. “Hypothetically, my boss’s boss’s boss’s boss’s boss could make a decision that could affect what I did on a day-to-day basis,” he explains. “I wanted a little more freedom and was willing to take a little more risk.”
The inherent insecurity of freelancing means that it’s not suitable for everyone, says Kennedy. “You kind of ‘lose your job’ every two to six months” as projects turn over, he says. “If you can handle that, then it’s a great deal.”
The area in which Kennedy specializes — UI/UX (user interface, user experience) — is in high demand, which lessens his risk. Based in the Seattle area, Kennedy works mostly for startups and nonprofits, with a few name-brand technology companies like Amazon in the mix for variety.
So far, two and a half years in, Kennedy’s been happy with his decision. “I make money at about the same rate [as I did at Microsoft], but I’ve taken off more time for travel since becoming a freelancer,” he says. He even got married last year, after which he and his bride travelled the world for eight months. “It’s such a millennial thing to do, and we would have never been able to do that if I had a full-time job,” says Kennedy.
Paying off the mortgage — in your 30s
Steven Boyd, 33, went freelance in 2011 after working as a developer in a series of full-time jobs. At one employer he learned SketchFlow, a part of Microsoft’s Visual Studio, and now specializes in it. “At first I was scared” to go independent, Boyd admits. “I felt that I needed that stability you get from a full-time permanent position.” But then he realized that security was an illusion. One startup where he worked couldn’t make its payroll one month. He was tired of being assigned projects, rather than choosing his own, and felt underappreciated.
SketchFlow developer Steven Boyd feels more appreciated as an independent contractor — and he’s paid off the mortgage on the family home.
Today, he picks his own projects and clients (which range from large corporations to startups and nonprofits), works when he wants to and by his estimation is financially secure. In fact, he makes much more money than he did at his previous positions, which topped out at $110,000 a year. “And I had to really negotiate hard for that.” In 2013, he made close to $250,000, but “worked way too much,” he says. In 2014, he scaled back to working 30 hours a week and still earned $180,000.
He’s paid off the mortgage on the family home in the Denver area, bought several rental properties and started a scholarship fund at his alma mater, Colorado State University, to encourage minority students to pursue computer science. “To be able to amass that sort of money in such a short period of time would be nearly impossible as a full-time employee,” he notes.
He doesn’t miss the benefits; his wife works full-time and so provides health insurance for him and their four-year-old son. Nor does he miss paid vacations — saying he never took them anyway — but relishes having the flexibility to take big chunks of time off when life requires it. Recently, for example, Boyd took a hiatus to care for his son for three months while their babysitter recovered from surgery.
Both Kennedy and Boyd recommend working a few years at a traditional job before trying freelancing. “I couldn’t see someone coming straight out of school and being successfully independent,” says Boyd. “It takes a while to learn how to deal with people and different types of scenarios.” By working a traditional job first, Kennedy says, he built up a good network that he could tap for business when he went solo.
Keeping skills sharp
Independent work can be as valuable to long-term career growth as a technical degree, says Katy Tynan, author of the book Free Agent: The Independent Professional’s Roadmap to Self-Employment Success. That’s because freelancers are typically required to pick up new skills quickly, says Tynan, who worked in IT for 15 years. Staying at a traditional IT job for years can cause employees to lose relevance, she says. “Things tend to stay the same within an organization; you don’t have to rapidly learn new things.”
In many enterprise shops, “You have to jump through all sorts of hoops just to learn a new technology,” says Ron Pastore, 35, who made the switch to freelancing two years ago. “You end up molded into what they need you to be, and then if they don’t need you anymore, you’re out there in the market with limited skills,” he says.
Software engineer Ron Pastore works primarily with startups — for a reduced rate plus equity. “Going back to traditional employment would be my worst-case scenario,” he says.
Pastore has no college degree, but excelled in programming at an early age. He worked as a software engineer in various full-time positions for 10 years, but ultimately wanted more flexibility and felt limited by traditional employment, he says.
Married with two children, the Rockland, N.Y.-based Pastore says he is more secure financially today than before, because he’s not depending on one source of income. He estimates he makes 15% to 20% more today than he did at corporate jobs, “though this is not an apples-to-apples comparison,” he says. “I work mainly with startups, at a reduced rate plus equity.” He also works many fewer hours than he did as an employee and says he has no trouble finding clients.
Pastore hopes he’ll never hold a corporate full-time job again. “Going back to traditional employment would be my worst-case scenario,” he says. For his part, Kennedy says he is not averse to going back to a full-time job, but for now freelancing makes sense for him.
The job you want, not the job that’s offered
Whether they stay in freelancing or not, younger programmers are showing just how confident they are in their ability to fashion the career they want, not the one that’s offered by corporations. If the job doesn’t suit, they have no problem walking away from it. Boyd, for example, says he recently rebuffed the advances of a recruiter for Microsoft. The job sounded attractive, “and I probably would’ve taken it if it wasn’t so much travel,” he says. “I like this flexibility of being independent.”
With the proportion of millennials in the workforce continuing to grow (some forecasts say they will make up 75% within the next decade), this is likely to be a permanent change in the labor market. “As you look where this is heading, there’s no turning back,” says Deloitte’s Liakopoulos. A substantial proportion of younger workers do not want to become part of the old economy, he says. “They don’t want to be tethered to an organization. They want to continue being entrepreneurial. And they [plan] to use freelancing to create the flexibility they want in their lives.”
So many big data and analytics-focused startups are getting funding these days that I’ve been inspired to compile a second slideshow highlighting these companies (see “13 Big Data and Analytics Companies to Watch” for the previous collection). This new batch has pulled in some $250 million this year as they seek to help organizations more easily access and make sense of the seemingly endless amount of online data.
Headquarters: Redwood City, Calif.
Funding/investors: $9M in Series A funding led by Costanoa Capital and Data Collective.
Focus: Its data accessibility platform is designed to make information more usable by the masses across enterprises. The company is led by former Oracle, Apple, Google and Microsoft engineers and executives, and its on-premises and virtual private cloud-based offerings promise to help data analysts get in sync, optimize data across Hadoop and other stores, and ensure data governance. Boasts customers including eBay and Square.
Headquarters: Menlo Park, Calif. (with operations in India, too)
Funding/investors: $15M in Series B funding led by Scale Venture Partners and Next World Capital, bringing total funding to $23M.
Focus: Data science-driven predictive analytics software for sales teams, including the newly released Aviso Insights for Salesforce. Co-founder and CEO K.V. Rao previously founded subscription commerce firm Zuora and worked for WebEx, while Co-founder and CTO Andrew Abrahams was head of quantitative research and model oversight at JPMorgan Chase. The two met about 20 years ago at the National Center for Supercomputing Applications.
Headquarters: San Francisco
Funding/investors: $156M, including a $65M round in March led by Wellington Management.
Focus: Cloud-based business intelligence and analytics that works across compliance-sensitive enterprises but also gives end users self-service data access. This company, formed by a couple of ex-Siebel Analytics team leaders, has now been around for a while, has thousands of customers and has established itself as a competitor to big companies like IBM and Oracle. And it has also partnered with big companies, such as AWS and SAP, whose HANA in-memory database can now run Birst’s software.
Headquarters: Mountain View
Funding/investors: $39M, including a $20M Series C round led by Intel Capital in August.
Focus: A founding team from VMware has delivered the EPIC software platform designed to enable customers to spin up virtual on-premises Hadoop or Spark clusters that give data scientists easier access to big data and applications. (We also included this firm in our roundup of hot application container startups.)
Headquarters: San Francisco
Funding/investors: $76M, including $40M in Series E funding led by ST Telemedia.
Focus: Big data analytics application for Hadoop designed to let any employee analyze and visualize structured and unstructured data. Counts British Telecom and Citibank among its customers.
Deep Information Sciences
Funding/investors: $18M, including an $8M Series A round in April led by Sigma Prime Ventures and Stage 1 Ventures.
Focus: The company’s database storage engine employs machine learning and predictive algorithms to enable MySQL databases to handle big data processing needs at enterprise scale. Founded by CTO Thomas Hazel, a database and distributed systems industry veteran.
Headquarters: Santa Cruz
Funding/investors: $48M, including a $30M B round in March led by Meritech
Focus: Web-based business intelligence platform that provides access to data whether it sits in a database or in the cloud. A modeling language called LookML enables analysts to create interfaces that end users can employ for dashboards or to drill down and really analyze data. Founded by CTO Lloyd Tabb, a one-time principal engineer at Netscape, where he worked on Navigator and Communicator. Looker claims to have Etsy, Uber and Yahoo among its customers.
Headquarters: Palo Alto
Funding/investors: $14M, including $11M in Series A funding in May, with backers including Chevron Technology Ventures and Intel Capital.
Focus: Semantic search engine that plows through big data from multiple sources and delivers information in a way that can be consumed by line-of-business application users. The company announced in June that its platform is now powered by Apache Spark. Co-founder Donald Thompson spent 15 years prior to launching Maana in top engineering and architect jobs at Microsoft, including on the Bing search project.
Headquarters: Cambridge, Mass.
Funding/investors: $20M, including $15M in Series B funding led by Ascent Venture Partners.
Focus: This company, which got its start in Germany under founder Ingo Mierswa, offers an open source-based predictive analytics platform for business analysts and data scientists. The platform, available on-premises or in the cloud, has been upgraded of late with new security and workflow capabilities. Peter Lee, a former EVP at Tibco, took over as CEO in June.
Headquarters: Redwood Shores, Calif.
Funding/investors: $10M in Series A funding in March, from Crosslink Capital and .406 Ventures.
Focus: The team behind Informatica/Siperian MDM started Reltio, which offers what it calls data-driven applications for sales, marketing, compliance and other users, as well as a cloud-based master data management platform. The company claims its offerings break down silos between applications like CRM and ERP to give business users direct access to and control over data.
Headquarters: Palo Alto
Funding/investors: $900K in seed funding from investors including Andreessen Horowitz and Formation8.
Focus: A “data science platform for the unstructured world.” Sensai’s offering makes it possible to quantify and analyze textual information, such as from news articles and regulatory filings. The company is focused initially on big financial firms, like UBS, though also has tech giant Siemens among its earlier customers. Two of Sensai’s co-founders come from crowdfunding company Rally.org.
Funding/investors: $13.25M, including a $10M Series A round led by Foundry Group, New Enterprise Associates and Madrona Venture Group
Focus: This iPhone app enables businesses to tap into smartphone users (or “Fives”) to clean up big data in their spare time for a little spare cash. The idea is that computing power alone can’t be counted on to crunch and analyze big data. Micro-tasks include everything from SEO-focused photo tagging to conducting surveys.
Headquarters: Mountain View
Funding/investors: $23M, including $15M in January in Series B funding led by Scale Venture Partners.
Focus: Provides cloud services designed to simplify the collection, storage and analysis of data, whether from mobile apps, Internet of Things devices, cloud applications or other sources of information. This alternative to Hadoop platforms and services handles some 22 trillion events per year, according to the company, which has a presence not just in Silicon Valley, but in Japan and South Korea as well.
Want proof? Industry-leading vendors are snatching up OpenStack-based companies
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter’s approach.
IT is headed toward being something more akin to a utility service, transformed by OpenStack’s open standardized cloud architecture, which will improve interoperability and render vendor lock-in a thing of the past.
OpenStack was initially adopted by smaller ISVs lacking the capital to build their own private clouds, but OpenStack-based cloud solutions are now shaping up to be the logical choice for large enterprises as industry leaders, including IBM, Cisco, EMC, HP and Oracle, bet on its value for defining the next-generation model for business computing.
These industry giants have been snatching up OpenStack-based companies over the past couple of years, building up their capabilities around the architecture. IBM and Cisco are among the latest to close deals, with their respective acquisitions of Blue Box and Piston Cloud Computing. Other relevant acquisitions include EMC’s purchase of Cloudscaling, Oracle’s Nimbula acquisition, and Cisco’s MetaCloud acquisition.
OpenStack’s value for business lies in its capacity for facilitating seamless private-to-public scalability and extensive workload portability, while removing the need to lay out capital to acquire and maintain depreciating commodity hardware.
These companies see that innovations in open clouds will inevitably win out as the premier solution for business data management. The days of commodity hardware and internally managed datacenters are rapidly fading. With cloud services available on a pay-as-you-go basis and infrastructure as a service (IaaS) removing the need to invest in commodity hardware, customers will look at performance, pricing and quality of service as the most important factors in choosing a cloud provider, while maintaining the freedom to easily switch if a better option comes along.
OpenStack’s core strength is interoperability, allowing for seamless scaling across private and public environments, as well as easier transition and connectivity across vendors and networks.
Companies like IBM and Cisco buying up OpenStack-based providers to bolster their own hybrid cloud solutions does not mean the architecture will lose touch with its open-source roots. Open standards and interoperability go hand-in-hand and are at the heart of OpenStack’s unique capabilities.
What we are seeing is the maturation of OpenStack, with major names in business computing positioned to mainstream its adoption by leveraging their financial, IP, R&D resources and brand trust to meet complex demands and ensure confidence from large enterprise organizations transitioning to the cloud.
Cisco listed OpenStack’s capabilities for enhancing automation, availability and scale for hybrid clouds as playing a major role in its new Intercloud Network, while HP is utilizing OpenStack to facilitate its vendor-neutral Helion Network, which will pool the services of Helion partners to offer global workload portability for customers of vendors within their network.
Adoption of OpenStack by these providers signals a major shift for the industry, moving away from dependence on hardware sales and heavy contractual service agreements to a scalable IaaS utility model, where customers pay for what they need when they need it and expect it to just work. Providers may need to shoulder the burden of maintaining datacenters, but they will reap the reward of pulling the maximum value from their commodity investments.
Interoperability may seem like a double-edged sword for companies that were built on their own software running exclusively on their own hardware. But the tide is shifting and they realize that closed platforms are losing relevance, while open architecture offers new opportunities to expand their business segments, better serve customers, and thrive with a broader customer base.
Cisco recently added new functionality to its Intercloud offering, extending virtual machine on-boarding to support Amazon Virtual Private Cloud and extending its zone-based firewall services to include Microsoft Azure. Last year, IBM partnered with software and cloud competitor Microsoft, each offering their respective enterprise software across both Microsoft Azure and the IBM Cloud to help reduce costs and spur development across their platforms for their customers. OpenStack furthers these capabilities across the quickly expanding list of providers adopting the cloud architecture, enabling a vendor-agnostic market for software solutions.
Open standardized cloud architecture is the future of business IT, and OpenStack currently stands as the best and only true solution to make it happen. Its development was spurred by demand from small ISVs who will continue to require its capabilities and promote its development, regardless of whether large enterprise service providers are on board.
However, its inevitable development and obvious potential for enterprise application is forcing the hand of IT heavyweights to conform. Regardless of whether they’d prefer to maintain the status quo for their customers, the progress we’ve seen won’t be undone and the path toward vendor neutrality has been set.