By Paul Mazzucco, Xand Chief Security Officer
Posted April 9 2014
You’ve likely seen or heard about it in the news: a critical vulnerability in the OpenSSL cryptographic library has been exposed. This vulnerability, known as the "Heartbleed Bug," allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software.
This issue should be considered extremely critical due to its impact, long exposure, ease of exploitation, the absence of application logs indicating an exploit attempt, and the widespread availability of exploit code.
The flaw resides in the OpenSSL implementation of the TLS and DTLS heartbeat extension (RFC 6520) and is caused by a missing bounds check: the peer's declared payload length is trusted without comparing it against the length of the record actually received. Each malformed request reveals up to 64KB of the process's memory to the connected client or server. An attacker can keep reconnecting, or keep requesting an arbitrary number of 64KB chunks during an active TLS connection, until they have achieved their objectives.
Vulnerable: OpenSSL versions 1.0.1 through 1.0.1f (inclusive) and version 1.0.2-beta
Not vulnerable: Branches 1.0.0 and 0.9.8
This vulnerability is resolved in OpenSSL version 1.0.1g. According to the OpenSSL advisory, version 1.0.2 will be fixed via 1.0.2-beta2. The CTU research team recommends upgrading immediately.
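To make the missing bounds check concrete, here is an added example written for this post, not OpenSSL's own code: a cut-down model of the heartbeat handler in C, in its pre-1.0.1g form beside the corrected form. The message layout follows RFC 6520. The function names, the 256-byte arena standing in for process memory and the "secret" string it holds are constructed for the demonstration; the arena is sized so the vulnerable handler's over-read stays inside it and the program remains well-defined C.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage layout as carried in a TLS record:
 *   byte 0     type (1 = heartbeat_request, 2 = heartbeat_response)
 *   bytes 1-2  payload_length, big-endian uint16
 *   payload    payload_length bytes, echoed back by the peer
 *   padding    at least 16 bytes, ignored by the peer                     */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER_LEN  3
#define HB_MIN_PADDING 16

typedef size_t (*hb_handler)(const unsigned char *rec, size_t rec_len,
                             unsigned char *out, size_t out_cap);

/* Shared response construction: echo the payload, append padding.
 * Padding is zeroed here; OpenSSL fills it with random bytes. */
static size_t hb_build_response(const unsigned char *rec, uint16_t payload_len,
                                unsigned char *out)
{
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, payload_len);
    memset(out + HB_HEADER_LEN + payload_len, 0, HB_MIN_PADDING);
    return HB_HEADER_LEN + payload_len + HB_MIN_PADDING;
}

/* Pre-1.0.1g behaviour (model): trusts the attacker-supplied payload_length
 * and never compares it with rec_len, the number of bytes actually received,
 * so the memcpy above reads past the record into whatever memory follows. */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *out, size_t out_cap)
{
    (void)rec_len;                                   /* the bug: never consulted */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER_LEN + (size_t)payload_len + HB_MIN_PADDING > out_cap) return 0;
    return hb_build_response(rec, payload_len, out);
}

/* 1.0.1g behaviour (model): a request whose declared payload does not fit in
 * the received record is silently discarded, as RFC 6520 section 4 requires. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < HB_HEADER_LEN + HB_MIN_PADDING) return 0;   /* too short to be valid */
    if (rec[0] != HB_REQUEST) return 0;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (HB_HEADER_LEN + (size_t)payload_len + HB_MIN_PADDING > rec_len) return 0; /* the fix */
    if (HB_HEADER_LEN + (size_t)payload_len + HB_MIN_PADDING > out_cap) return 0;
    return hb_build_response(rec, payload_len, out);
}

static int contains(const unsigned char *hay, size_t hay_len,
                    const unsigned char *needle, size_t needle_len)
{
    for (size_t i = 0; needle_len <= hay_len && i + needle_len <= hay_len; i++)
        if (memcmp(hay + i, needle, needle_len) == 0) return 1;
    return 0;
}

/* Simulated process memory: a 19-byte malicious request (64-byte payload
 * declared, 0 bytes present) followed by a constructed "secret" standing in
 * for an adjacent heap allocation.  Returns 1 if the handler's response
 * contains that secret. */
int leaks_adjacent_memory(hb_handler handler)
{
    static const unsigned char secret[] = "session_cookie=0xdeadbeef";  /* constructed */
    unsigned char arena[256] = {0}, out[256];
    arena[0] = HB_REQUEST; arena[1] = 0x00; arena[2] = 0x40;   /* claims 64 bytes */
    size_t rec_len = HB_HEADER_LEN + 0 + HB_MIN_PADDING;        /* only 19 on the wire */
    memcpy(arena + rec_len, secret, sizeof secret);
    size_t n = handler(arena, rec_len, out, sizeof out);
    return n != 0 && contains(out, n, secret, sizeof secret - 1);
}

/* A well-formed request ("ping" plus 16 bytes of padding) must still be
 * echoed by both handlers; returns 1 when the response is correct. */
int echoes_valid_request(hb_handler handler)
{
    unsigned char req[HB_HEADER_LEN + 4 + HB_MIN_PADDING] =
        {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    unsigned char out[64];
    size_t n = handler(req, sizeof req, out, sizeof out);
    return n == HB_HEADER_LEN + 4 + HB_MIN_PADDING && out[0] == HB_RESPONSE
        && memcmp(out + HB_HEADER_LEN, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks adjacent memory:  %d\n", leaks_adjacent_memory(heartbeat_vulnerable));
    printf("fixed handler leaks adjacent memory:       %d\n", leaks_adjacent_memory(heartbeat_fixed));
    printf("fixed handler still answers valid request: %d\n", echoes_valid_request(heartbeat_fixed));
    return 0;
}
```

The only difference between the two handlers is the single comparison against rec_len; everything else, including the allocation of a response large enough for the declared length, is the same. That is also why nothing shows up in application logs: from the server's point of view a malicious request is processed exactly like a valid one.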
Products that use OpenSSL libraries, such as SSL termination devices, load balancers, secure web gateways, web application firewalls, and other embedded devices, may also be vulnerable. Confirm the vulnerability status of each such product with its vendor and coordinate mitigation steps.
After patching the vulnerability, revoke any primary key material (e.g., X.509 certificates and private keys) used by a vulnerable TLS service, and issue and distribute new keys.
In addition, consider potential compromise of secondary key material, such as usernames and passwords exchanged with a vulnerable TLS endpoint. Reset secondary key material such as passwords and encryption keys, and invalidate and reset any exposed session keys and session cookies.
OpenSSL Security Advisory
Heartbleed Bug Vulnerability
Ubuntu Security Notice (USN)
Red Hat Common Vulnerabilities and Exposures (CVE)
Xand Customer Support:
As always, the Xand Operations Center is available 24x7 to provide up-to-date status information or additional details, should you have any questions regarding this issue.
Xand staff attended the SecureWorld Boston Expo this week, joining companies such as Cisco, IBM, Radware, and McAfee. Visitors to our booth came with two specific areas of interest.
First: Security-as-a-Service (SaaS). IT decision makers are increasingly seeking outsourcing partners to assist in maintaining secure systems both in data centers and in the cloud.
It was interesting to hear the need for SaaS coming from hardware and software platform vendors, as well as security service consulting and staffing firms. The demand for reliable SaaS partners appears to be strong across the industry.
The second area of interest was cloud security. As cloud adoption by businesses and enterprise organizations continues to grow at a rapid pace, many security professionals have questions about access, compliance, and control. Multi-factor authentication techniques and VPN security were hot items on the lists of many of the pros we talked to.
Clearly security now dominates every IT-related conversation; and in a world of interconnected systems and growing compliance mandates, it’s clear that maintaining high levels of security is no longer a one person job.
What trends are you seeing in IT security? Does your organization utilize SaaS? Do you have dedicated security staff or do you use outsourcing partners? Let us know in the comments section below; we’d love to know your thoughts.
By Paul Mazzucco, Xand Chief Security Officer
Posted February 21, 2014
With the latest round of credit card and personal data breaches in the news, the release of the new PCI DSS 3.0 Security Standard is timely indeed. The overall need of data service providers in every level of the transaction process to develop security best practices is now more important than ever.
With Version 3.0, the PCI Security Standards Council (PCI SSC) focuses on flexibility, education, awareness, and security as a shared responsibility. There are several important changes taking place in the jump from Version 2.0 to the new 3.0 framework, and IT Decision Makers will want to make sure their infrastructure and service providers are up to date to ensure maximum levels of security for their critical data.
Key drivers for PCI DSS Version 3.0 include an overall lack of education and awareness, as identified by the Council, about where coverage responsibility falls, especially with emerging technologies such as cloud and virtualization. Weak passwords and authentication challenges, third-party security, slow self-detection of malware and other threats, and inconsistency in assessments were also factors in the update.
When surveying the PCI DSS landscape, it’s critical for those charged with protecting cardholder data to be aware of the multiple access points to their information and where responsibility falls when working with complex infrastructure systems. The PCI Council sets various standards and benchmarks for manufacturers, developers, and providers. For example, at Xand our data center facilities fall into the Service Provider category. This places our company under the PCI Data Security Standards (PCI DSS) umbrella. When searching for a managed services provider, be sure that the level of PCI classification is clearly provided upfront, as this is vitally important in determining lines of demarcation in data protection responsibilities.
Lack of knowledge around payment card security and, more telling, poor implementation and maintenance of the PCI standards are huge contributing factors in why security breaches happen. In my role as Chief Security Officer, I spend each day working to make sure Xand’s systems are up to date with the latest compliances. Although the PCI DSS standards serve as a great guide against which we test ourselves, building an overall security policy and a proper employee training program is key to make sure that the human element of our security standards remains tight. Standards of security are unfortunately always playing catch-up against the newest attack vectors and companies cannot simply allow a stamp of compliance to govern their security mandates.
Security is a dynamic field, and those who rest on their laurels often find themselves quickly exposed. When dealing with outsourced solutions providers or managed services vendors, don’t just accept a logo on their website as a rubber stamp for security. Be sure to ask which version of the standard they adhere to, when the last update was conducted, and how often the organization undertakes audits. These criteria separate the wheat from the chaff in IT security.
In regards to PCI, the PCI Security Standards Council has made several important improvements in the PCI DSS certification in version 3.0. The updated version of PCI DSS tackles the following:
- Provide stronger focus on some of the greater risk areas in the threat environment
- Provide increased clarity on PCI DSS & PA-DSS requirements
- Build greater understanding on the intent of the requirements and how to apply them
- Improve flexibility for all entities implementing, assessing, and building to the Standards
- Drive more consistency among assessors
- Help manage evolving risks / threats
- Align with changes in industry best practices
- Clarify scoping and reporting
- Eliminate redundant sub-requirements and consolidate documentation
Ask your provider which version of PCI DSS they are certified for. Version 2.0 will be supported until December 2014, and many companies will hold off on updating until the last possible moment. With greater transparency and a more nuanced approach to cloud, virtualized, and multi-tiered environments, taking the extra steps to ensure your provider is up to date with PCI DSS Version 3.0 may save some tremendous security headaches down the road. Updating frameworks can be a cumbersome process, but I felt it was of utmost importance to secure the latest PCI DSS update for Xand to give our clients the maximum level of protection available. Xand is privately owned and funding is in place to fully support security initiatives. However, other providers may be hampered by financial constraints, operational shortfalls, or simply a lack of expertise to keep up with the vast changes coming from PCI.
In addition to maintaining a wide scope of compliances and managing several security systems, I’m often called to take part in client meetings at Xand, where I answer questions and scope out security concerns. The point here isn’t to outline my day (busy!) or sell you on Xand (although we love new customers!) but rather to highlight the importance of having dedicated in-house security personnel. Not every Cloud or Managed Services Provider is in a position to have such dedicated security resources. Use this as another benchmark when seeking a partner for PCI DSS compliant systems.
Overall, the jump from PCI DSS Version 2.0 to 3.0 is an important one, not just for MSPs but for the industry as a whole. Even those who don’t deal directly with cardholder data would do well to seek out infrastructure solutions partners who adhere to PCI DSS mandates, as the practices set forth by the framework can do much to hedge against the risk of an unmitigated security disaster.
The following updates from Day 2 of VMware Partner Exchange 2013 arrive courtesy of Xand Senior Vice President of Technology Denoid Tucker. Take it away, Denoid!
Live Updates from VMware Partner Exchange – Day 2
By Denoid Tucker
Day 2 of the general conference session brought out the two top VMware executives to talk about the focus for VMware in 2013, starting with newly appointed VMware CEO Pat Gelsinger. Pat kept it pretty high-level and boiled the agenda down to three major initiatives: The Software Defined Data Center, Hybrid Cloud, and End-User Computing.
The “Software Defined Data Center” is a term hot on VMware’s lips this year. Pat describes it as essentially abstracting the fundamental components of the data center-- compute, storage, and network—and then “pooling” those resources to be used across differing workloads, with the end goal of then ultimately automating the delivery and management of those resources.
“Hybrid Cloud” as VMware defines it is their ever-expanding support for the management and integration of other Cloud platforms running alongside VMware products. With VMware’s acquisition of DynamicOps back in July of last year, they now have the ability to provision Cloud services between different hypervisors and Public Cloud providers. The rebranded solution is now called vCloud Automation Center. Based on the features and functionality of the product, vCloud looks to be solidly in line with VMware’s vision for fully managing the entire Cloud ecosystem.
“End User Computing” is VMware’s expanded version of Virtual Desktop Infrastructure (VDI) to include all kinds of devices, including smartphones and tablets, to create an end-to-end platform for workforce mobility. With their newly renamed group of products called Horizon Suite, VMware continues to expand its focus beyond virtualizing desktop environments, with the aim of offering users access anywhere, anytime, and on any device. I believe this will revolutionize the way we all work and interact with the applications we use on a daily basis. Horizon promises to extend the same accessibility that our personal, social, and entertainment mobile apps provide today to enterprise environments. The platform itself is not the end of the discussion, however. The success of End User Computing will ultimately rely on the end user’s experience. If not designed, deployed, and managed properly, the new suite could create frustration for end users.
Next up was VMware President and COO Carl Eschenbach. Carl launched right into the numbers and really got the assembled partners fired up about the market opportunity in 2013. Carl reiterated throughout his talk that 85% of all VMware sales come from partners like Xand, and has held steady at that level for several years with no indicators of changing in the future. Eschenbach shared some other interesting statistics as well:
- VMware’s bookings were up 40% from Q3 to Q4 2012.
- They are experiencing 22% Y/Y revenue growth.
- The Managed Services market will grow to $41.5 billion in 2013.
Carl tied these numbers to the fact that VMware sells almost no services to end customers, counting on service providers to provide this role to end-users. VMware continues to be primarily interested in license revenue. Carl also emphasized that the push to the complete Software Defined Data Center resided squarely in the hands of the partner base—VMware is counting on partners to make this future a reality, and their opinion is that the future is bright.
That’s it for today. I will get into some technical details around virtualized storage, sizing and performance pitfalls for high-performance Clouds, and End User Computing later this week.
Denoid Tucker is Xand’s Senior Vice President of Technology.
Members of the Xand Sales, Marketing, Technical, and Operational staff are on site in Las Vegas this week taking part in the VMware Partner Exchange 2013 conference. The VMware Partner Exchange is the year’s largest VMware convention for partners and service providers. The forum is dedicated to educating and enabling providers to sell and deploy VMware products and solutions successfully, as well as to provide them with the latest and greatest updates from VMware.
Our team members provided the following updates live from the convention floor today:
The Software Defined Data Center (SDDC) is the future
Legacy OS dynasties are broken, so it's out with the old and in with the new. The management of these systems has brought the IT industry to its knees.
Traditional Data Centers are still bottlenecks, with the physical network being the #1 roadblock.
- VMware reports that customers who utilize VMware IaaS solutions will save 27% on their IT budgets this year.
- On average, they will also INCREASE revenue through IT operational efficiencies by 22%.
Mobile Solutions on the Horizon
Mobile solutions are complex and nearly impossible for IT managers to handle. VMware’s new Horizon Suite promises to simplify this by securely delivering and managing all of these intricate applications across ALL devices.
Access corporate apps anywhere, anytime, but corporate IT control allows for administrators to set user-based policies for standardization.
VMware estimates enterprises can increase TOTAL worker productivity by 6% once Horizon is rolled out to all end-users.
Jaguar/Land Rover just rolled out Horizon to all of their worldwide employees.
Be sure to check back here at info.xand.com later in the week for more updates from VMware Partner Exchange 2013.
Xand is excited to announce the promotion of Yatish Mishra to President and CEO. Mr. Mishra brings over 26 years of senior IT and executive leadership experience to the Xand team with an extensive background in the data center industry.
“Xand is excited to have landed such an outstanding executive with Yatish’s proven industry track record to lead the company’s continued growth and strategic vision moving forward,” said Brian St. Jean, Partner at ABRY Partners. “His deep understanding of the data center, managed services and cloud computing sectors will strengthen Xand’s ability to maintain their leadership position in the Northeast region.”
Since first coming to Xand in July of 2012, Mishra has overseen tremendous revenue growth, a vast amount of new construction projects, as well as the successful integration of three companies into one leading data center platform.
“I’m thrilled to have been given this opportunity to lead such a talented, well-positioned company as Xand,” said Yatish Mishra. “The ideal geographic location of Xand’s six facilities in the Northeast, combined with our flexible cloud, managed services and business continuity offerings and strong focus upon customer service excellence make us a very attractive play for enterprises with demanding IT infrastructure requirements.”
Please click the link below for the full press release announcement and join us in offering a big congratulations to Yatish!
Click here to download PDF copy of the release.
Our Operations team reports that all Xand data centers are functioning normally, with additional staff onsite at all six locations.
Xand New England’s Marlboro, Mass. site is reporting over 20” of snow on the ground and still more coming down, with wind gusts upwards of 35 MPH. Our Marlboro facility proactively converted to Emergency Generator late last night to avoid stress on the UPS systems, but commercial power remains live at the location.
Please check back here for the latest storm updates, and also follow Xand on Twitter @XandLLC. As always, our Network Operations Centers are available 24x7 to provide updates and information - http://www.xand.com/support/
The National Weather Service is predicting significant snowfall for Massachusetts and Connecticut beginning Friday, February 8, through Saturday, February 9.
Xand has taken precautionary measures to guard against any potential interruption of service during this storm. Our backup generators have been topped off and all fuel vendors are standing by to make further deliveries in the event of an extended commercial power interruption. Special arrangements have also been made to increase staffing levels in order to maintain operations during and after the storm across all Xand facilities.
As always, our New England Network Operations Center (NOC) is available 24x7x365 to provide current status reports. The NOC may be reached by phone at 508-281-7600 x4 or via email at email@example.com. For support in our New York and Pennsylvania facilities, please see www.xand.com/support. You may also reference the Xand website (www.xand.com) and follow us on Twitter @XandLLC for the latest information. Stay safe and thank you for choosing Xand!
Exciting news hitting the wires today by way of a press release-- Xand is adding 35,000 square feet of new Disaster Recovery workspace.
When Hurricane Sandy struck the East Coast last fall, our six facilities provided a home to nearly 1,000 customer staff members on site during the storm and throughout its aftermath, with the Valley Forge, Pennsylvania facility hosting nearly half of those alone.
We were even able to accommodate several new clients whose previous providers were unable to meet their Recovery Time Objectives (RTOs). Leveraging our cloud platform, workspace recovery seats and other technologies, we successfully accommodated every client request during the storm, turning no one away, while safely maintaining 100% uptime in all of our data center facilities.
Our CEO, Yatish Mishra, had this to say about Xand's storm response in the press release:
“During Hurricane Sandy, we enabled a multitude of businesses and organizations to rapidly rebound from the devastating effects of the storm,” said Yatish Mishra, Xand’s President & CTO. “With the addition of over 35,000 square feet of brand new workspace, we’re excited to offer even more disaster recovery options for our existing customers, while continuing to welcome new clients who are reassessing their current business continuity needs.”
Please follow the link to our Press Release section to read "Xand Adds Over 35,000 Square Feet of Disaster Recovery Workspace"
Interested in learning how Xand can help your organization meet its Disaster Recovery objectives? Click here to contact our team today.
A new report from highly cited global analyst firm 451 Research praises Xand's six data center footprint and disaster recovery offerings.
"Xand has chosen its assets wisely," analyst Michael Levy states in the report. "By purchasing facilities on the periphery or outside of city centers on the East Coast, it positions itself as a primary disaster-recovery provider for Boston, New York and Philadelphia. Its geography redundancy is strong and its operations are neat and seamless."
Click here to download the full 451 Research report
The report also highlights Xand's concentrated efforts to expand Data Center and Disaster Recovery square footage across all locations and also praises the strategic location and stability of our Westchester County facility, which services the NYC Metro market.
"The area has faced three major incidents in the past 10 years that disrupted datacenter services – 9/11, the 2003 blackout and most recently, Hurricane Sandy – Xand believes the market will take disaster recovery very seriously from this point forward and look not only to its Hawthorne facility, but its Pennsylvania and Massachusetts locations as well. Xand did not suffer a single minute of downtime during any of these events," the report states.
The report goes on to cover the increased demand for Xand's proven Disaster Recovery services following the devastating events of Hurricane Sandy.
To learn more about how Xand can help your organization develop primary, secondary, and even tertiary business continuity and disaster recovery plans, please visit www.xand.com.