Vol 01 - Edition 08
By Beth Cohen
I recently consulted with
a company that had a mission-critical financial and project
management application that had thousands of network hits a day.
The company had been supporting the system in their so-called
data center — OK it was more like a data closet, well really
just a closet. At least the server was not sitting under
somebody's desk! When the company's systems administrator left
the company, I suggested using a managed service provider (MSP)
for systems support. For about $200 a month, the company "hired"
a fully supported server system and no longer needed a full-time
UNIX systems administrator anymore.
Wow, is it that cheap? It sounds too good to be true, but it
is true.
MSP: Turn Your Network Over to a Managed Service Provider
An MSP provides delivery and management of network-based
services, applications, and equipment to homes, offices, or even
other service providers. Managed service providers can be either
hosting companies or access providers. Their services can range
from fully outsourced network management arrangements, including
advanced features like IP telephony, messaging and call center
management, virtual private network (VPN) access, and managed
firewalls, to simply providing web hosting services for your
company's external website. Initially, ISPs offered these types
of services starting about 8 years ago, when they found that
they could sell extra capacity in their data centers to their
customers.
MSPs usually offer a myriad of options to choose from,
including, but not limited to, the amount of disk space, number
of processors, platform (usually Linux, Windows or Solaris),
server access (web-based, file transfer protocol or telnet) and
scalable bandwidth. MSPs come in two basic flavors — shared or
dedicated. Shared services mean that your system is located on a
server with other businesses, and dedicated services mean that
you basically own the box.
When you purchase a dedicated server, you are buying the use of an
entire machine reserved for your use alone. The MSP still builds
the machine for your business to their standard specifications
and supports it fully. You will generally have more flexibility
about what tools you are permitted to install and nobody but you
can crash the machine (an unlikely scenario nowadays). If your
application is large or you require specialized software, this
may be the only option available. The cost for a dedicated
server can be surprisingly reasonable, starting at around $150 a
month.
If you are on a tight budget and you have a standard
application, such as a storefront web server or brochureware,
you might consider a shared solution. As with the dedicated
option outlined above, you can choose the amount of disk space,
available bandwidth, platform, and tool set to work with. Be
aware that when you buy shared services, you are sharing a machine
with other customers. It sounds dangerous because you will never
know with whom you are sharing your site, but it is completely
transparent and secure. If the MSP is at all reputable, this can
be a very inexpensive and secure option. If you find this
arrangement makes you nervous at all, pay the extra money for a
dedicated server.
Shared services are not only for web hosting either. You can
purchase helpdesk services, disk storage, enterprise-class
systems, or almost any type of system you need. This is the ASP
model of providing managed services. A few years ago during the
Internet boom, everyone thought that ASPs were going to be the
next wave of a great IT transformation. So far the promise of
the ASP industry has not fulfilled the hype, but for the right
application, this can still be a viable and cost-effective
option.
Advantages: The advantage to using an MSP is that you
are able to purchase the service and support for a wholly
managed solution from a data center that your business would
otherwise never be able to build, afford or maintain by
yourself. These data centers are constantly updated with the
latest security methods and systems technologies — another
expensive headache you do not need. Outsourcing your server
support can be a very cost-effective approach because you
can purchase exactly the services that your business needs —
when you need them. Expanding your online business is as
simple as purchasing additional services. Numerous large and
small companies provide these managed services — ranging
from WorldCom and AT&T to small, specialized downstream
providers.
Disadvantages: There are some disadvantages to
choosing this service model. If you have any special
requirements, you will need to find an MSP that has the
special tools to customize the applications or systems that
you need. Since hundreds of companies provide these
services, it should not be difficult to find what you are
looking for, but the more specialized your needs, the more
dependent you are on a specific provider. Another potential
downside — this industry is going through a serious
shakeout. Many providers will wash out in the next few years
as the industry consolidates. One way of minimizing your
risk is to use two MSP companies — if one goes out of
business, you will have time to transfer your account to
another with no service disruption.
Let's face it, when you outsource your network services to an
MSP, you are literally putting all your eggs in another
company's basket. It's important to thoroughly research your
options before committing to any third-party business.
There are five key questions to ask when choosing an MSP:
- Business track record: How long has the company
been in business, what are its prospects for the future?
Check its Dun & Bradstreet rating.
- Quality of facilities: What does the facility
look like? How many data centers does the company have? Does
it have fully redundant power and network connectivity? Is
it subleasing space from another provider?
- Upstream providers: Who is the MSP getting its
Internet service from? Does it have multiple network access
points?
- Administration tools: Does it have a set of
administrative tools for you? Are they easy to use and
secure?
- Technical support: Are technicians available
around-the-clock? Does the MSP guarantee response times if
there is an issue? Is the MSP proactive when there is a
problem?
The Bottom Line
Your company's website, Intranet, enterprise resource planning,
accounting and other systems are all business critical
functions. In the past, you have always supported them on-site,
but you know that your IT resources are stretched very thin.
Does it make sense to move your application servers to an MSP
instead of supporting them in-house or using a collocation
service? Probably. An MSP can offer your business security,
different levels of support, and bandwidth all for a price that
you could never hope to match any other way.
This Month's Tip:
Business continuity planning should be considered carefully.
(MSPAlliance) - Wednesday, July 26, 2006 - Organizations have been
increasingly concerned with surviving a major disaster and are implementing
business continuity plans in reaction. All organizations should carry out
business continuity planning, with time and resources in proportion to the
level of risk and their specific constraints. The overwhelming response has been
to have employees work at home in the event of a disaster, employing personal
high-speed Internet connections.
However, there are many factors to consider when drafting a business
continuity plan. Organizations should make sure to review their projected needs
during a crisis with their telecommunications providers, as phone companies have
a policy of taking care of business customers first. Telecom providers should
realize that more people will be working from home and that present residential
service plans will be inadequate for their needs.
Organizations should also keep several ways to connect to the Internet
available, including DSL, dial-up and wireless. Also, some telecoms will not be
operational during a disaster. Organizations should make sure they have the
proper continuity plans in place to address infrastructure and support, and it
is much better to work on solutions now than to wait for disaster to strike.
This month, Microsoft released ten bulletins that fix a total
of twenty-six vulnerabilities. Most of these vulnerabilities affect client-side
applications, several of which have been used in various zero-day malware and
web-based attacks. We are seeing a continuation in the trend of application-level
bugs rather than operating system flaws, with the exception of some very old
IPv6 issues finally being fixed, and another Server Service problem being
corrected.
This Month's Bulletins
Critical
MS06-057 - Vulnerability in Windows Shell Could Allow
Remote Code Execution
MS06-058 - Vulnerabilities in Microsoft PowerPoint Could
Lead to Remote Code Execution
MS06-059 - Vulnerabilities in Microsoft Excel Could
Allow Remote Code Execution
MS06-060 - Vulnerability in Microsoft Word Could Allow
Remote Code Execution
MS06-061 - Vulnerabilities in Microsoft XML Core
Services Could Allow Remote Code
MS06-062 - Vulnerabilities in Microsoft Office Could
Lead to Remote Code Execution
Important
MS06-063 - Vulnerability in Server Service Could Allow
Denial of Service
Moderate
MS06-056 - Vulnerability in ASP.NET Could Allow
Information Disclosure
MS06-065 - Vulnerability in Windows Object Packager
Could Allow Remote Execution
Low
MS06-064 - Vulnerability in TCP-IP IPv6 Could Result in
Denial of Service
Bulletin Summary
MS06-056
Vulnerability in ASP.NET Could Allow Information Disclosure (922770)
http://www.microsoft.com/technet/security/bulletin/MS06-056.mspx
Microsoft Severity Rating: Moderate
Severity Rating: Low
Description
This vulnerability is low risk by nature. As a cross-site-scripting issue,
this vulnerability could lead to the disclosure of potentially sensitive
information and in some cases could allow an attacker to perform the
same functions that the target user could perform on the affected website.
Attempts to exploit this vulnerability would require user
interaction.
Recommendations
While this is a low risk vulnerability, many web-based attacks and phishing
schemes are beginning to use such methods to trick unsuspecting users. As such,
this patch should be installed as part of your normal change control process.
--------------------------------------------------------------------------------
MS06-057
Vulnerability in Windows Shell Could Allow Remote Code Execution (923191)
http://www.microsoft.com/technet/security/bulletin/MS06-057.mspx
Microsoft Severity Rating: Critical
Severity Rating: Critical
Description
This Microsoft Bulletin addresses the zero-day vulnerability that eEye Digital
Security warned customers about last week, which has been exploited in the wild.
The way in which Internet Explorer handles the WebViewFolderIcon ActiveX object
allows for remote code execution in the context of the logged-in user.
Recommendations
This is a known zero-day vulnerability, and while it requires an attacker to
trick users into visiting a malicious website, it is already being used on the
Internet. This patch should be installed as soon as possible. Those that cannot
install the patch right away can follow the workaround advice in the eEye
Research Alert.
--------------------------------------------------------------------------------
MS06-058
Vulnerabilities in Microsoft PowerPoint Could Lead to Remote Code Execution
(924163)
http://www.microsoft.com/technet/security/bulletin/MS06-058.mspx
Microsoft Severity Rating: Critical
Severity Rating: Critical
Description
This bulletin deals with four different issues within Microsoft PowerPoint. Each
of the issues results in remote code execution in the context of the logged-in
user.
By CVE number the four issues are:
CVE-2006-3435 - PowerPoint Malformed Object Pointer
CVE-2006-3876 - PowerPoint Malformed Data Record
CVE-2006-3877 - PowerPoint Malformed Record Memory Corruption
CVE-2006-4694 - PowerPoint Malformed Record
Recommendations
All of the vulnerabilities addressed with this patch, while requiring user
interaction, result in remote code execution in the context of the logged-in
user. It is recommended that you install this patch soon and remind users not to
open unsolicited documents sent to them via email.
--------------------------------------------------------------------------------
MS06-059
Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (924164)
http://www.microsoft.com/technet/security/bulletin/MS06-059.mspx
Microsoft Severity Rating: Critical
Severity Rating: Critical
Description
This patch fixes four separate issues in Microsoft Excel:
CVE-2006-2387 - Excel Malformed DATETIME Record
CVE-2006-3431 - Excel Malformed STYLE Record
CVE-2006-3867 - Excel Handling of Lotus 1-2-3 Files
CVE-2006-3875 - Malformed COLINFO Record
Each of these issues results in remote code execution in the
context of the logged-in user, but only after the user is tricked into opening a
malicious Excel file.
Recommendations
These vulnerabilities were disclosed, and used, in the wild previous to the
Microsoft bulletin; therefore, we recommend that you install this patch as soon
as possible and remind users not to open unsolicited email attachments.
--------------------------------------------------------------------------------
MS06-060
Vulnerability in Microsoft Word Could Allow Remote Code Execution (924554)
http://www.microsoft.com/technet/security/bulletin/MS06-060.mspx
Microsoft Severity Rating: Critical
Severity Rating: Critical
Description
We're sensing a pattern. With this bulletin, Microsoft has addressed four
vulnerabilities in Microsoft Word. Like the Excel issues in the previous
bulletin, some of these issues were made public previous to today's patch
release. The vulnerabilities are:
CVE-2006-3647 - Word Remote Code Vulnerability
CVE-2006-3651 - Word Mail Merge
CVE-2006-4534 - Word Malformed Stack
CVE-2006-4693 - Word for Mac Vulnerability
These vulnerabilities, when exploited, allow for remote code
execution in the context of the logged-in user.
Recommendations
Because exploits for these vulnerabilities may already exist, we recommend that
you apply this patch soon and remind users to not open unsolicited email
attachments.
--------------------------------------------------------------------------------
MS06-061
Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code (924191)
http://www.microsoft.com/technet/security/bulletin/MS06-061.mspx
Microsoft Severity Rating: Critical
Severity Rating: Critical
Description
This Microsoft bulletin addresses two issues with Microsoft XML services. The
first issue, CVE-2006-4685, is a lower risk information disclosure bug in the
way that the XMLHTTP ActiveX control incorrectly interprets an HTTP server-side
redirect. The second issue, CVE-2006-4686, is a more serious remote code
execution bug that can be triggered via a malicious web page.
Recommendations
Continuing the trend of serious client-side vulnerabilities, this issue can
allow for code execution from a remote computer. There are no known workarounds
for this issue so we recommend that you install this patch as soon as possible.
--------------------------------------------------------------------------------
MS06-062
Vulnerabilities in Microsoft Office Could Lead to Remote Code Execution (922581)
http://www.microsoft.com/technet/security/bulletin/MS06-062.mspx
Microsoft Severity Rating: Critical
Severity Rating: Critical
Description
This is yet another bulletin for Microsoft Office -- four issues that all allow
for remote code execution:
CVE-2006-3434 - Office Improper Memory Access Vulnerability
CVE-2006-3650 - Office Malformed Chart Record Vulnerability
CVE-2006-3864 - Office Malformed Record Memory Corruption
CVE-2006-3868 - Office Smart Tag Parsing Vulnerability
Each of the four issues requires user interaction and results in
the system allowing for remote code execution in the context of the logged-in
user.
Recommendations
As this has proven to be a popular attack vector for malware authors in the
past, it is recommended that this patch be installed soon and users reminded to
not open unsolicited email attachments.
--------------------------------------------------------------------------------
MS06-063
Vulnerability in Server Service Could Allow Denial of Service (923414)
http://www.microsoft.com/technet/security/bulletin/MS06-063.mspx
Microsoft Severity Rating: Important
Severity Rating: Medium
Description
The title of this bulletin claims that this patch is fixing a Denial-of-Service
vulnerability, but upon further inspection one will notice that there is also a
remote code execution issue.
CVE-2006-3924 is the Denial-of-Service vulnerability that
stems from the way that the server service handles certain network messages. The
second issue fixed in this bulletin is CVE-2006-4696, which is a remote code
execution vulnerability in the way that the service handles certain network
messages. Note that in order to exploit this issue, an attacker would require
valid logon credentials for the attacked machine.
Recommendations
These vulnerabilities present a fairly low risk from remote attackers as a
typical organization will not allow UDP ports 135, 137, 138, and 445, and TCP
ports 135, 139, 445, and 593 through their corporate gateways. As such, we
suggest that you install this patch as part of your normal change control
procedures.
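The low-risk rating above depends on the gateway actually blocking those ports.
One way to check that against an exported rule list is sketched below. This is
an added example, not part of the original bulletin summary; the rule format
and the sample rules are constructed for illustration and follow no vendor's
syntax.

```python
# Added example: audit an inbound gateway rule list for the ports named in
# the MS06-063 recommendation. Rule format is constructed (assumption):
#   <allow|deny> <tcp|udp|any> <port | lo-hi | any>
# Rules are evaluated top-down and the first match wins.

# Ports listed in the MS06-063 recommendation text.
MS06_063_PORTS = {
    "udp": [135, 137, 138, 445],
    "tcp": [135, 139, 445, 593],
}

# Constructed sample: looks tight, but a broad range lets TCP 593 through.
SAMPLE_RULES = """\
deny  tcp 135-139   # NetBIOS / RPC endpoint mapper
deny  udp 135-139
allow tcp 80
allow tcp 443
deny  tcp 445       # SMB
allow tcp 500-1000  # legacy application range
allow udp 53
"""

def parse_rules(text):
    """Return a list of (action, proto, lo, hi) tuples from rule text."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.lower().split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields")
        action, proto, ports = parts
        if action not in ("allow", "deny") or proto not in ("tcp", "udp", "any"):
            raise ValueError(f"line {lineno}: bad action or protocol")
        if ports == "any":
            lo, hi = 0, 65535
        else:
            lo_s, _, hi_s = ports.partition("-")
            lo = int(lo_s)
            hi = int(hi_s) if hi_s else lo
        rules.append((action, proto, lo, hi))
    return rules

def verdict(rules, proto, port, default="deny"):
    """First matching rule decides; fall back to the gateway's default."""
    for action, r_proto, lo, hi in rules:
        if r_proto in (proto, "any") and lo <= port <= hi:
            return action
    return default

def exposed_ports(rules, default="deny"):
    """List the (proto, port) pairs from the bulletin that the rules allow."""
    return [(proto, port)
            for proto, ports in MS06_063_PORTS.items()
            for port in ports
            if verdict(rules, proto, port, default) == "allow"]

if __name__ == "__main__":
    for proto, port in exposed_ports(parse_rules(SAMPLE_RULES)):
        print(f"{proto.upper()} {port} is allowed inbound; patch priority rises")
```

If any port is reported, the "normal change control" timing above no longer
rests on the gateway, and the patch should be scheduled accordingly.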
--------------------------------------------------------------------------------
MS06-064
Vulnerability in TCP-IP IPv6 Could Result in Denial of Service (922819)
http://www.microsoft.com/technet/security/bulletin/MS06-064.mspx
Microsoft Severity Rating: Low
Severity Rating: Low
Description
This bulletin fixes three Denial-of-Service vulnerabilities in Microsoft's
implementation of IPv6. Each vulnerability has its own CVE number, and each
results in a denial of service:
CVE-2004-0790 - ICMP Connection Reset
CVE-2004-0230 - TCP Connection Reset
CVE-2005-0688 - Spoofed Connection Reset
Note from the CVE numbers that these vulnerabilities have
been known to Microsoft for quite some time.
Recommendations
The risk here is very low, so this patch can be installed as part of your normal
upgrade management process.
--------------------------------------------------------------------------------
MS06-065
Vulnerability in Windows Object Packager Could Allow Remote Execution (924496)
http://www.microsoft.com/technet/security/bulletin/MS06-065.mspx
Microsoft Severity Rating: Moderate
Severity Rating: Medium
Description
This bulletin addresses an issue, CVE-2006-4692, that exists in Windows Object
Packager due to the way that file extensions are handled. Upon user interaction,
this vulnerability allows for remote code execution in the context of the
logged-in user.
Recommendations
User interaction is required for this vulnerability to be used in a successful
attack. This means that not only would a user have to visit a malicious website,
but also click on a number of dialogue boxes before exploitation would occur. We
recommend you install this patch as part of your normal patch management process
and remind users to not visit potentially malicious websites or run unknown
code.