Secure360 Conference Educates Hundreds on Security Topics—and I Discover Another Photogenic Downtown

Posted in Other, Security on May 18th, 2011 by Robin

Hot on the heels of COMMON, the Upper Midwest Security Alliance (UMSA) last week welcomed the 6th annual Secure360 Conference to St. Paul, Minnesota. Hundreds of attendees packed the RiverCentre for interesting keynote presentations and a full agenda of breakout sessions. Topics ranged from speaking effectively about technical topics to non-technical people, to the new and emerging threats of 2011. A presenter from the FBI discussed the devastating effects of industrial espionage, and a representative of the Israeli Security Forces spoke to the scary reality of the future of terrorism.

If you’ve been following the security news this week, you no doubt have heard about the latest breach, this time involving Michaels craft stores. In locations spanning 20 states, criminals have been intercepting credit and debit card transactions long before the data ever reaches the database where it can be secured. Despite the use of PCI-approved point of sale (POS) devices, it’s believed that the approved devices were brazenly swapped out (yes, swapped out!) for compromised devices that could then pass the card number and PIN to a nearby perpetrator. This is similar to a breach at Hancock Fabrics, another craft store chain, in 2009. Why have smaller retailers been targeted for this type of attack? One reason might be that they often have fewer staff, making it easy to distract those who are working. Unattended checkout lanes allow an accomplice to move in and tamper with a POS device. No amount of database and server technology can prevent this form of social engineering attack. Even in countries that have migrated toward chip-based cards and readers, thieves have been known to disable the chip-reading sensor, forcing the card owner to swipe the card on the device.

“Skimming” is the name given to the act of collecting credit card data as the card is swiped through a magnetic reader. This is typically accomplished using a (concealed) physical modification to an ATM or POS device. The technology has advanced to the point where even a diligent employee or consumer is sometimes unable to detect its presence. Keyboard overlays may even supply the associated PIN over a Bluetooth connection. Sadly, this means that you could very well be the unwitting victim of credit card fraud even before the ATM has had time to dispense your cash. Card usage analytics may be the best way to detect this type of crime, but that means card issuers are forced to work in a reactive mode. One thing is certain: the increasing frequency and sophistication of these types of attacks are going to have card issuers working hard to develop more sophisticated prevention and detection measures.

My recent downtown travel has opened my eyes to just how much there is to see and do in Minneapolis and St. Paul. I have lived and worked in the western suburbs since my move to Minnesota in the summer of ’09, and I’m a little embarrassed to say that I haven’t made much effort to explore the downtown area of either city. From the architectural magnificence of the Minnesota State Capitol and the Cathedral of St. Paul, to the fun of the river parks and museums, there is something here for everyone. I know I’ll be returning often this summer! To share this “discovery,” my photograph this week is of one of the staircases inside the Capitol leading up to the Senate Chambers. From the dramatic marble pillars, to the intricate stonework, I think you’ll agree that the architecture is quite stunning. I hope you like what I was able to capture on digital film.

For more information on PowerTech’s suite of IBM i security solutions, visit www.powertech.com.

Cheers!

- rt

Help/Systems Celebrates with COMMON in Minneapolis

Posted in Other, Security on May 12th, 2011 by Robin

The vendor Expo has packed up and closed its doors, and hundreds of out-of-town attendees and speakers have long departed. So ends COMMON’s annual meeting for another year.

The event was hugely successful for all the Help/Systems brands. And, having the annual meeting in our corporate hometown of Minneapolis allowed us to command a larger-than-normal presence. The exposition was well attended and a lot of attendees visited us to discuss the latest in security, automation, and database functions. I spent a little time at our booth between my presentations as it’s always fun to see familiar faces, as well as an opportunity to meet new people. Our evening social event was a huge success, and we had throngs of people enjoying food and cocktails down at “The Local” pub. During this event, we were excited to give away a fantastic iPad, as well as a scaled-down version of the Koenig coffeemaker that many people enjoyed using at our booth during the Expo. The round of applause for the excited winners suggested our enthusiasm was not unfounded. Does it get any better than that?

On a personal level, I was honored to be recognized as a “COMMON Speaker of Merit.” This award is based on attendee surveys from prior events, and is a combined evaluation of session content and, of course, a speaker’s ability to present it. Thanks to everyone who attended my sessions this year—it’s always a pleasure to help educate and share security information with so many of you. It was reassuring to see smiling faces in the audience after I discovered that “public speaking” beats out even “death” as most people’s biggest fear! I learned that interesting tidbit during an award-winning presentation by Randall Munson on the topic of “How to be a Fantastic Technical Speaker.”

So au revoir COMMON; we’ll see you again soon! (St. Petersburg in October and Anaheim in May.)

This week’s photograph is of a beautiful custom-painted chopper I saw for sale recently. Although (unfortunately) I didn’t purchase the bike, I thought it was suggestive of the imminent arrival of those hot summer days.

For more information on PowerTech’s suite of IBM i security solutions, visit www.powertech.com.

Cheers!

- rt

Good Guys Turned Bad Guys

Posted in Other, Security on May 5th, 2011 by Robin

I frequently preach to security audiences about the dangers of “insider threat,” so it was interesting to read a recent article by Tam Harbert in Computerworld magazine, entitled “When Trusted IT Pros Go Bad.”

While many organizations assume that a breach of their perimeter defenses represents the greatest risk, studies indicate that the majority of data that is lost, stolen, or damaged is lost as a result of an authorized user operating inside the firewall. On IBM i, this can be partly attributed to the fact that many organizations base their security on the legacy model of menus and command line restrictions. Unfortunately, with IBM i support of powerful TCP/IP services, a user isn’t always presented with a menu or restricted from executing commands. A user simply has to supply a user profile and password—something that most users are given as soon as they’re hired—to gain full access to the data assets. Sadly, our “State of IBM i Security” study shows that many companies deploy easily decipherable user profile naming conventions and require only simple passwords. Too often, administrators leave open doors to their systems by allowing numerous enabled profiles with default passwords.

While we might acknowledge the possibility of an application user exceeding their authority to access restricted data, or using authorized data in an unapproved way (for example, downloading information to a USB device), the article was a chilling reminder of something far more sinister: When a trusted IT user goes rogue.

The article leveraged a series of shocking real-world examples to portray how the most dangerous users in any environment are those with powerful access and the knowledge to use it. When a user holds a position of trust, it can be that much more difficult to identify and remedy the situation. The article’s examples highlighted the challenge that several employers faced when they were unable to simply fire an employee who possessed the virtual keys to the kingdom. One company went as far as concocting a ruse to send a rogue employee on an urgent cross-country flight! This provided a window of several hours for other staff to change passwords and secure the IT assets to which he had administrator access. Such extreme measures became necessary after it came to light that the employee owned a company that had sold more than a half-million dollars in pirated software to his employer.

Another company made the mistake of incorrectly handling the firing of an extremely powerful employee after they discovered evidence of various illegal activities. While the employee’s manager and a security guard were hurrying to his office, a human resources representative called the employee to tell him to stay put. Unfortunately, suspecting he had been discovered, the employee had adequate time to delete an encryption key ring. This ring contained the only copies of encryption keys for about 25 employees in the legal and contract departments. (The article pointed out the irony that many companies don’t back up this type of information due to its sensitive nature.) This had the effect of permanently encrypting the data and amounted to an estimated 18 person-years of lost productivity.

Corporate embarrassment is often overlooked as an additional challenge posed by rogue employees. Companies prefer not to shine a spotlight on the fact that their controls were breached by one of their own. Take the case of the system administrator who brought down a Fortune 500 company with “logic bombs” designed to cause entire banks of servers to crash. Originally a star performer in the IT department, the employee was granted immunity from prosecution in return for her help to fix the issue, and also with the agreement to never speak publicly about the incident. According to Larry Ponemon, a renowned security researcher, the company didn’t want her “going on Oprah and talking about how she broke the backbone of a Fortune 500 company.”

The motivation for any employee to turn rogue typically falls into one of two categories: financial gain and revenge. When that user operates within the “circle of trust,” it can be difficult to detect illegal activities, since such users are often able to gain greater access and subsequently cover their tracks. Examples of employees seeking financial gain include hacking ATMs to dispense cash but not record the transaction (Bank of America), and stealing valuable computer code (Goldman Sachs). Revenge usually manifests itself in internal damage to the infrastructure or data assets. Attacks in recent years have included code set to destroy data on nearly 5,000 servers (Fannie Mae), and a disgruntled worker who included logic that affected 1,000 computers and caused about $3 million in damages (UBS PaineWebber).

It’s unlikely you’ll ever be able to totally eradicate the risk of malicious intent by powerful and trusted internal users, but strong controls can (and should) be implemented to ensure that these people are treated with the same caution as any other user. People are human, and a powerful title does not (or rather should not) place someone above reproach or suspicion. That’s certainly a lesson that corporate America has learned the hard way during recent years! PowerTech Authority Broker can help to control and manage powerful profiles on IBM i systems. By reclaiming the excessive power and freedom that these administrator-class users often enjoy, and by providing an audit trail of their activities, it becomes easier to build in the necessary safeguards to ensure that you are not the next victim of one of these horror stories.

For more information on managing powerful users, including a demonstration of Authority Broker, attend our May 25th Webinar, Crowd Control – Managing Data Access for Powerful Users.

Cheers!

- rt

Massive Security Breach Takes all the Fun out of Sony PlayStation Network!

Posted in Other, Security on April 28th, 2011 by Robin

Hot on the heels of the recent Epsilon embarrassment, the Sony PlayStation Network (PSN) remains completely shut down (11 days now and counting) after a massive security breach. In addition to accessing the user credentials, addresses, birth dates, and purchase history of subscribers, it has been suggested that the hackers also may have stolen credit card information. Sony has responded that there is currently no evidence to support that suggestion, and that all of the credit card data on their servers is encrypted.

Unfortunately, hackers typically work hard to cover their tracks, and so it’s quite likely that Sony may have very little idea at this point exactly what has been accessed. What is already known is that Sony remained silent for almost a week before notifying users of the breach, an event that some sources claim might involve more than 77 million records—including those of many minors—making it another headline-grabbing embarrassment. According to Computerworld magazine, this delay may have been the result of Sony’s fear of a public relations backlash, a law enforcement request, or both. It’s also not out of the question that Sony’s security defenses focused on preventing and detecting a breach, and they may not have the tools or infrastructure necessary to quickly determine what was accessed once a breach occurred.

A class-action lawsuit has already been filed against Sony by a subscriber, claiming that the company didn’t adequately secure the private information in their care. Regardless of the financial outcome of that case, it is certainly causing additional pain and suffering to Sony. Until a full forensics analysis can be completed, Sony has suggested that users should change their password, and also consider changing passwords for other web-based services if those passwords are common to their PSN account.

I can’t over-emphasize the importance of implementing—and also frequently testing—solid security procedures and controls. These controls should not only detect an attempted breach, but also provide a forensic trail of what critical data was accessed if someone is able to find a way in. Fortunately, PowerTech provides solutions like Network Security and DataThread to help with both of these challenges.

On a lighter note, all of the Help/Systems brands (and me!) are busy readying for COMMON. If you’re going to be in Minneapolis next week, please stop by booth #210 in the Expo. In addition, I’d like to offer a reminder to attend our Night Out with Help/Systems event on Tuesday evening for drinks, food, and a chance to win an iPad! The event is being held from 5 to 8 p.m. at “The Local,” which is conveniently located within walking distance of the conference center.

I took this week’s photograph without any planned intent or expectation. Last weekend, a couple of old trucks caught my eye while I was driving. Fortunately, I had my camera in the car with me, so I turned around and went back. As with several of my favorite images, it was a case of being in the right place at the right time and seeing a photo opportunity when most people would not. As with security, I’ve found that being prepared for the unexpected can be a valuable technique, as sometimes you are faced with an event or an opportunity that was unforeseen and unplanned. I think Sony would have to agree with that. This is another image showcasing the high-dynamic range (HDR) imaging technique I have been exploring recently.

As always, drop me a line if you have any questions about IBM i security, or if you would like to know more about the solutions that PowerTech provides.

Cheers!

- rt

Socialize with PowerTech and Help/Systems at COMMON and You Could Win an iPad

Posted in Other, Security on April 22nd, 2011 by Robin

It’s hard to believe that a year has already passed since the previous annual pilgrimage of IBM i professionals! To help celebrate COMMON’s return to our corporate hometown of Minneapolis, Help/Systems is hosting a Social Event on Tuesday, May 3. We’re planning the event to welcome the arrival of our customers, and other IBM i users, from around the world. At 6 p.m., we’ll draw the name of one lucky attendee who will walk out as the owner of an awesome Apple iPad. Just remember, you must be present to win! Tell your friends; we hope to see you all there!

Date: Tuesday, May 3
Time: 5 to 8 p.m.
Location: The Local, 931 Nicollet Mall, Minneapolis, MN 55402
RSVP/More Info: Night Out with Help/Systems

Of course, please also plan on visiting us in the Exposition Hall where the PowerTech, SEQUEL, and Help/Systems lines of solutions will be represented at booth #210. In addition, I will be conducting several sessions on IBM i security topics.

This week, I was back in Nashville, Tennessee, to meet with some large customers and present a session to the local IBM i User Group on the danger posed by the abuse of FTP, ODBC, and remote commands. There was a great discussion about the legitimate use of PC tools and how it can be difficult, and usually counterproductive, to simply shut them down. Fortunately, PowerTech offers Network Security as the perfect solution for allowing controlled use with powerful access control and critical auditing and notification functions.

While I was in Nashville, I discovered something surprising that I had missed on previous trips. In the beautiful Centennial Park, there is a scaled replica of the Parthenon. Built in the late 1800s to celebrate Tennessee’s bicentennial, the structure was made permanent in the 1930s. For this week’s photograph, I used an HDR technique to manage the wide-contrast range of the scene and to bring out the rich textures of the amazing stonework. I hope you like it.

As always, drop me a line if you have any questions about IBM i security, or if you would like to know more about the solutions that PowerTech provides.

Cheers!

- rt

Epsilon Data Breach May Be The Largest Ever

Posted in Other, Security on April 13th, 2011 by Robin

Well, it’s happened again. Last weekend, my Blackberry lit up with no fewer than three separate e-mails from global financial companies that I do business with, all of which reported that information on me had been compromised. While I entrust these organizations with my e-mail information, they apparently all used a common third-party firm to handle their e-mail marketing. Epsilon, a company headquartered in Dallas, Texas, admitted that a “subset” of its clients’ customer data had been exposed by an unauthorized entry into its e-mail system. I’ve received these types of notifications before, but to see several in one day was a new twist.

While all three businesses were quick to stress that no financial data had been stolen, it serves as yet another sobering reminder that unauthorized access is not only possible, but likely, somewhere in the information supply chain. I certainly wasn’t aware that my data was being shared with this particular firm, and yet I am now exposed to an increase (if that’s possible) in solicitations for sexual enhancement pharmaceuticals and messages from members of the Nigerian Royal Family, or worse. It’s an interesting irony that we are expected to be grateful that it was “only” our name and personal e-mail address that was exposed (hence the reason I use a Yahoo e-mail address for non-personal communication). Of course, as e-mail phishing attacks continue to become more sophisticated, having the names and e-mails of actual living people may increase the potential for those attacks to become more personalized.

Despite the irritation and inconvenience this represents to me as a consumer, I can’t help but be interested as a security professional. Questions immediately come to mind about how the breach might have happened, and subsequently how it was discovered. I wonder if a well-architected incident response (IR) plan was set in motion, or whether blind panic ensued as I.T. staff scrambled to locate and patch the source of the unauthorized entry. I also imagine that the impact on their reputation will be significant. While all businesses hope to never be the victim of a security scandal, it’s strongly recommended you plan that it’s going to happen sooner or later. I’m sure that the mindset at Epsilon has probably shifted dramatically from just a couple of weeks ago. Ask if your business has the controls in place to detect a breach attempt and to accurately determine the scope if it’s successful. Of course, the determination that a breach has occurred should be followed by a swift, organized response. This is what can ultimately make the difference between an unfortunate incident and a global calamity.

I’ve always found it interesting (and somewhat surprising) how many people still think that data breaches and data loss are relatively uncommon. I think that stems from the fact that most of us base our awareness on reports of only large-scale events, like the ones experienced by TJ Maxx, Heartland Data Systems, and now Epsilon. However, a quick look at the chronology of data breaches maintained by Privacy Rights Clearinghouse paints a very different picture. In fact, there are now so many entries in the list that their Web site provides search and filtering functions. Already in April, there’s been an average of one event per day (as of April 11).

In the case of the Epsilon breach, the affected companies are now believed to number well over one hundred, and include internationally recognized names such as Citi, ExxonMobil, and Verizon. I personally received notifications from Ameriprise Financial, Capital One, and US Bank. According to CBS News, the breach event is currently being investigated by the U.S. Secret Service, and consumers are encouraged to report spam to phishing-report@us.cert.gov.

While no software or hardware solution eliminates 100% of the risk, it does help bring that risk down to a level deemed acceptable to the business. PowerTech is proud to provide the leading suite of access control and activity detection software for IBM i servers, and helps companies all over the globe fight the ongoing battle against data misuse.

On a lighter note, it’s been a while since my blog included anything other than a quick photo snapshot, so I thought I would share my first real attempt at High-Dynamic-Range Imaging (HDRI). This process works by combining multiple images of the same scene taken at varying exposures, and then using special software to remap the color tones. This enables the photographer to attain a result that doesn’t suffer from the contrast restrictions of electronic and print media. Google Images has some great HDR examples ranging from subtle to very surreal. I hope you like the image that I was able to capture of this covered bridge in my home town. Taken in near darkness, exposures ranged from about ten seconds to more than two minutes. Expect to see more of HDR images as I delve deeper into this exciting, and relatively new, form of photographic art.

Oh yes, one last security note: For those of you who have been waiting patiently for the release of the 2011 “State of IBM i Security” white paper, it’s now available for download at www.powertech.com.

As always, let me know if you have any questions about PowerTech, our full line of powerful security solutions, or anything photographic!

Cheers,

- rt

State of IBM i Security Study Finds Vulnerabilities Are No Joke!

Posted in Other, Security on April 7th, 2011 by Robin

Last week saw the usual plethora of “April Fool” pranks and hoaxes. My teenage son, Jordan, tried to freak me out by sending an alarming text message confessing that the police were in the process of confiscating a “controlled substance” from his high school locker! Although my son found plenty of humor in his attempt to give me heart failure, thank goodness there was no such thing. And, then there was Google’s announcement of the availability of their revolutionary motion-activated e-mail client, called “GMail Motion.” Powered by body gestures and a Webcam, the announcement included a complete “motion guide” and videos of experts touting how this technology is the dawn of a new era in computer interfacing. Google played on their well-earned reputation for innovation, but I’m proud to say that I didn’t fall for it. But I know many people did.

The week also saw PowerTech revealing a sneak peek of the 2011 edition of our popular “State of IBM i Security Study.” Unfortunately, what we revealed wasn’t a hoax and, for most IBM i shops, there wasn’t much to laugh about.

While regulatory compliance is an overwhelming driver of the majority of our customer conversations, it appears that mandates to secure IBM i servers and data still haven’t been fully realized.

This year’s statistics were aggregated from 243 systems of all shapes and sizes, serving applications to virtually every industry. We documented some alarming averages: over 300 inactive user profiles, 68 profiles with default passwords, and 46% of systems with no firewall in place to control and audit users accessing the system from powerful desktop interfaces.
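To make two of those findings (inactive profiles and profiles with default passwords, the same open doors described in the “Good Guys Turned Bad Guys” post) concrete, here is an added example of the checks behind them, written for this page rather than taken from PowerTech’s tools or the study’s data. The profile inventory, the names and dates in it, and the 90-day inactivity threshold are all constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

# Constructed inventory of user profiles, an assumption for this example rather
# than data from the study. On a real system these fields would come from a
# DSPUSRPRF *OUTFILE export (status, last sign-on, special authorities) and from
# ANZDFTPWD, which reports profiles whose password equals the profile name.
@dataclass(frozen=True)
class UserProfile:
    name: str
    status: str                   # "*ENABLED" or "*DISABLED"
    last_signon: Optional[date]   # None means the profile has never signed on
    default_password: bool        # password is the same as the profile name
    special_authorities: frozenset[str] = frozenset()

AS_OF = date(2011, 4, 7)            # the day the (constructed) inventory was taken
INACTIVE_DAYS = 90                  # assumed threshold for "inactive"
POWERFUL = frozenset({"*ALLOBJ", "*SECADM"})

SAMPLE_PROFILES = [
    UserProfile("QSECOFR", "*ENABLED", date(2011, 4, 1), False,
                frozenset({"*ALLOBJ", "*SECADM", "*AUDIT"})),
    UserProfile("JSMITH", "*ENABLED", date(2011, 3, 28), False),
    UserProfile("MJONES", "*ENABLED", date(2011, 3, 1), False),
    UserProfile("TEMP1", "*ENABLED", date(2010, 11, 15), True),
    UserProfile("OLDDEV", "*DISABLED", date(2010, 6, 1), True,
                frozenset({"*ALLOBJ"})),
    UserProfile("APPUSR", "*ENABLED", None, False, frozenset({"*ALLOBJ"})),
    UserProfile("BACKUP", "*ENABLED", date(2010, 12, 20), False,
                frozenset({"*SAVSYS"})),
]

def default_password_profiles(profiles: Iterable[UserProfile],
                              enabled_only: bool = True) -> list[str]:
    """Profiles still carrying a default password. Enabled ones are the urgent
    finding: a guessed profile name is also the password, and it works just as
    well over FTP or ODBC as at a menu."""
    return sorted(p.name for p in profiles
                  if p.default_password
                  and (not enabled_only or p.status == "*ENABLED"))

def inactive_enabled_profiles(profiles: Iterable[UserProfile], as_of: date,
                              days: int = INACTIVE_DAYS) -> list[str]:
    """Enabled profiles that have not signed on within `days`; a profile that
    has never signed on counts as inactive. Disabled ones are already contained."""
    return sorted(p.name for p in profiles
                  if p.status == "*ENABLED"
                  and (p.last_signon is None
                       or (as_of - p.last_signon).days > days))

def powerful_enabled_profiles(profiles: Iterable[UserProfile]) -> list[str]:
    """Enabled profiles holding *ALLOBJ or *SECADM, the "keys to the kingdom"."""
    return sorted(p.name for p in profiles
                  if p.status == "*ENABLED"
                  and p.special_authorities & POWERFUL)

def risk_report(profiles: list[UserProfile], as_of: date = AS_OF,
                days: int = INACTIVE_DAYS) -> dict[str, list[str]]:
    """Roll the checks up the way the study reports them, plus the intersection
    nobody wants to see: a powerful profile that is also inactive."""
    inactive = inactive_enabled_profiles(profiles, as_of, days)
    powerful = powerful_enabled_profiles(profiles)
    return {
        "default_password": default_password_profiles(profiles),
        "inactive": inactive,
        "powerful": powerful,
        "powerful_and_inactive": sorted(set(inactive) & set(powerful)),
    }

if __name__ == "__main__":
    for finding, names in risk_report(SAMPLE_PROFILES).items():
        print(f"{finding:>22}: {len(names):3d}  {', '.join(names)}")
```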

The final white paper will be released to the general public in the next few days. In addition, if you’d like to view the recent Webinar discussing a number of the important statistics, just visit the PowerTech web site. Our most recent Webinars are listed in the center of the page.

Let me know if you have any questions about PowerTech’s Compliance Assessment tool, the study findings, or our full line of mitigating solutions!

Cheers,

- rt

Houston Welcomes PowerTech and NCAA Final Four

Posted in Other, Security on March 30th, 2011 by Robin

Last week, I made a trip to Houston, Texas, on very short notice. Unfortunately, that last minute booking meant that the price of my airline seat was probably five times what it would have been if I’d booked a month or two ahead of time. I felt a little better when I was upgraded to First Class (based on my frequent flier status, not ticket price), but as I sat looking at my fellow passengers I couldn’t help but wonder how much they had paid for their tickets. I figured that every single one was probably different.

I have never even attempted to understand how an airline can justify how two same-class seats on the exact same flight can cost two wildly different amounts, or how two long flight segments can cost less than a short direct flight. It is especially befuddling when a direct flight from a local airport costs more than a one-stop flight from an alternate airport when the connection is on the original direct flight! As a programmer by trade, I can only imagine how complex the pricing algorithm is for an airline’s booking system.

Fortunately, pricing of our powerful security solutions is a lot simpler. The cost doesn’t change regardless of whether you want to start protecting your servers today, or run the risk of waiting until next week. It also doesn’t change if you are being proactive or have already been the unfortunate victim of a data breach (will you even know?). That’s because our pricing model is based on two simple variables: the size of your server and the number of copies you need. And, while we do have occasional pricing increases—after all, we have increasing costs to cover as well—the increases are known in advance and easy to budget for.

In addition to an easy-to-understand pricing model, we’ve bundled our most popular solutions into a cost-effective security “suite.” We also introduced the option to purchase maintenance contracts in one-, three-, or five-year increments. This allows you to accurately budget for your ongoing costs, as well as lock in at today’s lower rates. We hope it’s reassuring to our customers to know that our pricing won’t quadruple just because we sold another “seat” to the customer immediately before you!

Sadly, I didn’t have much time in Houston (despite the 84-degree weather literally begging me to stay). But, I did snag a great photo of a downtown office celebrating the arrival of the NCAA Final Four basketball tournament. It certainly supports the self-imposed reputation that “everything’s bigger in Texas!”

Let me know if you have any questions about PowerTech’s full line of (consistently-priced) security solutions!

Cheers,

- rt

Forensic Analysis Isn’t Just on TV

Posted in Other, Security on March 23rd, 2011 by Robin

A couple of weeks ago, I attended a fascinating presentation by a local Minneapolis firm that specializes in forensic audits. These are the guys hired by companies that suspect criminal behavior within their ranks. While not technically a law enforcement entity, their expertise centers on finding hidden evidence. The presenting experts were an ex-law enforcement officer who worked on St. Paul’s “Crimes Against Children” task force, and a trained interrogator who painted a picture of how it’s possible to dissect a computer to find evidence of wrongdoing.

We heard the tale of a hospital manager who was ordering expensive supplies on behalf of his employer, and then turning around and supplementing his disposable income by selling them on Craigslist. He even got confident enough in his fraudulent scheme to start drop-shipping some of the orders directly to his “customers.” He was finally caught after his computer showed evidence of ghost orders totaling approximately $250,000, and incriminating e-mails from one of his various online buyers. Then, there was the female employee who claimed sexual harassment from her supervisor, but was subsequently found out in an e-mail message to be buying cocaine from that same supervisor! These were staggering cases that took some time to solve, but both were carried to prosecution on the weight of the computer forensics.

I was particularly fascinated by the topic as I love true-crime shows on television. I love to hear how people think they’ve committed the elusive “perfect crime.” Unfortunately (usually for the perpetrator), it’s often the littlest details that get them caught. One example was the case of a woman whose Internet search for “how to kill someone without getting caught” became evidence after her husband mysteriously turned up dead.

Fortunately, PowerTech has never had to consult in a murder case. However, our software does enable security teams to perform detailed forensic analysis of events that take place on an IBM Power Systems server. IBM i has an extensive (and often under-utilized) facility to log activities performed by system and application users. If logging events for all users garners too much log data, you can narrow it down to specific users, or even specific objects accessed by those specific users.

As I mentioned, many customers still don’t make use of this capability, but the biggest challenge for those that do is usually analyzing and interpreting the data. No one in their right mind wants to manually pore over log entries that can number in the millions per day. Even if a person wanted to, realistically it wouldn’t be humanly possible. PowerTech is well-versed in this dilemma and has several powerful solutions to help with the burdensome aspect of the task, including escalating the log entries to an enterprise monitoring tool in syslog format. We also help many customers via the advanced analysis capabilities of Compliance Monitor. And if you want to get down to the database record and field level, we have DataThread. These solutions ensure that your security staff is equipped to react to issues in a timely manner and, by doing so, reduce risk. Who wouldn’t want their security team to have the proper equipment necessary to enforce and react to questionable activities?
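As an added illustration of the two ideas in the last two paragraphs (narrowing the audit log to particular users and objects, then summarizing and escalating in syslog format rather than reading entries by hand), here is example code written for this page, not a PowerTech product. The audit records, the watched object, the thresholds and the host name are constructed; the two-letter entry types follow the IBM i audit journal (QAUDJRN) convention, but the flat five-field layout is a simplification assumed for the example.

```python
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

# Simplified audit record. Entry types: AF = authority failure, ZR = object read,
# ZC = object change, DO = delete operation (QAUDJRN names; the real journal
# carries many more fields than the five used here).
@dataclass(frozen=True)
class AuditEntry:
    timestamp: datetime
    entry_type: str
    user: str
    library: str
    obj: str

# Constructed sample: one business day on a system that audits a payroll file.
SAMPLE_LOG = """\
2011-03-22T08:01:10 ZR JSMITH PAYLIB PAYROLL
2011-03-22T08:01:12 ZR JSMITH PAYLIB PAYROLL
2011-03-22T08:05:40 AF TEMP1 PAYLIB PAYROLL
2011-03-22T08:05:41 AF TEMP1 PAYLIB PAYROLL
2011-03-22T08:05:43 AF TEMP1 PAYLIB PAYROLL
2011-03-22T09:12:03 ZC APPUSR PAYLIB PAYROLL
2011-03-22T09:30:00 ZR MJONES SALESLIB ORDERS
2011-03-22T23:58:17 DO APPUSR PAYLIB PAYROLL
2011-03-22T23:59:02 ZR MJONES SALESLIB ORDERS
"""

def parse_log(text: str) -> list[AuditEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, etype, user, lib, obj = line.split()
        entries.append(AuditEntry(datetime.fromisoformat(ts), etype, user, lib, obj))
    return entries

def narrow(entries: Iterable[AuditEntry], users: Optional[set[str]] = None,
           objects: Optional[set[str]] = None) -> list[AuditEntry]:
    """Narrow the journal by user, by LIBRARY/OBJECT, or both; None = no filter."""
    kept = []
    for e in entries:
        if users is not None and e.user not in users:
            continue
        if objects is not None and f"{e.library}/{e.obj}" not in objects:
            continue
        kept.append(e)
    return kept

def summarize_by_user(entries: Iterable[AuditEntry]) -> dict[str, Counter]:
    """Per-user counts of each entry type: the first view a reviewer wants
    instead of a raw listing."""
    summary: dict[str, Counter] = defaultdict(Counter)
    for e in entries:
        summary[e.user][e.entry_type] += 1
    return dict(summary)

def find_suspicious(entries: Iterable[AuditEntry], watch_objects: set[str],
                    af_threshold: int = 3, off_hours=(22, 6)) -> list[tuple]:
    """Findings worth escalating: repeated authority failures against a watched
    object by one user, and change/delete of a watched object outside business
    hours (assumed here to be 22:00 to 06:00). Returns (user, object, message)."""
    findings = []
    af_counts: Counter = Counter()
    for e in entries:
        key = f"{e.library}/{e.obj}"
        if key not in watch_objects:
            continue
        if e.entry_type == "AF":
            af_counts[(e.user, key)] += 1
        hour = e.timestamp.hour
        after_hours = hour >= off_hours[0] or hour < off_hours[1]
        if e.entry_type in ("ZC", "DO") and after_hours:
            findings.append((e.user, key,
                             f"{e.entry_type} outside business hours at {e.timestamp.isoformat()}"))
    for (user, key), n in af_counts.items():
        if n >= af_threshold:
            findings.append((user, key, f"{n} authority failures"))
    return findings

def to_syslog(host: str, finding: tuple, when: datetime) -> str:
    """Render a finding as a BSD-style (RFC 3164) syslog line for an enterprise
    monitor: facility auth (4), severity warning (4), so PRI = 4 * 8 + 4 = 36."""
    user, key, msg = finding
    stamp = when.strftime("%b %d %H:%M:%S")
    return f"<36>{stamp} {host} ibmi-audit: user={user} object={key} {msg}"

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for user, counts in summarize_by_user(log).items():
        print(user, dict(counts))
    for f in find_suspicious(log, {"PAYLIB/PAYROLL"}):
        print(to_syslog("ibmi01", f, log[-1].timestamp))
```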

I often have to meet with executives to explain how spending money on security adds value to an organization. While it might not be as immediately quantifiable as a new machine in the factory, there are plenty of ways to demonstrate a return on security investment (ROSI). In fact, if some of the companies in my earlier examples had had better controls and tools in place, these unfortunate, embarrassing, and definitely costly situations might have been averted.

If you would like to learn more about how to analyze your IBM i event log, give the experts at PowerTech a call.

Cheers,

- rt

PowerTech Readies 2011 Security Study

Posted in Other, Security on March 17th, 2011 by Robin

For the past couple of weeks, the PowerTech team has been busy analyzing the data for the 2011 “State of IBM i Security” study update. This white paper continues to be one of our most popular downloads, and is a frequently requested topic for local user group presentations. This update will mark the eighth consecutive year of its publication.

The security data used for this study is collected via an “opt in” feature in our free Compliance Assessment tool. We harvest the anonymous information from the authorized systems—no corporate application data is retained, nor is anything that would compromise the integrity of the customer’s security infrastructure identifiable. This year, we analyzed data collected from 182 systems, as well as 61 systems collected by a non-PowerTech source.

While the results do not provide annual trends (we don’t knowingly reassess the same systems twice), we continue to see significant room for improvement in the implementation of security controls in IBM i environments. Despite the many customers that approach PowerTech for help with stringent compliance requirements—Sarbanes-Oxley, HIPAA, and PCI are the most common—the majority of companies reviewed still are not leveraging the resources that have been available for many years. This supports the general opinion that there’s a broad lack of knowledge in the IBM i community on what capabilities are already owned, and how to effectively implement them. The data also indicates that many systems remain unprotected from network access, and have no forensic auditing facility.

One debate we sometimes have is whether the data we collect is truly a random sample and representative of the true state of security. While we readily acknowledge that these systems have been “chosen” by the very nature of their inclusion in our assessment process, we do contend that the servers we assess are a random sampling of system sizes and application types, and that they come from enterprises in every industry and numerous geographic regions. One could argue that the customers that come to us influence the study by having enough awareness of security vulnerabilities to request an assessment, or that these are enterprises that have not already secured their systems. Both arguments have credibility, but based on the overwhelming evidence of more than 1000 systems being unsecured, my professional opinion is that we are stating the vulnerabilities fairly.

We’ll be revealing the 2011 study to the public during a Webinar on March 30, so join us to hear about the latest findings.

Cheers,

- rt