Tom Olzak

Posts Tagged ‘Business Continuity’

A Different Kind of Whitelist?

In Business Continuity, Cybercrime, Email, Phishing, Risk Management, Spam on September 30, 2010 at 13:45

During my years as a security director, one of the weekly challenges I faced was how to tell my peers in engineering that we had more items to add to the growing list of blocked domains or IP addresses.  This was not only a management headache; it also occasionally caused a backup of the email queue feeding our perimeter Barracuda devices. If only there were a better way…

Well, Spamhaus claims it has found the answer.  Using a tightly controlled whitelist–membership is possible upon invitation by another member–Spamhaus says it provides comprehensive email filtering, free and without all the management issues faced by many enterprises.

“Unlike traditional whitelists, the Spamhaus Whitelist is not a service to help bulk mail senders improve delivery rates. You can not whitelist an IP address or domain that is used for sending marketing or soliciting bulk email, or used for sending any email on behalf of third parties. This rule therefore automatically excludes makes not eligible for whitelisting Email Service Providers, ISP customer mail relays and mail servers used by third-parties, and all bulk mailing list servers and services,” the company said in its explanation of the service.

(Source: Spamhaus Debuts New Whitelist Service | threatpost.)

Setup is easy and well documented at the Spamhaus site. At a high level,

The Spamhaus Whitelist is actually made up of two whitelists: an IP address whitelist called the ‘SWL’ and a domain whitelist called the ‘DWL’. These are published as and respectively.

The SWL is both an IPv4 and IPv6 whitelist. It responds to queries of either IPv4 or IPv6 addresses. (Note: IPv6 handling is not yet active. Spamhaus estimates IPv6 service starting in 2011)

The DWL is a VBR (vouch-by-reference) domain whitelist designed to automate DKIM certification.

(Source:, 2010)
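
How a receiving mail filter would form the lookup for an IP whitelist such as the SWL, assuming the list follows the standard DNS-list query convention of RFC 5782 (reversed IPv4 octets or reversed IPv6 nibbles, prepended to the list zone). This is an added example, not code from Spamhaus or from the original post; the zone `swl.example.invalid`, the function names and the sample resolver data are placeholders constructed for illustration.

```python
import ipaddress

# Placeholder zone: the page does not give the published zone names.
SWL_ZONE = "swl.example.invalid"
# RFC 5782: a listed entry answers with an A record inside 127.0.0.0/8.
LIST_ANSWERS = ipaddress.ip_network("127.0.0.0/8")


def dnswl_query_name(ip, zone=SWL_ZONE):
    """Build the DNS name to look up for an IPv4 or IPv6 sender address."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")                   # one label per octet
    else:
        labels = list(addr.exploded.replace(":", ""))   # one label per hex nibble
    return ".".join(reversed(labels)) + "." + zone


def is_whitelisted(ip, resolve, zone=SWL_ZONE):
    """resolve(name) returns a list of A-record strings, [] for NXDOMAIN.

    Only answers inside 127.0.0.0/8 count as a listing. A resolver that
    rewrites NXDOMAIN to some other address would otherwise make every
    sender look whitelisted and let its mail skip filtering.
    """
    for answer in resolve(dnswl_query_name(ip, zone)):
        try:
            if ipaddress.ip_address(answer) in LIST_ANSWERS:
                return True
        except ValueError:
            continue  # ignore malformed answers
    return False


# Constructed sample data: one listed sender, everything else NXDOMAIN.
SAMPLE_ZONE = {"25.2.0.192.swl.example.invalid": ["127.0.0.2"]}


def sample_resolver(name):
    return SAMPLE_ZONE.get(name, [])


def hijacking_resolver(name):
    # Constructed: a resolver that answers every name with a landing page.
    return ["203.0.113.10"]


if __name__ == "__main__":
    for ip in ("192.0.2.25", "198.51.100.7", "2001:db8::1"):
        print(ip, dnswl_query_name(ip), is_whitelisted(ip, sample_resolver))
```

In production the `resolve` argument would wrap a real DNS lookup; keeping it injectable lets the listing logic be tested offline.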

So what happens if a sender abuses their membership in the whitelist?  Since the new service is in beta, we really don’t have any examples of deviant behavior.  However,

Spamhaus is reserving the right to revoke whitelist status for any email etiquette transgressions, such as the distribution of bulk mail of any type. The whitelist will be maintained in both IP addresses and domain name forms as two separate, but matched, lists. Controls mean no domain or IP address that is on the Spamhaus Project blocklist can ever be whitelisted.

(Source: Spamhaus debuts whitelist service, The Register, 28 September 2010)

Note that this service uses DKIM, something Microsoft Exchange DOES NOT support.  There are third-party solutions (example) that make Exchange compatible.  But if you use Exchange, I recommend adding a front-end solution, like Barracuda Spam Firewall, between the Internet and your mail servers.  Other DKIM-compatible solutions are listed at

Good Planning Requires Follow-up

In Backup, Business Continuity, Cloud Computing, Disaster Recovery, Security Management, Vendor Management on August 31, 2010 at 07:29

Many organizations still believe that having a great business continuity plan, complete with a solid contract with a third-party recovery partner, is enough to protect them from the inevitable.  As American Eagle Outfitters found, however, this is not enough.

According to Evan Schuman from, which monitors retail Web sites, the outage began with a series of server failures.

Schuman, who said he spoke with an unnamed IT source at American Eagle, said a storage drive failed at an IBM off-site hosting facility. That failure was followed by a secondary backup disk drive failure. Once the drives were replaced, the company attempted a restore of about 400GB of data from backup, but the Oracle backup utility failed, possibly as a result of data corruption. Finally, American Eagle Outfitters attempted to restore its data from its disaster recovery site, only to discover the site wasn’t ready and could not get the logs up and running.

“I know they were supposed to have completed it with Oracle Data Guard, but apparently it must have fallen off the priority list in the past few months,” the source told Schuman.

via American Eagle Outfitters learns a painful service provider lesson – CSO Online – Security and Risk.

This is the description of events leading to an eight-day outage for the company’s customer-facing website.  There are one or two lessons for all of us here.

First, when was the last time American Eagle asked IBM for its processes for dealing with unusual outages?  How often did they review IBM’s processes for testing incident response?  This is as much American Eagle’s responsibility as it is the off-site vendor’s.

Second, when was the last time backup tests were performed?  What are the requirements for this in the contract and how is compliance validated?

Based on this article, there’s no evidence that American Eagle was intentionally negligent.  They simply made the mistake of assuming; that is, assuming their service providers were practicing due diligence.  When using cloud or any other third-party services, we still have a responsibility to inspect what we expect.

PDF Security Problems? Use Google Docs

In Cybercrime on April 7, 2010 at 12:27

According to F-Secure’s Mikko Hypponen, the best way to avoid PDF vulnerabilities is to use Google Docs to read them.  Just stop using on-the-desktop tools.  Consider the gPDF browser plug-in for quick views.

Analyst’s View: PDF—Pretty Dangerous Format? | Neil J. Rubenking |

While this may work, I don’t think users–and most enterprises–will listen.  A better approach is to provide better software, both for reading PDFs and for protecting systems from PDF threats.  And we just have to keep telling users about how dangerous PDFs are… and Word documents… and Excel spreadsheets… and JPEG files…

On Uncertain Security (#infosecblog)

In Risk Management, Security Management on April 3, 2010 at 14:25

On Uncertain Security is an excellent blog post about the uncertainty principle in risk management.

In general, risk management is an inexact science.  We cannot reasonably eliminate all risk, nor can we promise management that our layers of controls will never fail.  Setting proper expectations, inspecting what we expect, and practicing due diligence will get us as close as possible to the promised land of the secure network.

IMHO: What we really need is OS stability

In High Performance Systems on April 1, 2010 at 12:21

Intel and AMD show divergent multi-core strategies

This is great.  We will soon be putting 64 or more processors in our servers.  Sort of like we did in the 90’s with the AS/400.  So this is better, right?  Well, maybe.

The AS/400 ran OS/400, a stable and very programmer- and business-friendly operating system.  So what will businesses put on these new high-performance catch-ups?

As we build PCs bigger and better–yes, a typical server is just a big, beefy micro-computer–IT departments may want to start considering operating systems built for reliability and performance.  Yes, there will be moaning about the need to retrain all the MCSEs on staff, but there was moaning when CNEs (including me)  had to give up Netware.  We all survived.
