<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
> <channel><title>Savid Technologies &#187; Savid Insights Blog</title> <atom:link href="http://www.savidtech.com/blog/feed/" rel="self" type="application/rss+xml" /><link>http://www.savidtech.com</link> <description></description> <lastBuildDate>Tue, 21 Feb 2012 19:56:55 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=</generator> <xhtml:meta xmlns:xhtml="http://www.w3.org/1999/xhtml" name="robots" content="noindex" /> <item><title>Technology Capital Investors Acquires Savid Technologies</title><link>http://www.savidtech.com/blog/news/technology-capital-investors-acquires-savid-technologies/</link> <comments>http://www.savidtech.com/blog/news/technology-capital-investors-acquires-savid-technologies/#comments</comments> <pubDate>Mon, 13 Feb 2012 00:48:05 +0000</pubDate> <dc:creator>Michael A. Davis</dc:creator> <category><![CDATA[News]]></category> <guid
isPermaLink="false">http://www.savidtech.com/?p=1434</guid> <description><![CDATA[Technology Capital Investors Acquires IT Security Firm Savid Technologies MSP Investment Firm Expands IT Services Portfolio; Previews Plans to Launch New Cloud Security and Compliance Practice in North America  New York City, NY – Feb. 13, 2012 – Executing against its vision to successfully partner with, empower and profitably grow local and regional MSPs, Technology [...]]]></description> <content:encoded><![CDATA[<p
align="center"><strong>Technology Capital Investors Acquires IT Security Firm Savid Technologies</strong></p><p
align="center"><em>MSP Investment Firm Expands IT Services Portfolio; Previews Plans to Launch New Cloud Security and Compliance Practice in North America</em><em> </em></p><p><strong>New York City, NY – Feb. 13, 2012</strong> – Executing against its vision to successfully partner with, empower and profitably grow local and regional MSPs, <a
href="http://www.techcapinvestors.com/">Technology Capital Investors</a> (TCI), a specialized IT services investment firm, announced today it has acquired <a
href="http://www.savidtech.com/">Savid Technologies Inc</a>., a well-established security consulting firm and managed service provider (MSP) with operations based out of Chicago.</p><p>Under the terms of the agreement, Savid Technologies will join TCI’s national portfolio of high-performance MSP partners. The successful MSP will keep its company brand, associates and executive leadership, including industry-renowned cloud security expert, author of <em>Hacking Exposed,</em> and CEO of Savid Technologies Michael A. Davis.</p><p>As part of TCI, Michael Davis will continue to run the day-to-day operations of the business, and serve as the leadership behind TCI’s new suite of managed security and compliance services, which is scheduled to launch in Q1 2012.</p><p>“Savid Technologies is a strategic partner acquisition that will play an integral role in TCI’s growing family of MSP brands, and become the central hub for our new North America security and compliance practice,” says Sam Attias, managing partner, TCI. “Working as a team, TCI and Savid Technologies will bring to market a fully integrated security offering that our partners can market and sell to their clients.”</p><p>“TCI is on the cutting edge of technology and fast becoming a driving force within the IT industry,” says Davis. “Sam and his team have a true understanding of client IT needs, and have the right vision and plan around the future of the marketplace.”</p><p>“We’re pleased to join the TCI family and extend our security and compliance skill set into a nationwide team that will help shape the IT industry and accelerate adoption of cloud computing by offering proven security and compliance services to enterprise and SMB clients,” concludes Davis.</p><p>For more information on TCI, visit <a
href="http://www.techcapinvestors.com/">www.techcapinvestors.com</a>.</p><p><strong>About Savid Technologies, Inc. </strong></p><p>Savid Technologies, Inc. provides specialized IT consulting services nationwide. The firm’s expertise and experience runs broad and deep with clients ranging from small businesses consisting of no more than three people to Fortune 500 companies, as well as high-profile government and military agencies. Savid’s primary IT services include IT security audits, outsourced IT for small to midsize businesses and compliance services. <a
href="http://www.savidtech.com/">www.savidtech.com</a></p><p><strong>About Technology Capital Investors </strong></p><p>Technology Capital Investors (TCI) has helped MSPs and hosting companies successfully grow their businesses by partnering with them and establishing a profitable and scalable business model that includes cloud-based IT services and specialized market expertise. TCI also invests in cloud and SaaS based solutions that enable the delivery of IT services to end clients. <a
href="http://www.techcapinvestors.com/">www.techcapinvestors.com</a> <strong></strong></p><p># # #</p><p><strong>Press contact:<br
/> </strong>Marie Rourke<br
/> WhiteFox Marketing<br
/> 714.292.2199<br
/> <a
href="mailto:marie@whitefoxpr.com">marie@whitefoxpr.com</a></p><p>&nbsp;</p> ]]></content:encoded> <wfw:commentRss>http://www.savidtech.com/blog/news/technology-capital-investors-acquires-savid-technologies/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Is the Security Industry a Fad?</title><link>http://www.savidtech.com/blog/it-security/security-industry-fad/</link> <comments>http://www.savidtech.com/blog/it-security/security-industry-fad/#comments</comments> <pubDate>Sat, 11 Feb 2012 22:04:30 +0000</pubDate> <dc:creator>Michael A. Davis</dc:creator> <category><![CDATA[IT Security]]></category> <category><![CDATA[newsletter]]></category> <guid
isPermaLink="false">http://www.savidtech.com/?p=1607</guid> <description><![CDATA[In 2007, world-renowned security professional Bruce Schneier said in an interview that the convergence of security, where it’s built in vs. bolted on, could make our industry a fad. Has the adoption of the cloud and consumerization started to make this a reality in 2012? We think so, and while we don’t recommend you hang [...]]]></description> <content:encoded><![CDATA[<p><a
href="http://www.savidtech.com/blog/it-security/security-industry-fad/attachment/fads/" rel="attachment wp-att-1608"><img
class="aligncenter size-medium wp-image-1608" title="Security Industry Fads" src="http://www.savidtech.com/wp-content/uploads/fads-300x79.jpg" alt="fads 300x79 Is the Security Industry a Fad?" width="300" height="79" /></a></p><p>In 2007, world-renowned security professional Bruce Schneier said in an interview that the convergence of security, where it’s built in vs. bolted on, could make our industry a fad. Has the adoption of the cloud and consumerization started to make this a reality in 2012? We think so, and while we don’t recommend you hang up your security hat to become a Starbucks barista just yet, infosec pros must adapt or risk extinction.</p><p>“The primary reason the IT security industry exists is because IT products and services aren’t naturally secure,” wrote Schneier in his blog. “If computers were already secure against viruses, there wouldn’t be any need for antivirus products. If bad network traffic couldn’t be used to attack computers, no one would bother buying a firewall. If there were no more buffer overflows, no one would have to buy products to protect against their effects. If the IT products we purchased were secure out of the box, we wouldn’t have to spend billions every year making them secure.”</p><p>While Schneier may have been ahead of his time in 2007, the security industry has definitely changed in the past five years. In 2011, we saw executives starting to get involved, and security has become a topic on the tongues of consumers and enterprises alike thanks to hacker groups making headlines on the evening news. In the future Schneier envisions, product manufacturers “fold security into the underlying products, and the companies marketing those products will have an incentive to invest in security upfront, to avoid having to spend more cash obviating the problems later.”</p><p>Just look at the acquisitions: Intel bought McAfee, HP bought ArcSight, VMware bought PacketMotion. 
2011 saw vendors begin to bake security into consumer and general IT products. The requirement for security in the cloud will accelerate this process. Here’s what you need to do to avoid extinction:<strong></strong></p><ol><li><strong>Take a communications class.</strong> The No. 1 issue we see with security professionals is an inability to communicate security risks and remediation to nontechnical people. How can you help marketing select a more secure cloud provider if you can’t explain to them the security risks and benefits?</li><li><strong>Less trust, more verify. </strong>Most security organizations don’t audit the systems, vendors or processes that ostensibly have security “built-in.” Just because a vendor passed your inspection when you bought it doesn’t mean it’s still doing a good job six months later. While security professionals normally don’t like IT auditors, the roles are merging; be prepared, and understand how to continually audit and assess whether a once-trusted component can still be trusted. <strong></strong></li><li><strong>Build in security yourself. </strong>The business has new projects coming online all the time. While it may seem like drinking from a fire hose, take the time to assemble a menu of services that your security team can implement consistently instead of looking at all projects as one-offs. Over time, you will identify trends and opportunities to build security into a whole range of processes, from system builds to HR practices to vendor selection. Building security in and letting your audit team verify frees you up to look out the front window with the business instead of always watching the rear-view mirror. If you haven’t read up on the “security as a service” concept, do it now.<strong></strong></li><li><strong>Realize that bolt-ons fall off. 
</strong>If you cannot build security in to an organizational process and need to bolt on controls—which is the current state of application security—don’t make the mistake of setting and forgetting. Put a system in place to let you know when those bolted on controls come flying off. We’ve seen faulty one-off <a
href="http://www.savidtech.com/blog/tag/security-controls/" class="st_tag internal_tag" rel="tag" title="Posts tagged with Security controls">security controls</a> and processes bring down even the most automated security systems. Think of F1 racing teams; these guys have sensors for every small part on the car. If one piece falls off, it changes the entire aerodynamic profile of the vehicle and could cost them the race. Therefore, they put detective controls in place to perceive when preventive controls fail.<strong></strong></li></ol><p>The built-in vs. bolt-on debate will continue to rage. But the fact is, more vendors will be promising built-in security, and while this will make the business decision to use certain products and services easier for management, it doesn’t mean you can let your guard down. Never assume that these products are more secure or won’t introduce risk into the organization. Rather, the risk will simply move from technical vulnerabilities to process and management—which, unfortunately, are some of the weakest areas in risk programs.</p> ]]></content:encoded> <wfw:commentRss>http://www.savidtech.com/blog/it-security/security-industry-fad/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Savid CEO Discusses How Security Falls Short When It Comes To Dealing With Growing Cyber Attacks</title><link>http://www.savidtech.com/blog/news/savid-ceo-discusses-security-falling-short-dealing-growing-cyber-attacks/</link> <comments>http://www.savidtech.com/blog/news/savid-ceo-discusses-security-falling-short-dealing-growing-cyber-attacks/#comments</comments> <pubDate>Sat, 11 Feb 2012 08:19:32 +0000</pubDate> <dc:creator>Savid Technologies</dc:creator> <category><![CDATA[News]]></category> <guid
isPermaLink="false">http://www.savidtech.com/?p=1587</guid> <description><![CDATA[Savid CEO, Michael Davis, is quoted by NetworkComputing.com regarding how the total number of network breaches is on the rise, although data loss from cyber attacks has decreased significantly: According to Michael Davis, CEO of a Chicago-based security consulting firm, Savid Technologies, and author of the new InformationWeek Reports How to Pick Endpoint Protection, malware was by far [...]]]></description> <content:encoded><![CDATA[<p>Savid CEO, Michael Davis, is quoted by NetworkComputing.com regarding how the total number of network breaches is on the rise, although data loss from cyber attacks has decreased significantly:</p><blockquote><p>According to Michael Davis, CEO of a Chicago-based security consulting firm, Savid Technologies, and author of the new InformationWeek Reports <a
href="http://pro.networkcomputing.com/asset/8660/strategy-how-to-pick-endpoint-protection.html">How to Pick Endpoint Protection</a>, malware was by far the most common reason for security breaches suffered by respondents to the InformationWeek 2011 Strategic Security Survey. He says they routinely see users dismiss a security prompt or choose to execute a program (which turns out to be malicious) because they are irritated at being interrupted or don&#8217;t understand the consequences of their actions.</p></blockquote><p><a
title="Security Falling Short When It Comes To Dealing With Growing Cyber Attacks" href="http://www.networkcomputing.com/security/232600665" target="_blank">Read the entire article &gt;&gt;</a></p> ]]></content:encoded> <wfw:commentRss>http://www.savidtech.com/blog/news/savid-ceo-discusses-security-falling-short-dealing-growing-cyber-attacks/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Phishing Scams: Don’t Take the Bait</title><link>http://www.savidtech.com/blog/it-security/phishing-scams-dont-take-the-bait/</link> <comments>http://www.savidtech.com/blog/it-security/phishing-scams-dont-take-the-bait/#comments</comments> <pubDate>Fri, 10 Feb 2012 14:50:04 +0000</pubDate> <dc:creator>Michael A. Davis</dc:creator> <category><![CDATA[IT Security]]></category> <category><![CDATA[newsletter]]></category> <guid
isPermaLink="false">http://www.savidtech.com/?p=1598</guid> <description><![CDATA[We all do it—open our email accounts and quickly fly through and delete the spam before settling in to sift through messages that have some value to us. But before you start clicking links or downloading files, are you certain that none of those seemingly valued emails is actually from a cybercriminal posing as someone [...]]]></description> <content:encoded><![CDATA[<p><img
class="aligncenter size-medium wp-image-1599" title="e-wolf-phishing" src="http://www.savidtech.com/wp-content/uploads/e-wolf-phishing-300x174.jpg" alt="e wolf phishing 300x174 Phishing Scams: Don’t Take the Bait" width="300" height="174" /></p><p>We all do it—open our email accounts and quickly fly through and delete the spam before settling in to sift through messages that have some value to us. But before you start clicking links or downloading files, are you certain that none of those seemingly valued emails is actually from a cybercriminal posing as someone else in a bid to install malicious software on your computer and steal your data and personal information?</p><p>There are some red flags that can help determine if an email is legitimate. Pass these tips on to others, so they can defend their information against cybercriminals, too.</p><p><strong>Spelling and bad grammar:</strong> Legitimate companies employ copy editors to review content before circulation, so there should be no spelling or grammatical errors. Cybercriminals, on the other hand, tend not to worry about such niceties. Beware when you see misspellings or other grammatical inaccuracies.</p><p><strong>Links in emails: </strong>Look before you click. Whenever an email contains a link that you want to access, before you click to open it, hover your cursor over the link and check that the destination address shown matches the address displayed in the email. If they do not match, refrain from clicking the link.</p><p><strong>Threats: </strong>One sign that may indicate a phishing scheme is receiving a threat, such as, “Your account will be closed if you don’t respond by clicking the link below.” Another red flag is an alert that your security has been compromised.</p><p><strong>Spoofing companies and websites:</strong> These are e-wolves in sheep’s clothing. Often, cybercriminals will place logos and other imagery belonging to the companies they’re impersonating into the message body, then link those images to their malicious scam sites. 
If you do click on an image and are brought to the supposed site, look closely at the URL. Some scammers will use an address that closely resembles the URL of the company they’re looking to imitate; an example would be http://www.applle.com. You can also use the hovering maneuver with images.</p><p>So now that you know what to be aware of, the next hurdle is determining what to do if you have been subjected to a scam. First, report it. If you’re a Microsoft Office Outlook user, attach a copy of the email to a new email and send it to <a
href="mailto:reportphishing@antiphishing.org">reportphishing@antiphishing.org</a>. Most importantly, if you have been a victim, change all PINs and passwords on any accounts that may have been compromised. Contact your bank or online merchant if threats were issued saying your account has been compromised. Call your financial institution and have a <a
href="http://www.savidtech.com/blog/tag/fraud/" class="st_tag internal_tag" rel="tag" title="Posts tagged with fraud">fraud</a> alert placed on your credit reports. If your accounts have in fact been accessed, cancel those accounts and open new ones. Continue to closely monitor your account statements for unexplained transactions.</p> ]]></content:encoded> <wfw:commentRss>http://www.savidtech.com/blog/it-security/phishing-scams-dont-take-the-bait/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>The Future of Authentication? Not Passwords</title><link>http://www.savidtech.com/blog/it-security/future-authentication-passwords/</link> <comments>http://www.savidtech.com/blog/it-security/future-authentication-passwords/#comments</comments> <pubDate>Thu, 09 Feb 2012 12:59:24 +0000</pubDate> <dc:creator>Michael A. Davis</dc:creator> <category><![CDATA[IT Security]]></category> <category><![CDATA[newsletter]]></category> <guid
isPermaLink="false">http://www.savidtech.com/?p=1602</guid> <description><![CDATA[Passwords are a pain. The helpdesk hates resetting them. Security hates managing them. And users just plain hate them. The very term “password” reveals the fundamental flaw—we should be using pass phrases. Most modern operating systems, including Windows, OS X and Unix, support phrases with over 200 characters. Uncle Sam has a better idea, which [...]]]></description> <content:encoded><![CDATA[<p><a
href="http://www.savidtech.com/blog/it-security/future-authentication-passwords/attachment/password-secret-joke/" rel="attachment wp-att-1603"><img
class="alignleft size-medium wp-image-1603" title="The Truth About Passwords" src="http://www.savidtech.com/wp-content/uploads/password-secret-joke-300x183.png" alt="password secret joke 300x183 The Future of Authentication? Not Passwords" width="300" height="183" /></a></p><p>Passwords are a pain. The helpdesk hates resetting them. Security hates managing them. And users just plain hate them. The very term “password” reveals the fundamental flaw—we should be using pass phrases. Most modern operating systems, including Windows, OS X and Unix, support phrases with over 200 characters.</p><p>Uncle Sam has a better idea, which we’ll discuss. For now, let’s admit that security awareness trainers’ attempts to promote better passwords and our fancy policies to ensure complexity have failed. Part of the problem is that, to most organizations, a password of “Winter12” qualifies as complex. An analysis of the breached Sony accounts showed that while 93% of passwords were between six and 10 characters in length, only 1% contained an alphanumeric, and less than 1% were longer than 14 characters. The Top 3 passwords used: “seinfeld,” “password” and “winner.” Further analysis showed that 82% of passwords were found within rainbow tables.</p><p>So users make bad password decisions. We know this. But that isn’t the only reason they need to go. A problem just as significant as strength is that passwords and, for that matter, pass phrases provide authentication only once, when typed in or provided. There’s no mechanism for continuous re-authentication without interrupting user workflow. Think about the way attacks happen in the real world: ATM skimmers record PINs and reuse them later. The ATM has no way to know it was a fraudster who typed in the PIN. If a user walks away from a mobile device or PC, an attacker can jump on and take control of the session. 
Even Metasploit, the open source exploit framework, has the ability to take control of RDP and VNC sessions from legitimate users.</p><p>This leads us to the requirement for continuous authentication in future system designs. Fortunately for enterprises, the U.S. government is putting our tax dollars behind R&amp;D for just such a cause. The Defense Advanced Research Projects Agency (DARPA) has released a grant to promote development of “active authentication.” DARPA states: “The current standard method for validating a user’s identity for authentication on an information system requires humans to do something that is inherently difficult: create, remember and manage long, complex passwords. Moreover, as long as the session remains active, typical systems incorporate no mechanisms to verify that the user originally authenticated is the user still in control of the keyboard. Thus, unauthorized individuals may improperly obtain extended access to information system resources if a password is compromised or if a user does not exercise adequate vigilance after initially authenticating at the console.”</p><p>DARPA’s recommended solution is to develop a “cognitive fingerprint,” which is government-speak for biometric tests that will include keystroke-latency analysis, eye scans, how a user searches for information, eye tracking and the speed with which a person reads content. The key is to develop a profile of an individual so that once an authorized user is authenticated, each move can reauthenticate the person, at a frequency as great as every second. With this technique, even if someone’s password is “seinfeld” and an attacker takes over a session, the cognitive fingerprint won’t match and the session can be shut down. 
If an action requires administrative privileges, the cognitive fingerprint can provide the authentication system with additional statistical confidence that the user is actually who he’s supposed to be.</p><p>While passwords may not be gone completely in our lifetimes, the way we use them will change dramatically as additional metrics are brought online to authenticate and then continually reauthenticate users as they access a system. As technology like that behind Microsoft’s Kinect makes it into laptops, desktops and even smartphones, be prepared for new behavioral biometric authentication frameworks to make a strong introduction.</p> ]]></content:encoded> <wfw:commentRss>http://www.savidtech.com/blog/it-security/future-authentication-passwords/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Savid finds 21% of IT Pros Think Their Encryption Initiatives Are Falling Behind Peers</title><link>http://www.savidtech.com/blog/news/savid-finds-21-pros-encryption-initiatives-falling-peers/</link> <comments>http://www.savidtech.com/blog/news/savid-finds-21-pros-encryption-initiatives-falling-peers/#comments</comments> <pubDate>Wed, 08 Feb 2012 01:25:27 +0000</pubDate> <dc:creator>Savid Technologies</dc:creator> <category><![CDATA[News]]></category> <guid
isPermaLink="false">http://www.savidtech.com/?p=1590</guid> <description><![CDATA[New InformationWeek Reports Research Finds 21% of IT Pros Think Their Encryption Initiatives Are Falling Behind Peers At 94%, SSL or IPSec VPNs most common encryption deployed; TPM and cloud encryption least used By UBM TechWeb Published: Tuesday, Feb. 7, 2012 &#8211; 9:07 am SAN FRANCISCO,  Feb. 7, 2012 &#8211; /PRNewswire/ &#8211; InformationWeek Reports (www.reports.informationweek.com ), a service provider for [...]]]></description> <content:encoded><![CDATA[<div
id="story_header"><h3 id="story_headline">New InformationWeek Reports Research Finds 21% of IT Pros Think Their Encryption Initiatives Are Falling Behind Peers</h3><h4 id="story_subheadline"><strong>At 94%, SSL or IPSec VPNs most common encryption deployed; TPM and cloud encryption least used</strong></h4><div><div>By <a
title="Read more articles by UBM TechWeb" href="http://www.sacbee.com/search_results/?sf_pubsys_story_byline=UBM%20TechWeb&amp;link_location=top">UBM TechWeb</a></div></div><div><div
title="2012-02-07T09:07:48-0800">Published: Tuesday, Feb. 7, 2012 &#8211; 9:07 am</div></div></div><div
id="articlebody"><p><a
href="http://topics.sacbee.com/SAN+FRANCISCO/" rel="nofollow">SAN FRANCISCO,</a>  Feb. 7, 2012 &#8211; /PRNewswire/ &#8211; InformationWeek Reports (<a
href="http://www.reports.informationweek.com/" target="_blank">www.reports.informationweek.com</a> ), a service provider for peer-based IT research and analysis, announced the release of its latest research report. <strong>Data Encryption: Ushering In a New Era </strong>encompasses analysis of results from InformationWeek&#8217;s recent 2012 data encryption survey and guides readers in choosing and deploying encryption to support a data-centric <a
href="http://topics.sacbee.com/security+policy/" rel="nofollow">security policy.</a> More than 500 business technology professionals responded to this poll.</p><p><strong>Research Summary:</strong></p><p>As longstanding protocols come under attack and sensitive data moves to mobile devices and offsite cloud providers&#8217; systems, encryption adoption is growing, albeit modestly. In our 2012 survey, 91% of respondents are using some encryption vs. 86% in our July 2009 poll.</p><p><strong>Findings: </strong></p><ul
type="disc"><li>67% of our survey respondents encrypt <a
href="http://topics.sacbee.com/Social+Security+numbers/" rel="nofollow">Social Security numbers.</a></li><li>49% currently use mobile device encryption for smartphones and tablets.</li><li>33% have implemented encryption at the database level.</li><li>19% categorize their encryption use as pervasive, with widespread use across the enterprise.</li></ul><p>The report author, Michael A. Davis, serves as CEO of Chicago-based technology and security consultancy Savid Technologies.</p><p><strong>For full access to the research data, members can download now</strong>: <a
href="http://reports.informationweek.com/abstract/21/8628/Security/research-data-encryption.html" target="_blank">http://reports.informationweek.com/abstract/21/8628/Security/research-data-encryption.html</a></p><p>&#8220;Despite media attention, Zappos actually is a poster child for proper encryption of <a
href="http://topics.sacbee.com/credit+card/" rel="nofollow">credit card</a> data,&#8221; says report author Michael A. Davis. &#8220;They tokenized the data, so nothing was actually breached. The last four digits of a <a
href="http://www.savidtech.com/blog/tag/credit-card/" class="st_tag internal_tag" rel="tag" title="Posts tagged with credit card">credit card</a> are useless to an attacker. And, Zappos obfuscated passwords. In contrast, only 52% of respondents encrypt <a
href="http://www.savidtech.com/blog/tag/credit-card/" class="st_tag internal_tag" rel="tag" title="Posts tagged with credit card">credit card</a> numbers, and 35% encrypt data archived on tape.&#8221;</p><p><strong>For more information:<br
/> </strong>Art Wittmann, VP &amp; Managing Director, InformationWeek Reports, 415-947-6361, <a
href="mailto:awittmann@techweb.com" target="_blank">awittmann@techweb.com</a></p><p><strong>About InformationWeek Business Technology Network </strong>(<a
href="http://www.informationweek.com/" target="_blank">www.informationweek.com</a> )</p><p>The InformationWeek Business Technology Network provides IT executives with unique analysis and tools that parallel their work flow—from defining and framing objectives through to the evaluation and recommendation of solutions. Anchored by InformationWeek, the multimedia powerhouse that looks across the enterprise, the network scales across the most critical technology categories with online properties like DarkReading.com (security), NetworkComputing.com (networking and communications) and BYTE (consumer technology). The network also provides focused content for key IT targets, such as CIOs, developers, and SMBs via InformationWeek Global CIO, Dr. Dobb&#8217;s and InformationWeek SMB, as well as vital vertical industries with InformationWeek Financial Services, Government and Healthcare sites. Content is at the nucleus of our information distribution strategy—IT professionals turn to our experts and communities to stay informed, get advice and research technologies to make strategic business decisions.</p><p><strong>About UBM TechWeb</strong> (<a
href="http://www.ubmtechweb.com/" target="_blank">www.ubmtechweb.com</a> )</p><p>UBM TechWeb, the global leader in technology media and professional information, enables people and organizations to harness the transformative power of technology. Through its three core businesses – media solutions, marketing services and paid content – UBM TechWeb produces the most respected and consumed brands and media applications in the technology market. More than 14.5 million business and technology professionals (CIOs and IT managers, Web &amp; Digital professionals, <a
href="http://topics.sacbee.com/Software+Developers/" rel="nofollow">Software Developers,</a>  Government decision makers, and Telecom providers) actively engage in UBM TechWeb&#8217;s communities and information resources monthly. UBM TechWeb brands include: global face-to-face events such as Interop, <a
href="http://topics.sacbee.com/Web+2.0/" rel="nofollow">Web 2.0,</a>  <a
href="http://topics.sacbee.com/Black+Hat/" rel="nofollow">Black Hat</a>  and Enterprise Connect; award-winning online resources such as InformationWeek, Light Reading, and Network Computing; and market-leading magazines InformationWeek, Wall Street &amp; Technology, and Advanced Trading. UBM TechWeb is a UBM plc company, a global provider of news distribution and specialist information services with a market capitalization of more than $2.5 billion.</p><p>SOURCE UBM TechWeb</p></div> ]]></content:encoded> <wfw:commentRss>http://www.savidtech.com/blog/news/savid-finds-21-pros-encryption-initiatives-falling-peers/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Savid Research &#8211; Encryption Key To Evolving Data-Centric Security Model</title><link>http://www.savidtech.com/blog/news/savid-research-encryption-key-evolving-datacentric-security-model/</link> <comments>http://www.savidtech.com/blog/news/savid-research-encryption-key-evolving-datacentric-security-model/#comments</comments> <pubDate>Tue, 07 Feb 2012 19:28:38 +0000</pubDate> <dc:creator>Savid Technologies</dc:creator> <category><![CDATA[News]]></category> <guid
isPermaLink="false">http://www.savidtech.com/?p=1593</guid> <description><![CDATA[Savid&#8217;s CEO, Michael Davis, talks with Chris Talbot regarding Savid&#8217;s latest research report, &#8220;Data Encryption: Ushering In a New Era&#8221; &#8220;Furthermore, the determination of what is encrypted or not is based on the data itself,&#8221; Davis said. &#8220;Depending on the classification schemes of the organization, it could mean credit card data, PII (personally identifiable information), [...]]]></description> <content:encoded><![CDATA[<p>Savid&#8217;s CEO, Michael Davis, talks with Chris Talbot regarding Savid&#8217;s latest research report, &#8220;Data Encryption: Ushering In a New Era&#8221;</p><blockquote><p>&#8220;Furthermore, the determination of what is encrypted or not is based on the data itself,&#8221; Davis said. &#8220;Depending on the classification schemes of the organization, it could mean <a
href="http://www.savidtech.com/blog/tag/credit-card/" class="st_tag internal_tag" rel="tag" title="Posts tagged with credit card">credit card</a> data, PII (personally identifiable information), or PHI (protected health information). Using this approach reduces the risk of having to manage and detect when data leaves the organization because you can be assured it is encrypted no matter where it is.&#8221;</p></blockquote><p>Read the Entire Article,<a
title="Encryption Key To Evolving Data-Centric Security Model" href="http://www.networkcomputing.com/security/232600361" target="_blank"> Encryption Key To Evolving Data-Centric Security Model</a></p> ]]></content:encoded> <wfw:commentRss>http://www.savidtech.com/blog/news/savid-research-encryption-key-evolving-datacentric-security-model/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Davis provides clashing opinion on physical and logical security convergence</title><link>http://www.savidtech.com/blog/news/davis-clashing-opinion-physical-logical-security-convergence/</link> <comments>http://www.savidtech.com/blog/news/davis-clashing-opinion-physical-logical-security-convergence/#comments</comments> <pubDate>Fri, 20 Jan 2012 08:34:18 +0000</pubDate> <dc:creator>Savid Technologies</dc:creator> <category><![CDATA[News]]></category> <guid
isPermaLink="false">http://www.savidtech.com/?p=1596</guid> <description><![CDATA[Security Director News quotes the opinion of Savid Technologies CEO Michael Davis on physical and logical convergence: The results from the InformationWeek survey prompted its author, Michael Davis, CEO of Savid Technologies, to begin the report with the declaration: &#8220;The wheels have officially come off the security convergence bandwagon.&#8221; Read the rest of the article and learn [...]]]></description> <content:encoded><![CDATA[<p>Security Director News quotes the opinion of Savid Technologies CEO Michael Davis on physical and logical convergence:</p><blockquote><p>The results from the InformationWeek survey prompted its author, Michael Davis, CEO of Savid Technologies, to begin the report with the declaration: &#8220;The wheels have officially come off the security convergence bandwagon.&#8221;</p></blockquote><p>Read the rest of the article and learn what Savid believes is the future of physical and logical security.</p><p>Security Director News, <a
title="Two surveys expose clashing opinions on physical and logical security convergence" href="http://www.securitydirectornews.com/?p=article&amp;id=sd2012015L5kXA" target="_blank">Two surveys expose clashing opinions on physical and logical security convergence</a></p> ]]></content:encoded> <wfw:commentRss>http://www.savidtech.com/blog/news/davis-clashing-opinion-physical-logical-security-convergence/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>If You Cannot Prevent It, Detect It: Why Defense In Depth Works</title><link>http://www.savidtech.com/blog/application-security/if-you-cannot-prevent-it-detect-it-why-defense-in-depth-works/</link> <comments>http://www.savidtech.com/blog/application-security/if-you-cannot-prevent-it-detect-it-why-defense-in-depth-works/#comments</comments> <pubDate>Sun, 08 Jan 2012 22:25:09 +0000</pubDate> <dc:creator>Michael A. Davis</dc:creator> <category><![CDATA[Application Security]]></category> <category><![CDATA[HIPAA]]></category> <category><![CDATA[IT Security]]></category> <category><![CDATA[PCI]]></category> <category><![CDATA[application security defense in depth]]></category> <category><![CDATA[Data Breach]]></category> <category><![CDATA[defense in depth]]></category> <category><![CDATA[ethical hackers]]></category> <category><![CDATA[ethical hacking]]></category> <category><![CDATA[GLBA]]></category> <category><![CDATA[honeytokens]]></category> <category><![CDATA[prevent breach]]></category> <category><![CDATA[Security controls]]></category> <category><![CDATA[SQL]]></category> <category><![CDATA[SQL injection]]></category> <guid
isPermaLink="false">http://www.savidtech.com/blog/?p=759</guid> <description><![CDATA[As audit season is finally over, (over 65% of all our assessments and audits happen in Q4) we finally have a chance to grab a cup of coffee and look back at a couple trends in 2011 that we think separate the best security teams from the worst. First, we need to discuss how we [...]]]></description> <content:encoded><![CDATA[<p><img
class="alignleft size-thumbnail wp-image-760" style="text-decoration: line-through; padding: 0px 5px 5px 0px;" title="If You Cannot Prevent It, Detect It" src="http://www.savidtech.com/wp-content/uploads/2012/01/prevention-150x150.jpg" alt="prevention 150x150 If You Cannot Prevent It, Detect It: Why Defense In Depth Works" width="150" height="150" /> As audit season is finally over (over 65% of all our assessments and audits happen in Q4), we finally have a chance to grab a cup of coffee and look back at a couple of trends in 2011 that we think separate the best security teams from the worst.</p><p>First, we need to discuss how we measure the quality of a security team. At Savid, it is pretty simple. Since we perform <a
href="http://www.savidtech.com/blog/tag/ethical-hacking/" class="st_tag internal_tag" rel="tag" title="Posts tagged with ethical hacking">ethical hacking</a> to assess security programs at organizations, if we got access to something we shouldn’t have, it counts as an intrusion in our books.</p><p>Most reviews of <a
href="http://www.savidtech.com/blog/tag/security-controls/" class="st_tag internal_tag" rel="tag" title="Posts tagged with Security controls">security controls</a> look at what went wrong because it’s harder to learn from the successes. So let’s get the major failures of 2011 out of the way and then let’s talk about what our best clients did to prevent us from breaking in. Overall, most of the security programs we assessed had application security issues. However, 2011 was the worst we have ever seen in terms of the depth and breadth of application security issues &#8211; even though the majority of the security programs we tested were in compliance with regulations such as <a
href="http://www.savidtech.com/blog/tag/hipaa/" class="st_tag internal_tag" rel="tag" title="Posts tagged with HIPAA">HIPAA</a>, <a
href="http://www.savidtech.com/blog/tag/pci/" class="st_tag internal_tag" rel="tag" title="Posts tagged with PCI">PCI</a>, and <a
href="http://www.savidtech.com/blog/tag/glba/" class="st_tag internal_tag" rel="tag" title="Posts tagged with GLBA">GLBA</a>.</p><p>Ok, so with that out of the way, what did the best security teams do to prevent our <a
href="http://www.savidtech.com/blog/tag/ethical-hackers/" class="st_tag internal_tag" rel="tag" title="Posts tagged with ethical hackers">ethical hackers</a> from breaking in?  One Thing: <a
href="http://www.savidtech.com/blog/tag/defense-in-depth/" class="st_tag internal_tag" rel="tag" title="Posts tagged with defense in depth">Defense In Depth</a>. 2011 was the first year where we saw significant advancements in <a
href="http://www.savidtech.com/blog/tag/defense-in-depth/" class="st_tag internal_tag" rel="tag" title="Posts tagged with defense in depth">defense in depth</a> deployments among our clients. For example, we saw a noticeable increase in proper system hardening (using standards such as CIS and NIST) and reduction of excessive permissions that stopped our attacks cold.</p><p>Properly deploying <a
href="http://www.savidtech.com/blog/tag/defense-in-depth/" class="st_tag internal_tag" rel="tag" title="Posts tagged with defense in depth">defense in depth</a> can be the distinction between a <a
href="http://www.savidtech.com/blog/tag/data-breach/" class="st_tag internal_tag" rel="tag" title="Posts tagged with Data Breach">data breach</a> requiring notification or a simple documented incident. The difference between the two for some organizations could be millions of dollars. Oh, and it also has a side effect of making most malware non-functional by preventing the malware from creating temporary files, accessing DLLs, etc. Remember, an attacker can’t exfiltrate data if the exfiltration tools won’t run!</p><p>So, how did the <a
href="http://www.savidtech.com/blog/tag/defense-in-depth/" class="st_tag internal_tag" rel="tag" title="Posts tagged with defense in depth">defense in depth</a> stop our hacking? Most of the time we were able to get entry into a server or application but because of <a
href="http://www.savidtech.com/blog/tag/defense-in-depth/" class="st_tag internal_tag" rel="tag" title="Posts tagged with defense in depth">defense in depth</a> we weren’t able to leverage that entry for any gain (such as privilege escalation, intellectual property, or personally identifiable information). For example, if we got access to an application via <a
href="http://www.savidtech.com/blog/tag/sql-injection/" class="st_tag internal_tag" rel="tag" title="Posts tagged with SQL injection">SQL injection</a>, we weren’t able to execute any commands on the server because the <a
href="http://www.savidtech.com/blog/tag/sql/" class="st_tag internal_tag" rel="tag" title="Posts tagged with SQL">SQL</a> server was hardened to prevent usage of xp_cmdshell and the <a
href="http://www.savidtech.com/blog/tag/sql/" class="st_tag internal_tag" rel="tag" title="Posts tagged with SQL">SQL</a> service account had no local permissions on the box to do anything other than access the database files and folders. Another example is when we got access to a Linux system running a custom PHP login system via an upload vulnerability and a PHP shell script. The hardening of Apache and the file system prevented our low-privileged web server service account from reading local files, creating files, etc. Essentially, the account we got control of was useless and the attack vector wasted our time and effort.</p><p>Wasting an attacker’s time and effort is exactly what you as the defender want to do. Every minute an attacker is stalled or delayed is more time for your detective controls such as IDS/IPS, logging, or even Tripwire-like defenses to detect an attack. We recommend that every security program have a simple theme: If You Cannot Prevent It, Detect It. Leveraging defense in depth provides additional detection points along the attack path. Every time a low-privileged user attempts to access the Accounting Share – detect it. Every time a server in your DMZ attempts to connect to a server in the internal network (which should be blocked by the firewall), detect it and respond to it. These are all indicators that the server is doing something it shouldn’t.</p><p>Our number one recommendation when deploying defense in depth with proper detection controls is the use of fake records &#8211; commonly called “<a
href="http://www.savidtech.com/blog/tag/honeytokens/" class="st_tag internal_tag" rel="tag" title="Posts tagged with honeytokens">honeytokens</a>”. For example, if you have a public web application that has access to an internal database server through a firewall, place a fake record in the database using a randomly generated 30-64 character value. This record has no value and should never be accessed via normal web application use. If your firewall, web filter, or DLP system ever sees this traffic move across the network – something went wrong and you need to find out why.</p><p>Every year Verizon releases their Data Breach Investigations Report and year after year they mention the same problem: the time between a breach occurring and detection of the breach is too long; sometimes it takes years! So this year, add some more defense in depth controls to your security program and watch how quickly it helps reduce the impact of a vulnerability.</p> Tags: <a
href="http://www.savidtech.com/blog/tag/application-security-defense-in-depth/" title="application security defense in depth" rel="tag">application security defense in depth</a>, <a
href="http://www.savidtech.com/blog/tag/data-breach/" title="Data Breach" rel="tag">Data Breach</a>, <a
href="http://www.savidtech.com/blog/tag/defense-in-depth/" title="defense in depth" rel="tag">defense in depth</a>, <a
href="http://www.savidtech.com/blog/tag/ethical-hackers/" title="ethical hackers" rel="tag">ethical hackers</a>, <a
href="http://www.savidtech.com/blog/tag/ethical-hacking/" title="ethical hacking" rel="tag">ethical hacking</a>, <a
href="http://www.savidtech.com/blog/tag/glba/" title="GLBA" rel="tag">GLBA</a>, <a
href="http://www.savidtech.com/blog/tag/hipaa/" title="HIPAA" rel="tag">HIPAA</a>, <a
href="http://www.savidtech.com/blog/tag/honeytokens/" title="honeytokens" rel="tag">honeytokens</a>, <a
href="http://www.savidtech.com/blog/tag/pci/" title="PCI" rel="tag">PCI</a>, <a
href="http://www.savidtech.com/blog/tag/prevent-breach/" title="prevent breach" rel="tag">prevent breach</a>, <a
href="http://www.savidtech.com/blog/tag/security-controls/" title="Security controls" rel="tag">Security controls</a>, <a
href="http://www.savidtech.com/blog/tag/sql/" title="SQL" rel="tag">SQL</a>, <a
href="http://www.savidtech.com/blog/tag/sql-injection/" title="SQL injection" rel="tag">SQL injection</a><br
/> ]]></content:encoded> <wfw:commentRss>http://www.savidtech.com/blog/application-security/if-you-cannot-prevent-it-detect-it-why-defense-in-depth-works/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>How to Stay Safe While Shopping Online</title><link>http://www.savidtech.com/blog/general/how-to-stay-safe-while-shopping-online/</link> <comments>http://www.savidtech.com/blog/general/how-to-stay-safe-while-shopping-online/#comments</comments> <pubDate>Sun, 08 Jan 2012 22:11:52 +0000</pubDate> <dc:creator>Michael A. Davis</dc:creator> <category><![CDATA[General]]></category> <category><![CDATA[bbb]]></category> <category><![CDATA[credit card]]></category> <category><![CDATA[credit card data]]></category> <category><![CDATA[ebay]]></category> <category><![CDATA[Electronic commerce]]></category> <category><![CDATA[fraud]]></category> <category><![CDATA[online shopping]]></category> <category><![CDATA[paypal]]></category> <category><![CDATA[TRUSTe]]></category> <guid
isPermaLink="false">http://www.savidtech.com/blog/?p=755</guid> <description><![CDATA[As we all know, online shopping is nothing new, but as its popularity continues to grow so do the malicious threats that can occur during your shopping experience.  That is why we want to provide you with some reminders and tips on how to make your online shopping a safer experience.  We also encourage you [...]]]></description> <content:encoded><![CDATA[<p><a
href="http://www.savidtech.com/wp-content/uploads/2012/01/online_shopping.jpg"><img
class="alignleft size-thumbnail wp-image-756" title="Stay Secure When Shopping Online" src="http://www.savidtech.com/wp-content/uploads/2012/01/online_shopping-150x150.jpg" alt="online shopping 150x150 How to Stay Safe While Shopping Online" width="150" height="150" /></a>As we all know, <a
href="http://www.savidtech.com/blog/tag/online-shopping/" class="st_tag internal_tag" rel="tag" title="Posts tagged with online shopping">online shopping</a> is nothing new, but as its popularity continues to grow so do the malicious threats that can occur during your shopping experience.  That is why we want to provide you with some reminders and tips on how to make your <a
href="http://www.savidtech.com/blog/tag/online-shopping/" class="st_tag internal_tag" rel="tag" title="Posts tagged with online shopping">online shopping</a> a safer experience.  We also encourage you to share these tips with your family who may make online purchases too.</p><p>There are a few simple precautions you can take to further secure yourself before you make your online purchases.  First, make sure you have a web filter in place that will warn you of suspicious websites. Keep your web browsers up to date too. Oftentimes the site you are shopping on is legitimate, but if your computer is infected with keyloggers and other malicious viruses you can run the risk of your <a
href="http://www.savidtech.com/blog/tag/credit-card/" class="st_tag internal_tag" rel="tag" title="Posts tagged with credit card">credit card</a> data being stolen.</p><p>It is always best to shop at familiar websites, but if you are looking at products or services from an unfamiliar site, do a little research before you begin; find out what other consumers have to say about the store or seller.  Epinions.com and BizRate.com give customer evaluations that may help you determine the legitimacy of the company.  It is also a good idea to review the website for the <a
href="http://www.savidtech.com/blog/tag/bbb/" class="st_tag internal_tag" rel="tag" title="Posts tagged with bbb">BBB</a> and/or <a
href="http://www.savidtech.com/blog/tag/truste/" class="st_tag internal_tag" rel="tag" title="Posts tagged with TRUSTe">TRUSTe</a> approval icons.  Be sure to click those icons to ensure that they take you to those accredited sites and that you can find the company’s name within their listings. Oftentimes harmful sites will display the graphic with no link, so be aware.</p><p>Remember, before entering your personal data and credit card information, check the website’s connection to make sure it is encrypted. The URL will start with (http<strong>“s”</strong>); also look for the padlock icon in the address bar or right corner of the window.  Be aware of any warnings that your computer gives you regarding the security certificate of the site; when in doubt, find somewhere else to shop.</p><p>Keep in mind when choosing a payment method it is always best to use <a
href="http://www.savidtech.com/blog/tag/paypal/" class="st_tag internal_tag" rel="tag" title="Posts tagged with paypal">PayPal</a> if it is an option; that way your credit card and bank account information will not be shared with the merchants and sellers. <a
href="http://www.savidtech.com/blog/tag/paypal/" class="st_tag internal_tag" rel="tag" title="Posts tagged with paypal">PayPal</a> will also protect you against fraudulent charges and if there are problems with your purchases. Once your purchases are made, it’s always a good idea to check your bank accounts and credit card statements to ensure the proper amount was charged; if the charges are wrong, contact the website where your purchases were made immediately, and call your credit card company to inquire about a “charge back”.</p><p>We hope that by keeping these tips in mind you will continue to enjoy shopping online and be more secure in doing so.</p> Tags: <a
href="http://www.savidtech.com/blog/tag/bbb/" title="bbb" rel="tag">bbb</a>, <a
href="http://www.savidtech.com/blog/tag/credit-card/" title="credit card" rel="tag">credit card</a>, <a
href="http://www.savidtech.com/blog/tag/credit-card-data/" title="credit card data" rel="tag">credit card data</a>, <a
href="http://www.savidtech.com/blog/tag/ebay/" title="ebay" rel="tag">ebay</a>, <a
href="http://www.savidtech.com/blog/tag/electronic-commerce/" title="Electronic commerce" rel="tag">Electronic commerce</a>, <a
href="http://www.savidtech.com/blog/tag/fraud/" title="fraud" rel="tag">fraud</a>, <a
href="http://www.savidtech.com/blog/tag/online-shopping/" title="online shopping" rel="tag">online shopping</a>, <a
href="http://www.savidtech.com/blog/tag/paypal/" title="paypal" rel="tag">paypal</a>, <a
href="http://www.savidtech.com/blog/tag/truste/" title="TRUSTe" rel="tag">TRUSTe</a><br
/> ]]></content:encoded> <wfw:commentRss>http://www.savidtech.com/blog/general/how-to-stay-safe-while-shopping-online/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> </channel> </rss>
