Posts Tagged ‘security’

Novosco achieves prestigious quality awards – ISO 27001, ISO 9001:2008 & IIP

Belfast, 12th March, 2009 — Novosco, Ireland’s leading provider of virtual IT infrastructure and services, has been awarded the prestigious and internationally recognised ISO 27001 and ISO 9001 certifications. This formed part of an integrated achievement, with Novosco also being awarded the Investors In People (IIP) award. Novosco achieved the awards with the assistance of CIMAOMEGA, experts in transformational change in the workplace.

Patrick McAliskey, Novosco Managing Director; Gillian Esquivel, CIMAOMEGA Director & Susan Magee, Novosco Human Resource Manager

ISO 27001 & ISO 9001:2008 are internationally recognised awards. ISO 27001 is a highly sought-after certification which proves an organisation’s commitment to providing information security management, ensuring business continuity, maximising business investments and reducing business damage by preventing and minimising the impact of security incidents. ISO 9001:2008 recognises an organisation’s ability to consistently provide service that meets customer and regulatory requirements. To achieve these awards Novosco designed and implemented a formal ‘Novosco Integrated Management (NIMS) System’.

The Novosco NIMS system contains details of the procedures and processes that meet ISO requirements for business continuity, data security, and disaster recovery, as well as providing Novosco management and staff with an objective method of maintaining excellent working practices.

Patrick McAliskey, Managing Director for Novosco explained, “As an IT service provider, Novosco customers trust us with their confidential data and their IT infrastructure.  The awards reinforce our commitment to providing our customers with service excellence and they formally recognise that the products and services which we provide are consistently on par with world class standards.  Despite the current economic climate, Novosco felt it was important to invest in the awards as it gives us further competitive advantage and has reinforced Novosco’s position as Ireland’s leading IT provider to both public & private sector customers”. 

“Novosco has been our trusted partner since 2003 and we congratulate the company on the achievement of the ISO awards. Novosco implemented the virtualisation of our IT infrastructure, which decommissioned over 20 servers and saved around £200k compared to the cost of a non-virtualised environment,” said Jim Fennell, Information Systems Manager, Lagan Holdings Ltd.

At the end of last year, Novosco also received the Investors in People (IIP) recognition.  The company was formally assessed with regard to staff training, development and overall company performance. 

Patrick McAliskey continues, “The IIP award shows that we take our commitment as an employer very seriously.  The process has helped us to organise our development programme so that it delivers focused, up-to-date skills to our workforce.  The award is integrated with the ISO accreditation to ensure the high standards needed for these awards are continually maintained.”

About Novosco
Novosco is one of Ireland’s leading providers of virtual IT infrastructure and services and is committed to assisting customers in the evaluation and optimisation of their IT systems.  With established hardware/software vendor partnerships with Citrix, EMC, Microsoft and VMware, Novosco offers the highest level of accreditation in Ireland for Virtualisation solutions.  This approach enables Novosco to develop and deliver cost-effective IT solutions that enhance client operations.

Novosco have provided solutions to a range of clients including government establishments and private sector organisations of all sizes including Acheson Glover, Belfast Trust, Lagan Holdings and many more.   
For more information visit www.novosco.com

Reaction to MS08-067

Last week Microsoft published Security Bulletin MS08-067. This bulletin describes a vulnerability in the Windows Server service, affecting Windows 2000, XP, Vista, 2003 and 2008.

Microsoft have also released a corresponding “out-of-band” (i.e., not contained in the monthly batch of updates) update in the shape of KB958644. The update is available from Microsoft Update.

Novosco are actively encouraging all of our customers to deploy the update as soon as possible (on all Windows hosts – clients and servers). You can do so by visiting the Microsoft Update website or by deploying with Windows Server Update Services or some other 3rd party deployment tool.
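One way to check that the roll-out actually reached every host, as an added example that is not part of the original post: a PowerShell audit that reports, per host, whether KB958644 is listed as installed. The host names are constructed placeholders, and the script assumes remote WMI access to the targets and a PowerShell version that provides `Get-HotFix`.

```powershell
# Added example: audit hosts for the MS08-067 update (KB958644).
$KbId  = 'KB958644'
# Constructed placeholder names; replace with your own inventory.
$Hosts = @('WS-EXAMPLE-01', 'LAPTOP-EXAMPLE-02', 'SRV-EXAMPLE-01')

function Test-HotFixPresent {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $Id
    )
    try {
        # List every installed hotfix first, then filter locally, so that
        # "query failed" and "update not listed" stay distinguishable.
        $installed = @(Get-HotFix -ComputerName $ComputerName -ErrorAction Stop)
        $match = $installed | Where-Object { $_.HotFixID -eq $Id } |
                 Select-Object -First 1
        if ($match) {
            $status = 'Installed'; $detail = 'listed as installed'
        } else {
            $status = 'Missing'; $detail = "$($installed.Count) other hotfixes listed"
        }
    }
    catch {
        # Offline laptops land here: unknown state, not evidence of patching.
        $status = 'Unreachable'; $detail = $_.Exception.Message
    }
    [pscustomobject]@{ Computer = $ComputerName; Status = $status; Detail = $detail }
}

$report = foreach ($h in $Hosts) { Test-HotFixPresent -ComputerName $h -Id $KbId }
$report | Sort-Object Status, Computer | Format-Table -AutoSize

# Anything that is not confirmed as Installed goes on the follow-up list.
$todo = @($report | Where-Object { $_.Status -ne 'Installed' })
"{0} of {1} hosts need follow-up" -f $todo.Count, $Hosts.Count
```

A host that has received a later update superseding KB958644 will not list this ID, so treat `Missing` as "needs review" rather than as proof of exposure. Hosts reported as `Unreachable` should be re-checked when they reconnect to the network.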

But why all the fuss? Well, this particular vulnerability is wormable – meaning that potentially (more on “potentially” later) the vulnerability can be exploited by a worm, i.e., self-replicating malicious code that seeks out vulnerable hosts and infects them from your laptop while you’re writing your blog post…

Talking about worms in this way takes me back to those bygone halcyon days when Windows anti-virus was “optional”, host based firewalls were unheard of and the only reason to use a firewall in the enterprise was to take advantage of its NAT capabilities and not fork out for expensive publicly routable IP addresses for your network. It was also the time before we had all deployed WSUS or some other automatic update solution. Right?

Wrong! Even though we now have written policies defining that laptops must have host-based firewalls and AV, and we have fancy UTM devices at the network perimeter, all too often we still have the problem that updates are being ignored. Consider this situation: a user goes home with their company laptop (which hasn’t been updated in the last 8 months) and browses the web for a while from their home internet connection. Because Internet Explorer hasn’t been patched they get burned by some exploit which drops a Trojan containing code which in turn exploits the MS08-067 vulnerability. The user didn’t really do anything wrong, wasn’t a local administrator and knows nothing of the infection. Next day they plug their laptop into the corporate network and while they’re at the coffee machine ten minutes later they see the IT admins running past on their way to the server room as the “whole network’s down!!!!”.

Update management would have saved that company on two counts. The first is by patching the user’s laptop: if it wasn’t vulnerable, the malicious code wouldn’t have got onto it in the first place. The second is that even if the laptop hadn’t been patched (say the user was off work for a while and got infected anyway), the servers would have been patched and wouldn’t have been vulnerable, so no downtime would have occurred.

That example’s a bit simplified; certainly a layered security solution of best practices, AV and UTM would have helped. But I think it serves to get the message across – the fuss surrounding this update is symptomatic of a bigger problem.

Now I put “potentially” in bold above for a reason – there is no worm exploiting this vulnerability (that we know of, yet). Right now, however, there is a recognisable trojan which is being used in targeted attacks. And there’s publicly available exploit code in the wild, which means you can bet that VXers are beavering away trying to develop a suitable worm. So you have a choice – patch now or don’t. You can choose not to and give me the old excuses about the risks of deploying patches (breaking applications etc.), but that’s why Microsoft genuinely recommend that you test their updates with your applications, and if you’re really that worried you should seriously think about a test environment. But if (maybe when) the worm hits and you get burned, I’ll try not to say “I told you so”.

Remember folks – “Proactive patching is better than reactive repair”.