Security Patch Management
Recently released SQL exploit kits remind us of how important it is to patch security vulnerabilities in software. Sadly, most successful attacks use well-known exploits for which the patch has not yet been applied. So, who is to blame for not patching the system?
Quite often your system administrator is mistakenly assumed guilty. However, you only need to dig a little deeper to realize that the issue is not negligence, but the huge volume of patches that vendors release every month. Security patches come in continuously from a variety of third-party commercial products, open source libraries and operating systems.
In essence, security patch management becomes a triage tree which attempts to answer which patches need to be applied and when … balanced against the requirements for production stability. Generally speaking, a patch may be ignored if the product/library/service is not installed. Larger patches or software version upgrades are considered higher risk because of the large number of software and system dependencies.
So what do you need to patch? The old security idiom holds true: ‘You need to patch everything to make your system secure and no more!’ Today’s systems are very complex, which implies they are also very fragile. Security patches which are deemed critical are usually remotely exploitable and should be patched as soon as possible. Security patches which are less than critical (i.e. Important) can probably wait until your next maintenance patch. And when you can, schedule an upgrade to the latest available OS release, which has all the security patches already applied.
In February 2016, Google announced that 77 percent of all web requests are encrypted. Today, almost all encrypted web traffic is normal HTTP traffic carried inside the Transport Layer Security (TLS) protocol. The TLS protocol allows users to safely exchange a secret that is used to encrypt data packets in both directions.
The history of TLS begins with Netscape Corporation and an encryption framework called Secure Sockets Layer (SSL) in 1994. The very first implementation, called SSL 1.0, was so flawed that it was never released to the public. So, the first official HTTP encryption standard was SSL 2.0, released in February 1995. Five years later, the SSL protocol eventually gave way to the TLS protocol.
Over time, security researchers have discovered flaws in each implementation of SSL and TLS. Like an old washing machine, a protocol whose flaws and problems become unworkable needs to be replaced. The current standard TLS protocol is 1.2, which was released in August 2008. It has been the target of many successful exploits including POODLE, SLOTH, and CRIME.
The latest draft version is TLS 1.3 – which is soon expected to be a standard. It removes many of the primitives and features that made TLS 1.2 vulnerable and represents a significant leap forward in security. In addition, the TLS 1.3 protocol has been modified to reduce the TLS handshake time which provides a significant performance increase for mobile devices. In summary, it’s time to say goodbye to TLS 1.2 and welcome TLS 1.3.
Toptech Systems is pleased to announce the release of an entirely new version of MultiMate, MultiMate Plus. MultiMate Plus is a ground-up rebuild focused on providing an intuitive user-interface and building a foundation for an expanded feature set in future releases.
MultiMate has been offered to customers since 2009 to help with the configuration and interaction of the MultiLoad II suite of products. MultiMate allows the user to create and manage configuration prompt files, meter ticket templates, and an access ID database. The application also supports the ability to upload new firmware, as well as download, view and print archived transaction data, event log data, and more.
After hearing from customers that there were various areas in the traditional MultiMate tool that could be improved, Toptech made it a priority to build a program that would be RELIABLE and INTUITIVE. This first release of MultiMate Plus does nearly everything the traditional MultiMate product did but with a completely improved user experience.
A few of the new user-interface features:
- There are now change lists so you can easily view the modifications that were made from the last configuration to now.
- Every alarm includes a description so there is no confusion.
- You can now search and filter for factors such as BSW and more.
- Products can now be viewed and edited on one page so it’s faster and easier to navigate.
BOL Editor and Custom Logic are the two features this release will not include. The next release (scheduled for the end of October) will include those features. There are exciting future plans that expand this application beyond anything the traditional MultiMate or its competitors have managed to achieve. As always, this application is offered for free so that anyone with a MultiLoad II product can benefit.
Click this link and scroll down to Product Downloads for the new MultiMate Plus.
You are probably well aware that Hurricane Matthew is heading toward the east coast of the United States. This hurricane could have severe impacts in the US from rain and wind and may adversely affect some of your terminal locations.
As a precautionary measure, and in addition to your normal backup procedure, Toptech suggests that any site that could be affected by Hurricane Matthew perform a backup of servers and store them in a safe and accessible location.
Toptech would also like to extend its sincerest hopes that all of your employees and family members remain safe and sound.
MultiLoad II Slate is the newest offering in automation hardware for batch control. Slate is an evolution of the MultiLoad II system, taking it to the next level by using each company’s database to provide a solution that is specific to their needs.
“Now, in addition to adding flexibility for the oil industry, other markets such as paint, beverage, and mining can enjoy the same level of efficiency oil terminals have benefited from for years,” says Joe Porthouse, Director of Engineering for Toptech Systems.
MultiLoad II Slate is the result of Toptech’s commitment to continued innovation in addressing market needs. Many of the businesses that partner with Toptech Systems are experts in various industries and have expressed a need for a MultiLoad-like solution in those markets. After analyzing the requirements for these various markets, one thing became clear…flexibility is the key. The types of required data varied from industry to industry and market to market, with aviation tracking tail numbers, mining tracking odometers, locomotives tracking spur lines and so on and so on. MultiLoad II Slate allows for this diversity.
In short, Toptech Systems is offering the world something no other company has managed to offer: a blank slate. Application-specific databases can be stored in the device, allowing it to speak the language of any industry. In addition, Slate supports custom prompting, allowing companies to choose the amount of security and information they want to receive before each load. As the user-friendly interface for the driver or operator, Slate includes a full alphanumeric keypad and a color display. It is also available in a Division 1 or 2 enclosure.
Due to the varied nature of each industry, companies have traditionally been faced with only three options: The first option has been to endure the slow, manual process of tracking their transactions with pen, paper, and a spreadsheet. This leaves them with only a best estimate of how much product moved each month and includes hours of data entry for accounting. Another option has been to use a standard automation system. Since these systems weren’t designed with each industry in mind, this often leaves companies trying to fit a square peg in a round hole. With features they don’t need and language they don’t use, frustrations abound. The third option has been to build a custom automation system. This requires a significant investment of time and money. In addition, the company must pay for more customizations anytime they change a process.
There’s now a new player in town: the MultiLoad II Slate. Slate is designed to help companies with any fluid loading and offloading application. This new device stores any information the company needs before a transaction begins, tracks every transaction, and sends it to the software system for a fraction of the cost of PLC/PC based solutions. Companies will be able to view their data using their terms, the way they want to see it.
James Imhoff, Business Line Director for Toptech Systems states, “We are excited for this latest evolution of MultiLoad which opens it to interface with a virtually unlimited amount of systems and markets. We’ve always been focused on moving companies forward and Slate is yet another, strong component of that goal.”
Encrypting communication has been in the news a lot. Private citizens want to keep their personal lives private so they use encrypted communications to keep their information secret. Terrorists also use encrypted communication to hide their activities.
At the turn of the century, businesses realized that exposing sensitive company information or personally identifiable information (PII) could result in lost revenue, bad publicity and potentially millions of dollars in regulatory fines. As more business applications have gone publicly online, hackers have seen an opportunity to profit by identity theft, extortion and corporate espionage. Much of this pain could be avoided by encrypting communications.
When communications are not encrypted, man-in-the-middle (MITM) attacks are much more likely. This is where the attacker secretly relays and possibly alters communication between two parties who believe they are directly communicating with each other. For example, this could be as simple as eavesdropping or selectively modifying the account numbers of a financial wire transfer.
Toptech Systems has implemented secure encrypted communications in TMS6v, TDS, Load2Day and UAP. As new PIDEX standards are being defined, Toptech continues to rigorously support the encryption of exchange data. Contact Toptech Systems for more information.
Hackers are becoming increasingly adept at guessing usernames and capturing passwords. Hardly a week goes by without news of yet another online site that has been hacked and user credentials published to the Internet. Phishing emails have become so sophisticated that in some cases, you don’t even have to read your email to have your PC infected with malware.
So how do I prevent hackers from using my accounts and accessing my resources? In high security environments, multiple credentials are used to verify the identity of a user. This is called Multi-Factor Authentication (MFA) and is considered a best practice.
For example, the basic user ID/password combination is considered one-factor authentication. A second factor could be your fingerprint. A good example of this is Toptech’s verified II fingerprint scanner. A third factor could be an RFID card that has an associated 4-digit PIN, like the card reader in Toptech’s MultiLoad II.
The objective of MFA is to layer your defense. If one factor is compromised, the attacker still has to successfully overcome a second factor to get access. Many online systems have the option of enabling MFA for your accounts. Banking systems were one of the first to embrace the concept of MFA and often employ those secondary security questions (i.e. What is the name of your first pet?).
Toptech’s MultiLoad II has always been considered a leader in using MFA. The MultiLoad II has a keypad for PIN code entry and an RFID card slot. This can be combined with the verified II for 3 levels of authentication – what you have (RFID card), what you know (PIN code) and who you are (fingerprint). Contact Toptech Systems for more information.
Your username and password identify you as the unique owner of the account given to you. From the computer’s point of view, they define who you are and what you are allowed to do. In computer security terms, we call this authentication and authorization.
Usernames are typically assigned by the system administrator and they are usually a combination of first initial and last name which makes them easy to guess. As a result, the only thing you have control of is your choice of password.
So what makes a good password and how long should it be? A good password is one that cannot be guessed by testing every possible combination of characters (brute force attack) or looked up in a dictionary (dictionary attack). This means it should use 12 or more characters. If your password is less than 12 characters it needs to be complex, using a mix of uppercase, lowercase, numbers and special characters.
Do not use dictionary words or combinations of dictionary words. For example, ‘NewYorkJets’ is eleven characters long but hackers have built dictionaries that combine words together. So, ‘NewYorkJets’ would be easily found. However, replacing some of the letters with numbers makes it un-guessable (i.e. ‘NewY0rkJets!’).
Toptech Systems has developed a sophisticated, customizable password entry function that is used on TMS6v, TDS, Load2Day and UAP. That means you can define the minimum length of your passwords, password complexity, and reuse of previously used passwords. We also automatically filter out the most commonly used words or phrases (i.e. secret, password, 12345678) to keep your accounts safe. Contact Toptech Systems for more information.
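The password rules described above (12 or more characters or a full character mix, no dictionary words or word combinations, a filter for commonly used passwords, no reuse) can be combined into one check. This is an added example, not Toptech's code; the word lists, salt and function names are constructed for illustration.

```python
import hashlib
import hmac
import string

# Constructed sample data (assumptions, not Toptech's actual lists).
DICTIONARY = {"new", "york", "jets", "secret", "password", "summer", "load"}
COMMON = {"secret", "password", "12345678"}
MIN_LENGTH = 12
DEMO_SALT = b"constructed-demo-salt"  # real systems use a random salt per user


def is_word_combo(candidate: str, words=DICTIONARY) -> bool:
    """True if candidate is one dictionary word or several joined together."""
    s = candidate.lower()
    reachable = [True] + [False] * len(s)  # reachable[i]: s[:i] splits into words
    for end in range(1, len(s) + 1):
        reachable[end] = any(
            reachable[start] and s[start:end] in words for start in range(end)
        )
    return bool(s) and reachable[-1]


def fingerprint(password: str, salt: bytes = DEMO_SALT) -> bytes:
    """Salted, slow hash so the reuse history never stores plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password(password: str, history=(), salt: bytes = DEMO_SALT) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    classes = [string.ascii_uppercase, string.ascii_lowercase,
               string.digits, string.punctuation]
    has_full_mix = all(any(c in cls for c in password) for cls in classes)
    # Under 12 characters is only allowed with all four character classes.
    if len(password) < MIN_LENGTH and not has_full_mix:
        problems.append("too short without full character mix")
    if password.lower() in COMMON:
        problems.append("commonly used password")
    if is_word_combo(password):
        problems.append("dictionary word or word combination")
    new_fp = fingerprint(password, salt)
    if any(hmac.compare_digest(new_fp, old) for old in history):
        problems.append("previously used password")
    return problems
```

The reuse history holds only the output of `fingerprint()`, so a leaked history file does not directly expose earlier passwords.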
Toptech Systems is proud to announce the newest version of its TMS6 Terminal Management System, TMS6v. Available immediately, TMS6v brings forward the great flexibility made accessible by virtual computing. The “v” signifies virtualization and 5.0.
Among other things, TMS6v provides as much as a 50% REDUCTION in scheduled downtime for routine upgrades, a 75% REDUCTION in hardware qualification time and a 25% IMPROVEMENT in performance.
Guy Ragault, Toptech’s Director of Standard Terminals, stated, “TMS6v really represents the new Toptech approach to designing, deploying and supporting a solution that will fit every terminal’s needs.”
Here is a list of some of the major benefits in TMS6v:
Toptech Systems is excited about improving operations for each of its customers.
On July 14, 2015 Toptech Systems was proud to accept the United Way Above & Beyond Community Volunteer Excellence Award for service to the Boys & Girls Clubs of Central Florida (BGCCF). For the past year, Toptech Systems has been working very hard to enrich the lives of Seminole County youth through initiatives such as Homework Help sessions, Celebrate the Children, Faces of the Future and various other activities. Recently, they partnered with the East Altamonte Branch to completely remodel the teen room.
After speaking with BGCCF staff, it became clear they desired a better space for their teens. Matt Rowlett, Manager of Standard Terminals and Crude Operations, remarked, “The passion BGCCF staff has for the kids is contagious. Over 30% of our organization got involved in remodeling the teen room. Our ultimate goal was to create a room that would inspire the teens to go to college and, in true Toptech fashion, blow away BGCCF’s expectations. It was a blast!”
Before beginning this project Toptech knew they wanted to focus on encouraging the use of technology. Prior to the remodel, teens were rarely seen on the old computers in the room. In the new room, every computer is almost always being used. This means they can complete their research for school, take advantage of foreign language programs and the digital drawing pad (a crowd favorite) and generally become more comfortable with computers, giving them a leg up in this increasingly technological society.
Realizing that remodeling the teen room is only one step in truly changing lives, Toptech Systems also created a 2015 Teen Events calendar focused on sessions that would encourage their dreams of college, introduce them to various career paths, teach them skills for success and impart general life wisdom.
Following his “The Diversity of Engineering” session with the teens, Joe Porthouse, Director of Engineering, commented, “There was so much engagement and excitement from the kids. I don’t think they had ever considered engineering as a career but by the end of our conversation and activities, a third of them wanted to be an engineer and everyone learned something new.”
With nearly twenty sessions left in the 2015 Teen Events calendar, Toptech Systems is excited to see how the teens will continue to be inspired by their new space.
For more information about the teen room remodel project please view this article on the BGCCF blog.
To find out how your company can make a difference in the community and get involved with Boys & Girls Clubs of Central Florida, contact Alicia Hodge at 239.826.9974, or for more information, visit www.bgccf.org.